Você está em: Start > Publications > View > Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection
Map of Premises
Publications
Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection
Title
Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection
Type
Article in International Conference Proceedings Book
Year
2020
Authors
Johnson, SA
(Author)
Other
The person does not belong to the institution.
The person does not belong to the institution.
The person does not belong to the institution.
Without AUTHENTICUS
Without ORCID
Ferreira, JF
(Author)
Other
The person does not belong to the institution.
The person does not belong to the institution.
The person does not belong to the institution.
Without AUTHENTICUS
Without ORCID
Mendes, A
(Author)
Other
View Personal Page
You do not have permissions to view the institutional email.
Search for Participant Publications
View Authenticus page
View ORCID page
Cordry, J
(Author)
Other
The person does not belong to the institution.
The person does not belong to the institution.
The person does not belong to the institution.
Without AUTHENTICUS
Without ORCID
Conference proceedings International
Title:
ASIA CCS '20: The 15th ACM Asia Conference on Computer and Communications Security, Taipei, Taiwan, October 5-9, 2020
Search for Conference Proceedings Publications
Pages: 101-115
15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
5 October 2020 through 9 October 2020
Indexing
Other information
Authenticus ID:
P-00S-GJP
Abstract (EN):
The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies. Password probabilities are then redistributed to simulate different user password reselection behaviours in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity, a metric which we show to be a useful proxy to measure overall resistance to password guessing attacks. Further, we show that by fitting power-law equations to the password probability distributions we generate, we can justify our choice of password composition policy without any direct access to user password data. Finally, we present Skeptic - -a software toolkit that implements this methodology, including a DSL to enable system administrators with no background in password security to compare and rank password composition policies without resorting to expensive and time-consuming user studies. Drawing on 205,176,321 passwords across 3 datasets, we lend validity to our approach by demonstrating that the results we obtain align closely with findings from a previous empirical study into password composition policy effectiveness. © 2020 ACM.
Language:
English
Type (Professor's evaluation):
Scientific
Documents
We could not find any documents associated to the publication.
Copyright 1996-2025 © Faculdade de Direito da Universidade do Porto
I Terms and Conditions
I Acessibility
I Index A-Z
Page created on: 2025-09-15 at 17:16:27 | Privacy Policy | Personal Data Protection Policy | Whistleblowing | Electronic Yellow Book
Page created on: 2025-09-15 at 17:16:27 | Privacy Policy | Personal Data Protection Policy | Whistleblowing | Electronic Yellow Book