An Administrator’s Guide to Internet Password Research

Dinei Florêncio, Cormac Herley, and Paul C. van Oorschot

Abstract

The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of user effort, occur in much more limited circumstances than is generally believed (and in only a minority of recently-reported breaches). We find that an enormous gap exists between the effort needed to withstand online and offline attacks, with probable safety occurring when a password can survive 10^6 and 10^14 guesses respectively. In this gap, eight orders of magnitude wide, there is little return on user effort: exceeding the online threshold but falling short of the offline one represents wasted effort. We find that guessing resistance above the online threshold is also wasted at sites that store passwords in plaintext or reversibly encrypted: there is no attack scenario where the extra effort protects the account.
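The abstract's two findings (the 10^6 / 10^14 thresholds and the irrelevance of extra resistance where passwords are stored in plaintext or reversibly encrypted) can be turned into a small policy check. The code below is an added illustration, not part of the paper; the `Storage` categories, function names and the "orders wasted" measure are assumptions made here for the example.

```python
from enum import Enum

# Thresholds taken from the abstract: probable safety against online guessing
# at ~10^6 guesses survived, against offline guessing at ~10^14.
ONLINE_LOG10 = 6
OFFLINE_LOG10 = 14


class Storage(Enum):
    """How the site stores credentials (categories assumed for this example)."""
    PLAINTEXT = "plaintext"      # stored in the clear
    REVERSIBLE = "reversible"    # encrypted, but the server can recover the password
    HASHED = "hashed"            # one-way hash: a breach forces an offline guessing attack


def verdict(log10_guesses: float, storage: Storage) -> str:
    """Classify a password's guessing resistance (log10 of guesses it survives)
    against the online and offline thresholds, given the site's storage mode."""
    if log10_guesses < ONLINE_LOG10:
        # Fails even the throttled online-guessing threshold.
        return "below-online"
    if storage is not Storage.HASHED:
        # A breach of a plaintext or reversibly encrypted store yields the
        # password directly, so no offline guessing ever happens: resistance
        # beyond the online threshold protects nothing.
        return "online-only-needed"
    if log10_guesses < OFFLINE_LOG10:
        # In the eight-orders-of-magnitude gap: beats online guessing but
        # still falls to an offline attack, so the extra effort is wasted.
        return "in-gap"
    return "offline-safe"


def wasted_orders(log10_guesses: float, storage: Storage) -> float:
    """Orders of magnitude of resistance above the online threshold that
    protect against no attack scenario (measure defined for this example)."""
    v = verdict(log10_guesses, storage)
    if v in ("online-only-needed", "in-gap"):
        return log10_guesses - ONLINE_LOG10
    return 0.0


if __name__ == "__main__":
    for guesses, store in [(5, Storage.HASHED), (10, Storage.PLAINTEXT),
                           (10, Storage.HASHED), (14, Storage.HASHED)]:
        print(f"10^{guesses} guesses, {store.value:10s}: {verdict(guesses, store)}"
              f" (wasted orders: {wasted_orders(guesses, store)})")
```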

Details

Publication type: Article
Published in: USENIX LISA
Publisher: USENIX – Advanced Computing Systems Association