CyLab researcher Lujo Bauer, director Lorrie Cranor and colleagues developed a system merging machine learning and 20 heuristics to check password strength.
There’s no shortage of advice for how chief information security officers should design password policies. Cycle passwords every six months. Include a special character, a capital and a lower-case letter. Minimum of eight characters.
But as anyone who has seen their parents’ passwords can attest, it’s easy to follow basic rules and still come up with an easy-to-crack password. After all, “Password1!” is almost as easy to guess as “password”: cracking tools routinely capitalise a dictionary word and append a digit and a symbol, so the extra character classes buy very little.
Carnegie Mellon University’s CyLab will present a paper next month on a scientifically backed password policy that lets users pick strong passwords efficiently.
CyLab researcher Lujo Bauer, director Lorrie Cranor and colleagues combined a machine-learning strength estimate with 20 heuristics in a password strength meter that tells users specifically what is keeping their password from being secure.
SC Media spoke with Bauer and Cranor about the new paper.
What’s the matter with just giving people the same advice system admins have always given: a capital letter, a symbol and a new password every 45 days?
LC: A lot of the things that people have been told over the years have not been based on science. Security administrators have been desperate to stop accounts from being compromised, and every time there’s a breach that gets publicized they say “We’ve got to do more!” and just kind of tack on some things that seem like maybe they’ll help without any actual evidence as to whether or not they will help.
We actually started doing this research about ten years ago after Carnegie Mellon University changed its password policy. We started wondering well, why did they pick that policy? We went and talked to the powers-that-be and they pointed to some NIST guidance on password policies and we found that it wasn’t fully based on science. It actually said in it that we don’t have enough data on passwords to figure out what the best policy is. So we thought, well, let’s get some data on passwords and actually figure out what policy is going to be best. It took us about 10 years.
So, then, how do you scientifically develop a stronger password policy?
LB: You see how long it actually takes the attacker to guess particular passwords, because ultimately the best password is the one that the attacker can’t guess pretty easily. On the flip side, you figure out how people react when they have to create passwords under a particular policy, whether they can remember them later or have to cut and paste.
One of the things we started doing four or five years ago is to try to use machine learning to model the passwords people create; these models can be used to essentially order passwords from most likely to least likely [to be used]. From all the passwords that have been leaked, the machine can learn what passwords look like, and what more common passwords look like compared to less common passwords. From that, you can develop algorithms that approximate how well an attacker might be able to crack different passwords. So we took several different algorithms and we assumed that whichever algorithm would guess the passwords first is the worst-case scenario.
What have you learned by taking a scientific approach to password policies?
LC: One thing we’ve taken away from running these algorithms is that adding more characters to a password makes them more resistant to this sort of attack, but adding more symbols and different character classes gives you less bang for your buck.
One of the things that we found in our most recent paper is that instead of telling users you have to follow these particular rules for character classes and length and all of these things, we can just tell them a password needs to be greater than a particular strength as measured by that machine learning, along with a length requirement.
Password strength meters already existed. How does the new paper change what was already available?
LC: Unlike a lot of the strength meters out there that just tell you ‘your password is bad,’ our password meter uses heuristics based on our research to offer concrete guidance. So for example, if you create the password and you put a digit at the end our password meter might suggest that you move your digit to the middle of the password. The advice it gives you is tailored to the specific password that you’ve typed in so far.
LB: Things like: words that are on a list of popular passwords should not be included; digits and symbols in the middle are stronger than at the end; capital letters in the middle are stronger than capital letters at the beginning. That’s a critical thing; we can choose which heuristics would be most useful in this particular case. All these heuristics are always valid in some sense, but you don’t want to give a person twenty rules to create their password.
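As an added illustration of the approach described in the interview (this is example code written for this page, not the CyLab meter or any code from the paper): a toy Python meter that implements the quoted heuristics (popular-word check, digits and symbols at the end versus the middle, a capital only at the start, a length requirement), estimates a guess number under several attacker models, and takes the minimum across them as the worst case, the way the interview describes. The ten-entry popular-password list, the three attacker models (verbatim word list, word-plus-suffix mangling, class-based brute force) and the policy thresholds (12 characters, 10^6 guesses) are constructed assumptions for illustration.

```python
import math
import re
import string

# Constructed "most popular first" sample list. Real meters derive the
# ranking from leaked corpora with millions of entries.
POPULAR_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou",
                     "welcome", "monkey", "dragon", "football", "baseball"]
POPULAR_RANK = {w: i + 1 for i, w in enumerate(POPULAR_PASSWORDS)}
SYMBOLS = string.punctuation  # 32 ASCII symbols, tried in this order


def charset_size(password):
    """Size of the alphabet a class-based brute-force attacker must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def guess_number_bruteforce(password):
    """Guesses for an attacker enumerating every string over the classes present."""
    return charset_size(password) ** len(password)


def guess_number_wordlist(password):
    """Guesses for an attacker trying the popular list verbatim (None if absent)."""
    return POPULAR_RANK.get(password.lower())


def guess_number_mangling(password):
    """Guesses for an attacker who takes each popular word in rank order and
    appends 0-4 digits, then optionally one symbol. Case is ignored, an
    assumption of this toy model."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})([^A-Za-z0-9]?)", password)
    if not m:
        return None
    base, digits, sym = m.groups()
    rank = POPULAR_RANK.get(base.lower())
    if rank is None or (sym and sym not in SYMBOLS):
        return None
    # Suffix order: "" then 0-9, 00-99, 000-999, 0000-9999 (11,111 options).
    digit_index = sum(10 ** k for k in range(len(digits))) + (int(digits) if digits else 0)
    symbol_index = SYMBOLS.index(sym) + 1 if sym else 0   # "" first, then each symbol
    per_word = 11111 * (1 + len(SYMBOLS))
    return (rank - 1) * per_word + digit_index * (1 + len(SYMBOLS)) + symbol_index + 1


MODELS = {
    "wordlist": guess_number_wordlist,
    "mangling": guess_number_mangling,
    "bruteforce": guess_number_bruteforce,
}


def worst_case_guess_number(password):
    """Minimum guess number over all models: whichever attacker gets there
    first defines the password's strength."""
    results = {name: fn(password) for name, fn in MODELS.items()}
    applicable = {n: g for n, g in results.items() if g is not None}
    best = min(applicable, key=applicable.get)
    return best, applicable[best]


def feedback(password, min_length=12):
    """Password-specific suggestions built from the interview's heuristics."""
    tips = []
    if len(password) < min_length:
        tips.append(f"lengthen to at least {min_length} characters")
    found = [w for w in POPULAR_PASSWORDS if w in password.lower()]
    if found:
        tips.append("avoid words from popular-password lists: " + ", ".join(found))
    head = password.rstrip(string.digits + SYMBOLS)   # everything before the trailing digit/symbol run
    if any(c.isdigit() for c in password) and not any(c.isdigit() for c in head):
        tips.append("move the digits from the end into the middle")
    if any(c in SYMBOLS for c in password) and not any(c in SYMBOLS for c in head):
        tips.append("move the symbols from the end into the middle")
    if [i for i, c in enumerate(password) if c.isupper()] == [0]:
        tips.append("capitalise a letter in the middle rather than the first one")
    return tips


def meets_policy(password, min_length=12, min_log10_guesses=6):
    """Strength-plus-length policy; both thresholds are assumed for illustration."""
    _, guesses = worst_case_guess_number(password)
    return len(password) >= min_length and math.log10(guesses) >= min_log10_guesses


if __name__ == "__main__":
    for pw in ["password", "Password1!", "corRect7horse!battery"]:
        print(pw, worst_case_guess_number(pw), meets_policy(pw), feedback(pw))
```

Running it shows the point the interview makes: “Password1!” satisfies the classic four-class rule yet the mangling model reaches it in under a hundred guesses, so the meter fails it on strength and returns five concrete suggestions, whereas a longer passphrase with a digit and symbol in the middle triggers none of the heuristics and only the brute-force model applies.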
Source: sc magazine
Source Link: https://www.scmagazine.com/home/security-news/how-science-selects-a-password-policy/