Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

arXiv:2007.03809v2 Announce Type: replace
Abstract: The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large …

arxiv attacks automatic critical cs.cr decision password passwords policy practice privacy security system vulnerability