Minding Your @s and !s: How Symbols and Numbers Affect Password Strength


One of the most common ways hackers try to compromise passwords is a simple brute-force attack: randomly guessing at possible combinations until something works. Of course, by "hackers," we mean software written by hackers. Even simple brute-force attacks can get pretty sophisticated as they try to sense patterns and crack your defenses.


To combat brute-force attacks, IT typically requires users to set passwords that are, at least ostensibly, hard to guess. Policies on password composition force users to include numbers or symbols and to not use common "dictionary" phrases as their passwords. But how effective are these policies against machines that guess at the speed of light?


Researchers at Carnegie Mellon University and the National Institute of Standards and Technology explore how common composition policies affect password entropy, or resistance to brute-force attack, in their article "Of Passwords and People: Measuring the Effect of Password-Composition Policies." The research is available free to IT Business Edge members here in the IT Downloads library.


The article includes in-depth analysis of how and where users employ numbers and characters in passwords based on typical composition policies:


basic8: Passwords must have at least eight characters, of any type.

basic16: Passwords must have at least 16 characters, of any type.

dictionary8: Passwords must have at least 8 characters, and may not contain a dictionary word. A simple lookup is executed to check for such easy-to-guess strings.

comprehensive8: Passwords must have at least 8 characters, including an uppercase and lowercase letter, a symbol and a digit. They may not contain a dictionary word.
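The four policies above written as a checker, as an added example that is not code from the article or the researchers. The wordlist is a constructed stand-in, and the dictionary rule (case-insensitive substring match on the letters only) is an assumption, since the article only says a simple lookup is run.

```python
import string

POLICIES = ("basic8", "basic16", "dictionary8", "comprehensive8")

# Constructed stand-in wordlist; a real check would load a full dictionary.
WORDLIST = {"password", "dragon", "monkey", "sunshine", "welcome"}


def contains_dictionary_word(password, wordlist=WORDLIST):
    """Assumed lookup: drop digits and symbols, lowercase the rest, then
    look for any listed word, so 'sun123shine' is still caught."""
    letters = "".join(c for c in password.lower() if c.isalpha())
    return any(word in letters for word in wordlist)


def char_classes(password):
    """Report which of the four character classes appear in the password."""
    return {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_policy(policy, password):
    """Return the list of rule violations; an empty list means accepted."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    problems = []
    min_len = 16 if policy == "basic16" else 8
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if policy == "comprehensive8":
        for name, present in char_classes(password).items():
            if not present:
                problems.append(f"missing {name}")
    if policy in ("dictionary8", "comprehensive8") and contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked against every policy.
    for pw in ("sunshine", "sun123shine", "Welcome1", "tr4vel-Kite"):
        for policy in POLICIES:
            print(f"{policy:15} {pw:12} {check_policy(policy, pw) or 'accepted'}")
```
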


Literally every slot of the passwords created by 5,000 test users was evaluated, as you can see from the graph below, which breaks out the distribution of digits and symbols in passwords in the comprehensive8 condition, relative to the start and end of the password.



The researchers also report that the @ and ! symbols are far and away the most commonly used in passwords, occurring about twice as often as the next most commonly used symbol, $. In fact, the researchers found that about eight or so symbols are used with extraordinary regularity.


When forced to use either numbers or symbols in a password (the rule for comprehensive8), users picked numbers twice as often. However, researchers also found that numbers are perhaps even better than anticipated at shoring up password strength, since users pick them fairly randomly, while lowercase letters tend to be employed in a more predictable fashion, despite outnumbering numbers 24 to 16. There's probably going to be a vowel in there somewhere. The researchers also found that users tend to include numbers in passwords even when they don't have to, and they tend to pop them into slots in their passwords in a far more random fashion.


The article goes on to examine how many tries the average user needed to create a password under different models, how often they just give up and drop out, and how often they tend to reuse passwords. An entire page is devoted to a table spelling out entropy per character type per composition policy.


If this seems like a lot of information, it is. Just remember that this is exactly the way hackers are trying to figure out how to get at your database.


Also be sure to check out yesterday's post about the researchers' finding on how composition policies affect user behavior after they create their passwords. It's all very detailed but fascinating stuff.

Sep 20, 2011 4:48 AM Christopher Miller says:

LOL. This is one of those commonsense things that all hackers know instinctively, and almost no one else cares about.

The only reliable way to create a strong password is to make it random, then filter for the sort of things that hackers look for first. Then develop an easy way to remember pseudo-random strings of characters. Like the one I did (sorry for the plug): www.passwordgear.com

