Abstract:
When we authenticate to web sites, the password is often the only thing that separates an attacker from our account. When we register on a site, we are asked to choose a password that we must remember for future logins. To prevent users from choosing very weak passwords, sites impose rules that the password must satisfy; these rules are called password policies. Policies range from simple to complex: some require only a few rules to be respected, others many more. Recent studies have shown that users tend to choose passwords that are easy to remember and to reuse the same password across different sites. Such passwords can be cracked with efficient tools such as Hashcat and John the Ripper, using techniques like dictionary attacks and rule-based attacks. In addition to policies, some sites provide password meters, which show the user the estimated strength of the newly chosen password.
In this thesis we study the effectiveness and security of the password policies that users encounter when registering on web sites. To carry out this analysis, we started from a collection of 144,740,240 passwords and filtered them so as to keep the subsets that satisfy the policies of interest. We started with very simple policies and then increased their complexity, also adding external factors such as dictionaries of various languages and symbol substitutions. To measure the security of each policy, we used Hashcat to run a dictionary attack combined with rules against the passwords that satisfy it. We also studied the effectiveness of some password meters, to understand whether they help users create stronger passwords; for this part we cracked passwords grouped by the strength class assigned to them by each meter. Our results show that the more complex a policy is, the more secure it is, and that the use of effective password meters leads to the creation of more secure passwords.
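As an added illustration of the filtering step described above (this is example code written for this page, not the thesis's own tooling), the sketch below defines a ladder of policies of increasing complexity, from a bare length requirement up to length, all four character classes and no dictionary word even after undoing common symbol substitutions, filters a password list against each, and hashes the surviving passwords so they can be handed to Hashcat. The leet-speak map, the toy English/Italian dictionary and the sample passwords are constructed for the example and are assumptions; the thesis's real substitution table, word lists and corpus are not given in the abstract.

```python
import hashlib

# Constructed leet-speak substitution map (assumption for illustration).
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s", "!": "i"}

# Constructed toy dictionary mixing English and Italian words; a real run
# would load full word lists for each language of interest.
DICTIONARY = {"password", "welcome", "summer", "dragon", "qwerty", "ciao", "amore"}

# Constructed sample passwords standing in for the 144,740,240-entry corpus.
SAMPLE_PASSWORDS = [
    "123456", "password", "P@ssw0rd", "Summer2019!", "Xk9#mQ2v",
    "ciaociao", "Dr4g0n!!", "Tr0ub4dor&3longer",
    "correcthorsebatterystaple", "Welcome2Summer!!",
]


def normalize_leet(pw):
    """Lower-case the password and undo symbol/digit substitutions so that
    'P@ssw0rd' is compared against the dictionary as 'password'."""
    return "".join(LEET_MAP.get(c, c) for c in pw.lower())


def contains_dictionary_word(pw, dictionary=DICTIONARY, min_len=4):
    """True if any dictionary word of at least min_len characters appears
    as a substring of the leet-normalized password."""
    norm = normalize_leet(pw)
    return any(word in norm for word in dictionary if len(word) >= min_len)


def char_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def has_all_classes(pw):
    return char_classes(pw) == {"lower", "upper", "digit", "symbol"}


# Policies ordered from simplest to most complex. Names are illustrative.
POLICIES = {
    "basic8": lambda pw: len(pw) >= 8,
    "comp8": lambda pw: len(pw) >= 8 and has_all_classes(pw),
    "comp8_nodict": lambda pw: POLICIES["comp8"](pw) and not contains_dictionary_word(pw),
    "comp12_nodict": lambda pw: len(pw) >= 12 and has_all_classes(pw)
                                and not contains_dictionary_word(pw),
}


def filter_by_policy(passwords, policy_name):
    """Keep only the passwords that satisfy the named policy."""
    check = POLICIES[policy_name]
    return [pw for pw in passwords if check(pw)]


def policy_counts(passwords):
    """How many passwords survive each policy; the more complex the policy,
    the smaller (and, per the thesis, the harder to crack) the subset."""
    return {name: len(filter_by_policy(passwords, name)) for name in POLICIES}


def sha1_hashes(passwords):
    """Unsalted SHA-1 hex digests, one per line, in the format Hashcat
    mode 100 expects (SHA-1 chosen here only because it is fast to crack)."""
    return [hashlib.sha1(pw.encode("utf-8")).hexdigest() for pw in passwords]


if __name__ == "__main__":
    for name, n in policy_counts(SAMPLE_PASSWORDS).items():
        print(f"{name:14s} {n:3d} / {len(SAMPLE_PASSWORDS)}")
    for h in sha1_hashes(filter_by_policy(SAMPLE_PASSWORDS, "comp8_nodict")):
        print(h)
```

Writing the printed digests to a file gives the target list for a dictionary-plus-rules run of the kind the thesis describes, for example `hashcat -m 100 -a 0 hashes.txt wordlist.txt -r rules/best64.rule`; comparing the fraction of each policy's hashes recovered within the same time budget is one way to rank the policies.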