ZeroNights2013 testing of password policy

Testing of Password Policy Anton Dedov ZeroNights 2013


http://2013.zeronights.org/fasttrack#dedov

Transcript of ZeroNights2013 testing of password policy

Page 1: ZeroNights2013 testing of password policy

Testing of Password Policy

Anton Dedov

ZeroNights 2013

Page 2: ZeroNights2013 testing of password policy

Who Am I

• Software Developer and Security Engineer @ Parallels Automation
• Open source developer
• Mail: [email protected]
• Twitter: @brutemorse

Page 3: ZeroNights2013 testing of password policy


Motivation

• It is hard for application developers to choose reasonably between the existing password meters.
• Worse, some implement their own (or customize an existing one) without understanding the security and psychological implications.
• A framework or set of criteria is needed that would help make a reasonable choice.

Page 4: ZeroNights2013 testing of password policy

NAÏVE SECURITY MODEL

Page 5: ZeroNights2013 testing of password policy

Untargeted Online Attacks

[Diagram: two scenarios plotted as user base vs. common passwords; values on the slide: 100 K, 10 K, 100 K, 2.5 K, 5 K]

• 1 guess per user / day
• 2 days to find first password
• 100 days to find 50 passwords

• 1 guess per user / day
• 10 days to find first password
• 1.5 yr to find 50 passwords

Page 6: ZeroNights2013 testing of password policy

Targeted Online Attacks

• 10 failed attempts → 1 hour block
• 240 attempts per user / day
• 7200 attempts per user / month
• 86400 attempts per user / year
• More IPs scale linearly

Page 7: ZeroNights2013 testing of password policy

Offline Attacks

• Huge dictionaries
• Specialized hardware and clusters
• No time/complexity limitations except
  – Enforced password quality
  – Hash speed
  – Salt uniqueness

Page 8: ZeroNights2013 testing of password policy

TESTING PASSWORD METERS

Page 10: ZeroNights2013 testing of password policy

Method

• Apply meters to password bases
• Dictionary attacks with JtR
• Rule-based attacks with JtR
• Collect essential parameters

Page 11: ZeroNights2013 testing of password policy

Apply Meters

• Requirement: a meter should provide an unambiguous signal about whether a password is accepted or not.
• Passwdqc tells straight “OK” or “Bad”.
• Others return a score; the minimal accepted score is documented.

Page 12: ZeroNights2013 testing of password policy

Password Bases

• Real customers
• RockYou all
• CMIYC-2010 not cracked
• Random passphrases
• Random 10-char passwords

Red for attacks; blue for psychological acceptance.

Page 13: ZeroNights2013 testing of password policy

Dictionaries

Dictionary                        Size, words
Tiny English                      817
RockYou top                       1438
Common-passwords                  3546
English                           54316
Tiny English crossed / 8 chars    72100

Page 14: ZeroNights2013 testing of password policy

Rules

Rule                Factor
JtR defaults        ~ 40
JtR jumbo           ~ 5500
m3g9tr0n-2048512    = 3510
m3g9tr0n-2048517    ~ 860

Page 15: ZeroNights2013 testing of password policy

Cracking Sessions

Tiny dictionary expanded by rule set:

Rule                Candidates
None                817 words
JtR default         41K words
JtR jumbo           4M words
m3g9tr0n-2048512    2.8M words
m3g9tr0n-2048517    707K words

Page 16: ZeroNights2013 testing of password policy

Cracking Sessions

• 25 attacks per password base per meter
• Min dictionary size 817
• Max dictionary size 396M

RockYou dictionary was not used against RockYou password base.

Page 17: ZeroNights2013 testing of password policy


Parameters

• M – passwords approved by meter

• D – attack dictionary size

• C – # of guessed passwords during attack

• Attack effectiveness

• Attack economy
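As an added example (not the talk's own code) for the method on slide 10 and the parameters on slide 17: a minimal evaluation harness that applies a meter to a password base, expands a dictionary with a few JtR-style rules, and reports M, D and C. The meter, the password base and the dictionary are constructed; the ratios effectiveness = C/M, economy = C/D and acceptance = M/|base| are assumed definitions, since the slide's formulas did not survive extraction.

```python
from collections.abc import Callable, Iterable

# Constructed stand-in for a meter under test: accept >= 8 chars and not blocklisted.
BLOCKLIST = {"password", "123456", "qwerty", "letmein"}

def toy_meter(pw: str) -> bool:
    return len(pw) >= 8 and pw.lower() not in BLOCKLIST

def binary_meter(score_fn: Callable[[str], int], min_score: int) -> Callable[[str], bool]:
    # Slide 11: score-returning meters are reduced to accept/reject at the
    # documented minimal accepted score.
    return lambda pw: score_fn(pw) >= min_score

def apply_rules(words: Iterable[str]) -> set[str]:
    # Tiny rule set in the spirit of JtR wordlist rules (identity, capitalize,
    # append one digit): 22 candidates per word. Real rule sets are far
    # larger (slide 14 quotes factors of ~40 to ~5500).
    out: set[str] = set()
    for w in words:
        for stem in (w, w.capitalize()):
            out.add(stem)
            out.update(stem + d for d in "0123456789")
    return out

def run_attack(meter: Callable[[str], bool], base: list[str], dictionary: set[str]) -> dict:
    # Parameters from slide 17: M, D, C. The three ratios are assumed
    # definitions (the slide's formulas did not survive extraction).
    accepted = [p for p in base if meter(p)]         # M: passwords approved by meter
    m, d = len(accepted), len(dictionary)            # D: attack dictionary size
    c = sum(1 for p in accepted if p in dictionary)  # C: passwords guessed by the attack
    return {"M": m, "D": d, "C": c,
            "effectiveness": c / m if m else 0.0,    # share of approved passwords cracked
            "economy": c / d if d else 0.0,          # cracked passwords per dictionary word
            "acceptance": m / len(base)}             # share of the base the meter lets through

# Constructed password base (stands in for "real customers") and a tiny dictionary.
BASE = ["password", "Sunshine1", "letmein", "correcthorse", "Football7",
        "zxcvbnm", "Tr0ub4dor&3", "football", "sunshine", "Dragon12"]
TINY_DICT = ["sunshine", "football", "dragon", "monkey", "letmein"]

if __name__ == "__main__":
    for name, dictionary in (("no rules", set(TINY_DICT)), ("rules", apply_rules(TINY_DICT))):
        print(name, run_attack(toy_meter, BASE, dictionary))
```

Running it shows the effect the talk measures: the same meter passes 7 of 10 passwords, and the rule-expanded dictionary cracks 4 of those 7 where the bare wordlist cracks 2.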

Page 18: ZeroNights2013 testing of password policy

Online Attacks Effectiveness

For dictionaries < 100K: max guess rate 0.007%

Page 19: ZeroNights2013 testing of password policy

Max Attack Effectiveness

Base        passwdqc   plesk      zxcvbn     complexify   pwquality
rockyou     0.000011   0.000002   0.00013    0.000049     0.000224
customer1   0.00021    0.000089   0.000315   0.00046      0.00029
customer2   0.000304   0.00013    0.000182   0.000546     0.000794

Page 20: ZeroNights2013 testing of password policy

Max Attack Economy

Meter        rockyou    customer1   customer2
passwdqc     0.001224   0.001224    0.001224
plesk        0.001224   0.001224    0.001224
zxcvbn       0.64185    0.002782    0.001224
complexify   0.198816   0.001224    0.001224
pwquality    0.621545   0.002782    0.001224

Page 21: ZeroNights2013 testing of password policy

Average Attack Economy

Meter        rockyou      customer1    customer2
passwdqc     0.00013705   0.00009228   0.00009388
plesk        0.00007885   0.00009156   0.00009176
zxcvbn       0.0340334    0.00017972   0.00009568
complexify   0.010375     0.0000946    0.00010108
pwquality    0.03215435   0.00017748   0.00009328

Page 22: ZeroNights2013 testing of password policy

Guesses Totals

Meter          RockYou   Customer 1   Customer 2
plesk          0.08%     0.28%        0.28%
passwdqc       0.18%     0.23%        0.12%
zxcvbn         0.54%     0.26%        0.06%
complexify     0.54%     1.06%        0.40%
libpwquality   1.16%     0.50%        0.45%

Page 23: ZeroNights2013 testing of password policy

Guesses Totals

[Chart: guesses totals per meter (passwdqc, plesk, zxcvbn, complexify, pwquality) for rockyou-all, customer1 and customer2; same data as the previous slide]

Page 24: ZeroNights2013 testing of password policy

Psy. Acceptance: User Passwords

Meter          RockYou   Customer 1   Customer 2
plesk          0.21%     3.45%        5.53%
passwdqc       1.60%     14.90%       40.62%
zxcvbn         5.43%     16.29%       43.16%
complexify     2.03%     7.05%        27.18%
libpwquality   4.32%     11.88%       34.27%

Page 25: ZeroNights2013 testing of password policy

Psy. Acceptance: User Passwords

[Chart: psychological acceptance per meter (passwdqc, plesk, zxcvbn, complexify, pwquality) for customer2, customer1 and rockyou-all; same data as the previous slide]

Page 26: ZeroNights2013 testing of password policy

Psy. Acceptance: Hard Passwords

Meter          CMIYC-2010   Pass-phrases   Random 10 chars
plesk          24%          0%             42%
passwdqc       59%          99.98%         100%
zxcvbn         42%          99.76%         99.99%
complexify     3%           99.94%         0%
libpwquality   10%          99.82%         81%

Page 27: ZeroNights2013 testing of password policy

Psy. Acceptance: Hard Passwords

[Chart: psychological acceptance per meter (passwdqc, plesk, zxcvbn, complexify, pwquality) for CMIYC2010-uncracked, phrases-rand39 and random10; same data as the previous slide]

Page 28: ZeroNights2013 testing of password policy

The “editors” choice

Security            Psychology
passwdqc            zxcvbn
plesk               passwdqc
zxcvbn              libpwquality
jquery.complexify   jquery.complexify
libpwquality        plesk

Page 29: ZeroNights2013 testing of password policy

Conclusions

• Test your security tools for security
• Avoid writing your own security tools
• All tested meters protect from online attacks
• They also seem to protect from offline attacks (for slow hashes and unique salts)
• But most tend to deny more passwords than is necessary, including ones known to be hard
• Passwdqc and zxcvbn look best

Page 30: ZeroNights2013 testing of password policy

Where to go?

• Bigger dictionaries and brute force
• Testing on real people to
  – Learn evolution of “common passwords” lists
  – Test psychological acceptance empirically
• More meters?

Page 31: ZeroNights2013 testing of password policy

Special thanks

Alexander Peslyak (Solar Designer)

Page 32: ZeroNights2013 testing of password policy

Bonus: time to process RockYou… (MBP 2011)

[Bar chart, x axis in hours: meters zxcvbn, pwquality, plesk, passwdqc, complexify; bar values as extracted: 0:15, 0:26, 0:13, 5:47, 3:15]