Carnegie Mellon University released a study in 2013 called “Measuring Password Guessability for an Entire University.” CMU has over 25,000 faculty, staff, and students with a single-sign-on password. With this research study, CMU wanted to analyze how guessable those passwords would be in a password attack by standard password cracking tools and algorithms. A standard password policy was enforced at CMU – a minimum of eight characters and four different character sets. CMU’s password policy meets guidelines established by the InCommon Federation. InCommon provides guidance to educational and research institutions in the United States and relies on NIST guidelines for its security standards.
The researchers collected all 25,000 hashes and analyzed their guessability with a commonly used algorithm. According to CMU’s research, password studies have often relied on asking users what their password is or what type of password they use. Self-reported information is not always reliable.
A few key findings in the study were:
- Users associated with the science and technology colleges made passwords 1.8 times stronger than those associated with the business school
- Users who reported disliking the password policy made weaker passwords
- Male users created stronger passwords than female users
- Passwords with more digits, symbols, and uppercase letters were stronger
- Passwords with numeric characters or symbols are least effective when placed at the end of the password
- Passwords with uppercase letters at the beginning of the password are least effective
- The passwords that were released from the Yahoo! breach most accurately resemble the passwords of CMU users
Furthermore, here are a few insights the researchers drew after completing the study:
- Users would have been able to create stronger passwords if they had received instructions on how to do so
- Users who did not bother to create stronger passwords because they did not feel it was necessary would have benefited from educational material
- Users who complained about the password policy would have benefited from educational material
After completing this study, the researchers want to continue investigating password habits. Here are a few of their ideas:
- Determine how password strength changes when the number of required character sets is reduced for users who create a longer password
- Prohibit special characters at the beginning or end of a password
- Change the dictionary check so that it is skipped when users include symbols or numeric characters
With the nFront Password Filter, companies are able to put these findings into practice. We believe that, alongside implementing a password filter, an educational document should be given to end users explaining how to create a stronger password and why it matters. In addition to the educational material, users receive coaching as they create a password using the nFront Client. When a user goes to change their password and it does not comply with the company’s password policy, a detailed message appears on the screen explaining why the password change was unsuccessful.
All three of their further research ideas can be implemented using the nFront Password Filter. The first idea is called the Stanford Password Policy, a recommendation by Stanford University: users may create shorter passwords if they use all four character sets, and longer passwords are required if the user wishes to use only one character set.
Second, the nFront Password Filter allows the password policy administrator to prohibit the use of numeric or special characters at the beginning or end of a password.
Finally, we offer a variation of the third recommendation for dictionary checking. The nFront Password Filter lets you skip dictionary checking for passwords longer than a configured length. Most companies set this to 15 characters, since rainbow tables normally target passwords of 14 characters or fewer.
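To make the three policy ideas above concrete, here is an added Python checker (example code written for this post, not nFront’s filter or CMU’s tooling) that applies a length-tiered character-class requirement, rejects digits or symbols at either end, flags a lone leading capital per the CMU finding, and skips the dictionary check above 15 characters. The tier thresholds, the leading-capital rule and the word list are assumptions chosen for illustration.

```python
import string

# Assumed length tiers: (minimum length, character classes required).
# Shorter passwords need all four classes; longer ones may use fewer.
TIERS = [(20, 1), (16, 2), (12, 3), (8, 4)]
MIN_LENGTH = 8
DICTIONARY_SKIP_LENGTH = 15   # dictionary check skipped above this length
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation)

# Constructed sample word list; a real filter would load a large dictionary.
DICTIONARY = {"password", "welcome", "summer", "carnegie"}


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c in DIGITS for c in pw),
        any(c in SYMBOLS for c in pw),
    ])


def check_password(pw, dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
        return problems
    # Tiered rule: the first tier whose minimum length is met sets the class count.
    required = next(n for min_len, n in TIERS if len(pw) >= min_len)
    if character_classes(pw) < required:
        problems.append(f"needs at least {required} character classes at length {len(pw)}")
    # Position rules: digits/symbols at either end are the weakest placement.
    if pw[0] in DIGITS | SYMBOLS or pw[-1] in DIGITS | SYMBOLS:
        problems.append("digit or symbol at the beginning or end")
    # Assumed rule derived from the CMU finding on leading capitals.
    if pw[0].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("uppercase letter only at the beginning")
    # Dictionary check, skipped for passwords longer than the configured length.
    if len(pw) <= DICTIONARY_SKIP_LENGTH:
        stripped = "".join(c for c in pw if c.isalpha()).lower()
        if stripped in dictionary:
            problems.append("dictionary word with digits/symbols added")
    return problems
```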