The invention relates to passwords for authenticating users; and more particularly, to new systems and methods for evaluating the effectiveness of password policies.
Passwords are used for authenticating the users of numerous types of accounts, proving identity and gaining access to protected resources. For example, many computer software applications and systems and most online accounts require a username and a password to gain access to the online account. A typical computer user may use passwords for many purposes, such as logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.
Despite the name, passwords are not necessarily actual words, but may be any reproducible combination of characters, including letters, numbers, symbols, or the like. These different character sets are referred to as character types. Thus, letters, numbers and symbols each represent different character types. Passwords may even be formed from multiple words, in which case they may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. As used herein, the term password includes passphrases, passcodes, and any reproducible combination of characters which is used to gain access and/or prove identity.
Typically, a user is asked to choose a password which meets certain criteria by setting constraints on the passwords that are allowed, such as the number of characters, the types of characters, and sometimes restricted words and/or characters. These criteria are referred to as a “password policy.” The password policy governs which passwords are allowed or disallowed for a particular application. For instance, the policy may have constraints such as requiring that the password has a minimum of 8 characters, and that the password contains at least one uppercase letter and at least one number.
The password constraints of a password policy are generally chosen so as to establish a certain minimum level of security for the passwords allowed by an application. One measure of the level of security afforded by a password policy is the password “strength,” which is a measure of the resistance of a password to being compromised by an unauthorized entity, commonly referred to as an “attacker.” Some of the factors affecting password strength are the minimum length and the password complexity. The password complexity may include such constraints as the composition of the character set, requirements to utilize certain combinations of character types, and restrictions on commonly used words and character combinations. In general, increased password complexity results in a stronger password and a more secure authentication system. As discussed in more detail below, if passwords are not complex, they tend to be easier for attackers to guess. If the passwords are more complex, it is more difficult for an attacker to guess a user's password.
The strength of a password is commonly measured as the uncertainty in the value of a password, and this uncertainty has been commonly termed the “entropy” of a password. The entropy of passwords is conventionally expressed in bits. Thus, if a password of k bits is chosen at random, there are $2^k$ possible values and the password is considered to have k bits of entropy. For instance, if a password of length l is randomly chosen from an alphabet of b characters, then the number of possible passwords is $b^l$, or, expressed in bits, the entropy is given by the following formula:

$$\text{Entropy} = \log_2(b^l)$$
As an example, a password randomly composed of 8 characters chosen from the English alphabet of 26 letters has $26^8 \approx 2.1 \times 10^{11}$ possible values, or about 37.6 bits of entropy. For randomly chosen passwords, the entropy of a password is simply determined by the number of possible combinations of characters. Since password policies usually specify a constraint on the minimum number of characters, this calculation measures the minimum entropy of the password policy, because users could choose passwords having more than the minimum number of characters. However, since users tend to gravitate toward the weakest passwords allowed by a password policy, this calculation tends to be representative of the strength of the password policy. Moreover, as discussed below, other factors are considered in modeling password entropy which tend to take into account this possible inaccuracy.
The actual entropy of passwords chosen by users according to a password policy tends to be much lower than this theoretical “random” entropy because they are not chosen at random and they will not have a uniform random distribution. Still, by adding complexity constraints on passwords, the randomness of the passwords can be increased, and therefore the entropy and strength of the password policy is increased. For example, if a password policy requires that a password have a minimum of 8 characters, and must contain at least one letter and one number, the randomness of the possible passwords increases because it eliminates many common passwords that are easy for an attacker to guess, even though the constraint reduces the allowed set of passwords.
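The entropy formula above and the 8-character, letter-plus-number policy just described, worked through as an added example (not part of the original specification). It computes the "random" minimum entropy of a policy by counting, with inclusion-exclusion, the strings of the minimum length that satisfy every required-character-type constraint; the 62-symbol alphabet (lowercase, uppercase, digits) and the class names are assumptions of this example.

```python
import math
import string
from itertools import combinations, product

# Assumed character classes for this example: 26 + 26 + 10 = 62 symbols.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def random_entropy_bits(alphabet_size, length):
    """Entropy in bits of a password of `length` symbols chosen uniformly
    from `alphabet_size` symbols: log2(b^l) = l * log2(b)."""
    return length * math.log2(alphabet_size)


def count_compliant(length, required):
    """Number of strings of exactly `length` symbols over the full alphabet
    that contain at least one symbol of every class named in `required`.
    Inclusion-exclusion over the set of required classes that are missing."""
    b = sum(CLASSES.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = b - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def policy_entropy_bits(length, required):
    """Minimum entropy of a policy: log2 of the number of compliant passwords
    at the minimum length, assuming users pick uniformly among them."""
    return math.log2(count_compliant(length, required))


def brute_force_count(length, required):
    """Exhaustive cross-check of count_compliant (only for tiny lengths)."""
    tests = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    return sum(
        1
        for pw in product(ALPHABET, repeat=length)
        if all(any(tests[c](ch) for ch in pw) for c in required)
    )


if __name__ == "__main__":
    print("26 letters, length 8:", round(random_entropy_bits(26, 8), 1), "bits")
    print("62 symbols, length 8, no constraints:",
          round(policy_entropy_bits(8, ()), 2), "bits")
    print("62 symbols, length 8, >=1 upper and >=1 digit:",
          round(policy_entropy_bits(8, ("upper", "digit")), 2), "bits")
```

Requiring an uppercase letter and a digit shrinks the compliant set by well under one bit relative to the unconstrained 62-symbol space, which illustrates the point in the text that the constraint only slightly reduces the allowed set while removing many easily guessed passwords.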
There are several published theories and models for determining password entropy (a measure of the strength of a password), which take into account many of the non-random factors of user-selected passwords, such as added complexity requirements. For example, the National Institute of Standards and Technology, Electronic Authentication Guideline, William E. Burr, Donna F. Dodson and W. Timothy Polk, published April 2006, includes a detailed analysis and modeling of electronic authentication and password strength (the “NIST model” for password entropy/strength). Other password entropy models include one developed by C. E. Shannon (the “Shannon model”), a language entropy researcher, and one developed by Dr. Jesper Johansson, an author and researcher on the subject of passwords (the “Johansson model”), both of which are accessible on the internet. Thus, there are several available techniques for assessing the strength of a password system.
However, adding complexity to a password policy makes it difficult for a user to choose a compliant password and difficult for the user to remember his or her password. The constraints may prevent a user from choosing an easy-to-remember password, or a password that the user is using for other applications. The user may have to make multiple attempts to find a compliant password, especially where the complexity constraint restricts commonly used words and passwords. Multiple failed attempts can discourage the user from using the application at all, which can be very damaging to the business of a commercial website such as an online retailer or an advertising-supported website, where every login event is a revenue opportunity.
Thus, the designers of the password policy must make a tradeoff between security and ease of use. Typically, the designers of the policy choose the policy in an ad hoc manner. They will often look at industry best practices and use their own intuition to choose a password policy that seems secure, yet does not adversely impact the ease of use for the end users. There is currently no technique or tool to quantitatively evaluate the tradeoff between security and ease of use of a password policy.