
Pushing on String: The 'Don't Care' Region of Password Strength

By Dinei Florêncio, Cormac Herley, Paul C. Van Oorschot

Communications of the ACM, Vol. 59 No. 11, Pages 66-74


We examine the efficacy of tactics for defending password-protected networks from guessing attacks, taking the viewpoint of an enterprise administrator whose objective is to protect a population of passwords. Simple analysis allows insights on the limits of common approaches and reveals that some approaches spend effort in "don't care" regions where added password strength makes no difference. This happens either when passwords do more than enough to resist online attacks while falling short of what is needed against offline attacks or when so many accounts have fallen that an attacker gains little from additional compromises.


Key Insights

Our review of tools available to improve attack-resistance finds that, for example, compelling returns are offered by password blacklists, throttling, and hash iteration, while current password-composition policies fail to provide demonstrable improvement in outcomes against offline guessing attacks.
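To make the abstract's two thresholds and the key insight's point about throttling and hash iteration concrete, the following added example (an illustration, not the authors' own analysis) models the online and offline guess budgets an administrator's settings imply and reports which region a password's guess-number falls in; the throttle rate, attacker hash rate, time windows and iteration counts are constructed assumptions.

```python
from enum import Enum


class Region(Enum):
    """Where a password's guess-number sits relative to the two attack thresholds."""
    ONLINE_VULNERABLE = "falls to online guessing"
    DONT_CARE = "past the online threshold, short of the offline one"
    OFFLINE_RESISTANT = "resists offline guessing too"


def online_threshold(attempts_per_day: float, days: float) -> float:
    """Guesses an online attacker can send at one account while throttled
    to `attempts_per_day` over a campaign of `days` (constructed model)."""
    return attempts_per_day * days


def offline_threshold(raw_hashes_per_sec: float, iterations: int, seconds: float) -> float:
    """Candidates an offline attacker can test against a leaked hash in
    `seconds`: each candidate costs `iterations` evaluations of the base hash."""
    return raw_hashes_per_sec * seconds / iterations


def classify(guess_number: float, online: float, offline: float) -> Region:
    """Map the expected number of guesses needed to crack a password to a region."""
    if guess_number <= online:
        return Region.ONLINE_VULNERABLE
    if guess_number <= offline:
        return Region.DONT_CARE  # added strength here changes no outcome
    return Region.OFFLINE_RESISTANT


def iterations_to_close_gap(raw_hashes_per_sec: float, seconds: float, online: float) -> float:
    """Iteration count at which the offline threshold would fall to the online
    one, i.e. the don't-care region would vanish; normally impractically high."""
    return raw_hashes_per_sec * seconds / online


if __name__ == "__main__":
    # Constructed parameters: 100 throttled attempts/day for a year; an offline
    # attacker doing 1e10 base hashes/s for 30 days, with and without stretching.
    online = online_threshold(100, 365)
    month = 30 * 86400
    for iters in (1, 100_000):
        offline = offline_threshold(1e10, iters, month)
        print(f"iterations={iters:>7}  online<={online:.3g}  offline<={offline:.3g}")
        for bits in (12, 40, 60):
            print(f"  {bits}-bit password: {classify(2.0 ** bits, online, offline).value}")
    print(f"iterations needed to remove the don't-care region: "
          f"{iterations_to_close_gap(1e10, month, online):.3g}")
```

Raising the iteration count moves only the offline boundary, so a password of fixed strength can cross from the don't-care region into the offline-resistant one without any change to the password itself.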
