Analyzing Password Strength and Efficient Password Cracking


Florida State University Libraries
Electronic Theses, Treatises and Dissertations
The Graduate School
2011

Analyzing Password Strength & Efficient Password Cracking
Shiva Houshmand Yazdi

THE FLORIDA STATE UNIVERSITY
COLLEGE OF ARTS AND SCIENCES

ANALYZING PASSWORD STRENGTH & EFFICIENT PASSWORD CRACKING

By SHIVA HOUSHMAND YAZDI

A Thesis submitted to the Department of Computer Science in partial fulfillment of the requirements for the degree of Master of Science

Degree Awarded: Summer Semester, 2011

Approved:
David Whalley, Chair, Department of Computer Science
Joseph Travis, Dean, College of Arts and Sciences

The Graduate School has verified and approved the above-named committee members.

The members of the committee approve the thesis of Shiva Houshmand Yazdi defended on June 8, 2011.

Sudhir Aggarwal, Professor Directing Thesis
Piyush Kumar, Committee Member
Xin Yuan, Committee Member

To my mother, for all the sacrifices she made.

ACKNOWLEDGEMENTS

My sincere gratitude goes out to my advisor Professor Sudhir Aggarwal for all the time he gave me, discussing and guiding me during my thesis; I would like to thank him for his guidance, inspiration and support throughout my studies. His enthusiasm in science along with giving me independence, gave me opportunity and motivation to strive to reach my goals. It is greatly appreciated. I would like to extend my gratitude to my committee members for their encouragement and insightful comments. I would also like to thank Dr. Matt Weir for helping in this thesis from the beginning, greatly beyond all my expectations.

I would like to express my appreciation to my family for their unconditional love. My amazing mother who believed in me; her belief, determination and inspiration throughout my entire life fuelled me in becoming who I am today; I cannot be more grateful to her for every day of my life. My eldest sister Shadi for her tactful advice and guidance; likewise, my sister Shirin for her love and confidence toward me, she made this journey of my life not only possible but also pleasant and enjoyable. Thank you all.

Last but not least, I would like to thank my love, for his devotion and belief, being with me every step of the way, never doubting my abilities.

TABLE OF CONTENTS

List of Tables
List of Figures
Abstract

1. INTRODUCTION

2. BACKGROUND AND RELATED WORK
  2.1 Password Cracking
    2.1.1 Probabilistic password cracker
      2.1.1.1 Training
      2.1.1.2 Probability Smoothing
      2.1.1.3 Guess Generating
  2.2 Password Checking/Strengthening
  2.3 Password Creation policies
    2.3.1 Different policies and advice on password creation
    2.3.2 Existing password checkers
      2.3.2.1 Password Meter
      2.3.2.2 How secure is my password
      2.3.2.3 Microsoft
      2.3.2.4 Geekwisdom
  2.4 Metric for password strength: Entropy
    2.4.1 The NIST Model of Password Entropy
    2.4.2 Shay Model of Password Entropy

3. METRIC FOR PASSWORD STRENGTH
  3.1 Entropy definition and properties
  3.2 Calculation of Entropy based on Context-free Grammars

4. PAM – PASSWORD ANALYZER AND MODIFIER
  4.1 Password Creation Policy Categories
    4.1.1 Explicit password creation policies
    4.1.2 External password creation policies
    4.1.3 Implicit password creation policies
  4.2 PAM Overview
    4.2.1 Preprocessing
      4.2.1.1 Training
      4.2.1.2 Set the threshold
    4.2.2 The Reject Function

5. SUGGESTING NEW PASSWORDS
  5.1 Password Usability
  5.2 Distance Function
    5.2.1 PAM’s distance function
  5.3 Modifier Algorithm

6. MAINTAINING THE SYSTEM
  6.1 Using the proposed password analyzer and modifier
  6.2 Updating the training set through adjusting the context-free grammar
  6.3 Maximizing Entropy values

7. EFFICIENT PASSWORD CRACKING
  7.1 Parallel password cracking
    7.1.1 Graphic Processor Unit
    7.1.2 OpenCL
  7.2 Cracking TrueCrypt files

8. CONCLUSION

APPENDICES
  A Pseudo-code for PAM modifier algorithm

REFERENCES

BIOGRAPHICAL SKETCH

LIST OF TABLES

Table 2.1 Example probabilistic context-free grammar
Table 2.2 Different password policies
Table 2.3 Targeted cracking attack vs. the NIST Entropy [24]
Table 2.4 Entropy calculations across conditions [28]
Table 3.1 Example Context-free grammar to calculate entropy
Table 3.2 Results of the comparison on calculating entropy
Table 4.1
