
Probability-Based Application of Password Quality Rules

IP.com Disclosure Number: IPCOM000173413D
Original Publication Date: 2008-Aug-05
Included in the Prior Art Database: 2008-Aug-05
Document File: 2 page(s) / 51K

Publishing Venue

IBM

Abstract

Password syntax rules are an effective way to ensure that passwords are not trivial. Historically, password syntax rules have been applied to users on a very static basis. This article describes how to use a probability-based mechanism to assign password syntax rule sets to users.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Page 1 of 2

Probability-Based Application of Password Quality Rules

Passwords are the primary form of authentication on computer systems. Effective passwords must strike a balance between easy to remember and difficult to guess. Most installations define "password quality rules" which attempt to make passwords harder to guess. For example, some companies require that passwords have a length of 8 characters, must start and end with an alphabetic character, and must contain at least one numeric and one national character "in the middle".

While password rules tend to force users to select better passwords, they also reduce the "password space", which is the total number of possible valid passwords. For example, if an installation allows any upper case alphabetic or numeric character for a four character password, then the number of valid passwords is 39 x 39 x 39 x 39 or approximately 2,300,000. Without constraints, humans tend to use a small subset of very predictable passwords, such as 'METS', 'MARK', or 'ABCD'. Passwords such as these are susceptible to dictionary or "guess" attacks.

A password rule which requires that a numeric be used as the last character in the password reduces the number of valid four-character passwords to 39 x 39 x 39 x 10, or approximately 600,000, thus reducing the potential password space by almost 75%. Additional password rules can reduce the space even further.

Installations often define a set of password rules, where the password is acceptable if it passes any one rule. An installation that wants to force a random distribution of its password rules could do so through a probability-based assignment of rule sets: it defines several sets of password rules and, for each set, the percentage of passwords that are to be assigned to that rule set.
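The space calculations above and the probability-based assignment of rule sets, as an added example that is not part of the IBM disclosure. The 39-character alphabet (upper-case letters, digits and the national characters @ # $), the three rule sets, the percentages and the installation secret are constructed here; the keyed-hash assignment is an assumed design, since the article does not say how the assignment is made.

```python
import hashlib, hmac
from itertools import combinations

# 26 upper-case letters + 10 digits + 3 national characters (@ # $) = 39,
# the alphabet behind the article's 39 x 39 x 39 x 39 figure (assumed).
ALPHA = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
NUMERIC = frozenset("0123456789")
NATIONAL = frozenset("@#$")
CHARSET = ALPHA | NUMERIC | NATIONAL

# A rule set lists the allowed character class at each position of a
# four-character password, as in the article's worked example.
RULE_SETS = {
    "any":        [CHARSET] * 4,
    "digit-last": [CHARSET] * 3 + [NUMERIC],
    "alpha-ends": [ALPHA, CHARSET, CHARSET, ALPHA],
}
PERCENTAGES = [("digit-last", 50), ("alpha-ends", 30), ("any", 20)]  # constructed shares, sum 100

def space_size(rule):
    """Number of distinct passwords a positional rule set accepts."""
    n = 1
    for allowed in rule:
        n *= len(allowed)
    return n

def passes(password, rule):
    """True if every character is allowed at its position."""
    return len(password) == len(rule) and all(c in a for c, a in zip(password, rule))

def union_size(rules):
    """Passwords accepted by at least one rule set (inclusion-exclusion):
    the space a guesser faces when the per-user rule set is unknown."""
    total = 0
    for k in range(1, len(rules) + 1):
        for combo in combinations(rules, k):
            inter = [frozenset.intersection(*pos) for pos in zip(*combo)]
            total += (-1) ** (k + 1) * space_size(inter)
    return total

def assign_rule_set(user_id, percentages, secret):
    """Pick a rule set for user_id with the installation-defined percentages.
    A keyed hash keeps the pick stable per user but not derivable from the ID alone."""
    digest = hmac.new(secret, user_id.encode(), hashlib.sha256).digest()
    bucket = int.from_bytes(digest[:8], "big") % 100  # roughly uniform 0..99
    cumulative = 0
    for name, pct in percentages:
        cumulative += pct
        if bucket < cumulative:
            return name
    return percentages[-1][0]
```

Note that "digit-last" and "alpha-ends" are disjoint, so their union is the sum of the two spaces: mixing rule sets across the user population leaves a guesser a larger space than either rule alone.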

For the definition of the password rules, a frequency distribution is established for each rule. For example, an installation might want a password policy of...