Exploring the Number of Tries Related to Cracking Passwords Generated with Different Strategies

As more services and workflows are moved into computerized systems the number of accounts a person has to be aware of is on steady increase. Today the average user is likely to have more than 25 accounts for different services used on a daily basis that all need authentication. The dominant authentication mechanism used today is still password authentication. In an attempt to satisfy the requirements of different password creation policies and to recall all passwords when needed users tend to rely on different strategies for password creation. These strategies may all seem to provide adequate security, and they may do, but the reality is that they differ tremendously in terms of how time consuming it is to crack passwords generated with the different strategies. By conducting interviews with domain experts different password creation strategies are discussed and pseudo algorithms for cracking passwords are constructed. Based on mutual definitions of the classes and a predefined word list the cost for cracking passwords generated by different strategies are explored. Major findings indicate that strategies based on phrases are at the top of the list. Using a strategy to create a seemingly random password based on a logical phrase, where only the first letter from each word is used, tends in some cases to be the best of choice. An example is to turn the phrase “this password is the greatest of them all” into “tpitgota” instead of using the phrase “goodword” to create an 8 character long password. However, if the phrase contains words not usually found in common dictionaries the best strategy seems instead to be utilizing character substitution as in turning the phrase “my dog Krillex is cool” into “myDoGkriLLExiscooL”