Some insights about password shapes
Back in September 2010 at ESORICS, I presented Kamouflage, a new kind of password manager based on the following premise: an attacker cannot perform an offline attack on a password manager if he does not know how to test the success of his decryption. An attacker will not know whether his decryption is successful in Kamouflage, because every decryption returns a set of passwords that looks plausible. Accordingly, the security of the entire scheme is based on our ability to create decoy password sets that look real. (If you would like the full description of how Kamouflage works, you can download the paper/slide from here.) In order to come across as compelling decoys, the Kamouflage passwords must mimic passwords that human users create every day. To figure out how users construct their passwords, I extensively analyzed leaked password databases. Today, I would like to share with you some insights that I discovered about password “shapes.” More specifically, I will discuss some of the interesting metrics I computed from the RockYou database, which is, as far as I know, the largest password database ever leaked, with 32 million passwords!
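As an added illustration of the kind of "shape" metric such an analysis produces (this is not the author's code, and it assumes a password's shape is its character-class pattern, a definition the post itself does not spell out), the script below computes exact and coarse shape distributions over a small constructed sample, plus the average length per shape that a decoy generator would also need:

```python
from collections import Counter

# Constructed sample, loosely modelled on common leaked-password patterns;
# not taken from RockYou or from the post.
SAMPLE_PASSWORDS = [
    "password", "123456", "iloveyou", "Summer2010", "princess1",
    "abc123", "Password!", "qwerty", "12345678", "monkey12",
]

def char_class(ch: str) -> str:
    """Map one character to a class: lower (l), upper (U), digit (d), symbol (s)."""
    if ch.isdigit():
        return "d"
    if ch.isalpha():
        return "U" if ch.isupper() else "l"
    return "s"

def exact_shape(password: str) -> str:
    """Per-character template, e.g. 'Summer2010' -> 'Ullllldddd'."""
    return "".join(char_class(c) for c in password)

def coarse_shape(password: str) -> str:
    """Collapse runs of the same class, e.g. 'Ullllldddd' -> 'Uld'.
    Lengths are lost, but the structural pattern (word+digits, etc.) is exposed."""
    out = []
    for cls in exact_shape(password):
        if not out or out[-1] != cls:
            out.append(cls)
    return "".join(out)

def shape_distribution(passwords, coarse=True):
    """Return {shape: fraction of corpus}, most frequent first."""
    fn = coarse_shape if coarse else exact_shape
    counts = Counter(fn(p) for p in passwords)
    total = sum(counts.values())
    return {s: n / total for s, n in counts.most_common()}

def length_by_shape(passwords):
    """Average password length per coarse shape."""
    sums, n = {}, {}
    for p in passwords:
        s = coarse_shape(p)
        sums[s] = sums.get(s, 0) + len(p)
        n[s] = n.get(s, 0) + 1
    return {s: sums[s] / n[s] for s in sums}

if __name__ == "__main__":
    for s, frac in shape_distribution(SAMPLE_PASSWORDS).items():
        print(f"{s:6s} {frac:5.0%}  avg len {length_by_shape(SAMPLE_PASSWORDS)[s]:.1f}")
```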

