The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, CCS '10
The authors investigate how easily a user's new password can be guessed from the old one when a password expiration policy forces a change. The threat model is an attacker who already knows the expired password (for example from a breach or a previous compromise) and tries to recover its successor by applying a small set of primitive transforms (changing capitalization, incrementing a number, substituting or appending characters, and so on) to the old password. The authors show that choosing an optimal order in which to try the transform sequences is NP-hard, by reduction from the Min-Sum Set Cover problem, and therefore propose an efficient greedy approximation algorithm instead.
In their experiments on accounts whose previous password was known, the algorithm cracked 41% of the new passwords offline within seconds, and at most five online guesses sufficed for 17%. They argue that, given these results, password expiration offers little security benefit and should be abandoned.
Citation (ACM Ref): Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. 2010. The security of modern password expiration: an algorithmic framework and empirical analysis. In Proceedings of the 17th ACM conference on Computer and communications security (CCS '10). ACM, New York, NY, USA, 176-186. DOI=10.1145/1866307.1866328 http://doi.acm.org/10.1145/1866307.1866328
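The following Python script is an added illustration of the transform-based attack described above; it is not the authors' code. It uses a small, assumed transform set, a constructed set of (old, new) password pairs as training and test data, and a simple frequency ordering of transform sequences in place of the paper's greedy approximation algorithm. It shows how knowledge of the old password collapses the search space, and how a fixed online budget (here five guesses) still recovers a share of the successors.

```python
"""Guessing a successor password from its predecessor via primitive transforms.

Added example, not the paper's code. The transform set, the data and the
frequency-based ordering are assumptions chosen for illustration; the paper
uses a larger transform set and a greedy approximation algorithm.
"""
import hashlib
import string
from collections import Counter
from itertools import product

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}  # assumed leet map


def t_case(p):
    return [p.capitalize(), p.lower(), p.upper()]


def t_bump_digits(p):
    # Increment the trailing run of digits: "rover5" -> "rover6", "pw09" -> "pw10".
    stripped = p.rstrip(string.digits)
    tail = p[len(stripped):]
    if not tail:
        return []
    return [stripped + str(int(tail) + 1).zfill(len(tail))]


def t_append(p):
    return [p + c for c in string.digits + "!@#$"]


def t_leet(p):
    return [p.replace(ch, sub) for ch, sub in LEET.items() if ch in p]


def t_drop_last(p):
    return [p[:-1]] if len(p) > 1 else []


TRANSFORMS = {"case": t_case, "bump": t_bump_digits, "append": t_append,
              "leet": t_leet, "drop": t_drop_last}


def candidates(old, depth=2):
    """Yield (transform_sequence, candidate) for sequences up to `depth` long.

    Each distinct string is yielded once, attributed to the first sequence
    (in product order) that produces it, so training and attack agree."""
    seen = {old}
    for d in range(1, depth + 1):
        for seq in product(TRANSFORMS, repeat=d):
            frontier = [old]
            for name in seq:
                frontier = [c for p in frontier for c in TRANSFORMS[name](p)]
            for c in frontier:
                if c not in seen:
                    seen.add(c)
                    yield seq, c


def learn_order(pairs, depth=2):
    """Rank transform sequences by how often they explain an observed (old, new) pair.
    (Stand-in for the paper's greedy approximation to the optimal ordering.)"""
    hits = Counter()
    for old, new in pairs:
        for seq, cand in candidates(old, depth):
            if cand == new:
                hits[seq] += 1
                break
    return [seq for seq, _ in hits.most_common()]


def pw_hash(pw, salt):
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def guess(old, target_hash, salt, order, depth=2):
    """Return the 1-based guess number at which target_hash is hit, or None.
    Candidates are tried in the learned order of their transform sequence;
    sequences never seen in training are tried last."""
    rank = {seq: i for i, seq in enumerate(order)}
    ordered = sorted(candidates(old, depth), key=lambda sc: rank.get(sc[0], len(rank)))
    for n, (_, cand) in enumerate(ordered, 1):
        if pw_hash(cand, salt) == target_hash:
            return n
    return None


def evaluate(order, test_pairs, salt=b"salt", online_budget=5):
    """Fraction of test accounts cracked at all, and within `online_budget` guesses."""
    cracked = within = 0
    for old, new in test_pairs:
        n = guess(old, pw_hash(new, salt), salt, order)
        if n is not None:
            cracked += 1
            within += n <= online_budget
    return cracked / len(test_pairs), within / len(test_pairs)


# Constructed (old, new) pairs standing in for a real password history.
TRAIN_PAIRS = [("tarheels1", "tarheels2"), ("summer09", "summer10"),
               ("football3", "football4"), ("sunshine", "sunshine1"),
               ("qwerty", "qwerty!"), ("Password1", "Password2"), ("blue", "Blue1")]
TEST_PAIRS = [("wildcat7", "wildcat8"), ("monkey", "monkey2"),
              ("coffee", "Coffee3"), ("dragon", "dr4gon")]
ORDER = learn_order(TRAIN_PAIRS)

if __name__ == "__main__":
    print("learned order:", ORDER)
    print("cracked / within 5 online guesses:", evaluate(ORDER, TEST_PAIRS))
```

The `dragon` to `dr4gon` pair is deliberately outside the assumed transform set, so it is never found: the attack is only as good as the transform vocabulary learned from real password histories, which is exactly what the paper's training data supplies.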