Password Exhaustion: Predicting the End of Password Usefulness

  • Luke St. Clair
  • Lisa Johansen
  • William Enck
  • Matthew Pirretti
  • Patrick Traynor
  • Patrick McDaniel
  • Trent Jaeger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4332)


Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.


Keywords: Dictionary Attack; Processor Performance; Brute Force Attack; User Password; Password Security
These keywords were added by machine and not by the authors.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Luke St. Clair (1)
  • Lisa Johansen (1)
  • William Enck (1)
  • Matthew Pirretti (1)
  • Patrick Traynor (1)
  • Patrick McDaniel (1)
  • Trent Jaeger (1)

  1. Systems and Internet Infrastructure Security Laboratory, The Pennsylvania State University, USA
