Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms (CMU-CyLab-11-008)
  • Patrick Kelley, Carnegie Mellon University
  • Saranga Komanduri, Carnegie Mellon University
  • Michelle L. Mazurek, Carnegie Mellon University
  • Richard Shay, Carnegie Mellon University
  • Tim Vidas, Carnegie Mellon University
  • Lujo Bauer, Carnegie Mellon University
  • Nicolas Christin, Carnegie Mellon University
  • Lorrie Faith Cranor, Carnegie Mellon University
  • Julio Lopez, Carnegie Mellon University
Date of Original Version
Technical Report
Abstract or Description

Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers’ capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and evaluating password-composition policies using these metrics. In this paper, we describe an analysis of 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to password guessing; (b) the performance of guessing algorithms under different training sets; (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements; and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. We believe our findings advance understanding of both password-composition policies and metrics for quantifying password security.

Citation Information
Patrick Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, et al. "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms (CMU-CyLab-11-008)" (2011)
Available at: