Passwords are still one of the most common means of securing computer systems. Most organizations rely on password authentication systems, so it is very important for them to ensure that their users have strong passwords. They usually try to enforce security by requiring users to follow password creation policies, which impose rules such as a minimum length or the use of symbols and numbers. However, these policies are not consistent with each other; for example, the length of a good password is different in each policy. They also usually ignore the importance of the usability of the password for the users. The more complex the policies are, the more they frustrate users, who end up adopting coping strategies such as adding "123" at the end of their passwords or repeating a word to make their passwords longer, which reduces the security of the password. More importantly, there is no scientific basis for these password creation policies to ensure that passwords created according to these rules are resistant to real attacks. In fact, there are studies that show that even the NIST proposal for a password creation policy that results in strong passwords is not valid. This paper describes different password creation policies and password checkers that try to help users create strong passwords, and addresses their issues. Metrics for password strength are explored in this paper, and new approaches to calculate these metrics for password distributions are introduced. Furthermore, a new technique to estimate password strength based on its likelihood of being cracked by an attacker is described. In addition, a tool called PAM has been developed and is explained in detail in this paper to help users have strong passwords using these metrics. PAM is a password analyzer and modifier, which rejects weak passwords and suggests a new, stronger password with slight changes to the original one to ensure the usability of the password for each individual.
This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s). The copyright in theses and dissertations completed at Florida State University is held by the students who author them.