Abstract

We examine the efficacy of tactics for defending password-protected networks from guessing attacks, taking the viewpoint of an enterprise administrator whose objective is to protect a population of passwords. Simple analysis allows insights on the limits of common approaches, and reveals that some approaches spend effort in “don’t care” regions where added password strength makes no difference. This happens either when passwords do more than enough to resist online attacks while falling short of what’s needed against offline attacks, or when so many accounts have fallen that an attacker gains little from additional compromises. Our review of tools available to improve attack-resistance finds, for example, that compelling returns are offered by password blacklists, throttling and hash iteration, while current password composition policies fail to provide demonstrable improvement in outcomes against offline guessing attacks.
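The “don’t care” region argument can be made concrete by classifying each password by the number of guesses an attacker needs to reach it against the online and offline guess budgets, and then observing how hash iteration moves the offline boundary. The following is an added illustration, not code from the paper; the guess budgets, iteration counts and sample population are constructed assumptions, not figures the paper reports.

```python
"""Classify a password population into guessing-resistance regions.

Added example illustrating the abstract's "don't care" region; not the
paper's own code. All budgets and sample ranks below are constructed.
"""

# Assumed attacker budgets (constructed): guesses available against one
# account online (bounded by throttling) and hash computations offline.
ONLINE_GUESSES = 10**6
OFFLINE_HASHES = 10**14


def offline_guess_budget(offline_hashes, hash_iterations):
    """Hash iteration divides the offline budget: each candidate password
    costs `hash_iterations` hash computations instead of one."""
    return offline_hashes // hash_iterations


def classify(guess_rank, online_budget, offline_budget):
    """guess_rank = guesses an attacker must make before reaching the password.

    'online'    -> falls to online guessing
    'dont_care' -> survives online guessing but falls offline; added strength
                   inside this band changes the outcome of neither attack
    'offline'   -> survives offline guessing at the given budget
    """
    if guess_rank <= online_budget:
        return "online"
    if guess_rank <= offline_budget:
        return "dont_care"
    return "offline"


def region_counts(guess_ranks, online_budget, offline_budget):
    """Count how many passwords in a population land in each region."""
    counts = {"online": 0, "dont_care": 0, "offline": 0}
    for rank in guess_ranks:
        counts[classify(rank, online_budget, offline_budget)] += 1
    return counts


# Constructed sample population: guess ranks spanning all three regions.
SAMPLE_RANKS = [10**3, 10**5, 10**8, 10**10, 10**12, 10**15, 10**17]

if __name__ == "__main__":
    # Raising the iteration count shrinks the offline budget, so passwords
    # that sat in the "don't care" band move into the "offline" region.
    for iterations in (1, 10**4):
        budget = offline_guess_budget(OFFLINE_HASHES, iterations)
        print(iterations, region_counts(SAMPLE_RANKS, ONLINE_GUESSES, budget))
```

Under these assumed budgets, a password needing 10^10 guesses is in the don’t-care band with an unslowed hash but becomes offline-resistant once each guess costs 10^4 hash computations, which is the effect the abstract credits to hash iteration.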