Lost in Disclosure: On The Inference of Password Composition Policies


Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies—sets of rules that a user must abide by when creating a password—influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrates its use in inferring password composition policies.

In the 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) – 4th International Workshop on Reliability and Security Data Analysis
Alexandra Mendes
Assistant Professor

My research focuses on innovative user interfaces for formal methods and mathematical approaches to software quality. More recently, I started work on usable security, in particular on the impact of formal verification on the use and adoption of formally verified security software product. Much of my most recent work overlaps with the area of software engineering. I am also interested on innovative and fun ways to teach Computer Science. For more details, see selected publications and some of my projects. Follow me on Twitter or add me on LinkedIn.