This project helps developers measure important properties of the password policy they use in their applications. The measurement is offline: no experiments on people are involved.
The main idea is to apply the password policy of interest to leaked password dumps and then to model guessing attacks on the passwords from each dump that have passed the policy. Additionally, the policy is applied to a set of knowingly good passwords to check whether it allows users to choose strong passwords from the key space of their choice. The following parameters are measured while the attack is modelled:
- Number of passwords that passed the policy
- Number of guessed passwords
- Size of the attacker's dictionary
- etc.
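The following Python script is an added illustration of the methodology above; it is not part of this project's code. It applies two policies to a tiny constructed "dump", runs a wordlist-with-rules guessing model against the passwords that survived, and reports the counts listed above (passed, guessed, dictionary size) plus which of the "knowingly good" passwords the policy rejected. The dump, the dictionary, the good passwords, the policy definitions and the mangling rules are all made up for the example; the real framework measures real dumps and delegates guessing to John the Ripper. A policy function such as `policy_complex` is the kind of filter one would wrap in a meter in the "meters" folder (an assumption about that interface; see meters/README.md).

```python
"""Toy offline model of the password-policy measurement (added example, not project code)."""
import re
from typing import Callable, Dict, Iterable, Iterator, List

# Constructed sample "dump" standing in for a real leaked password list.
DUMP: List[str] = [
    "123456", "password", "Password1", "qwerty", "letmein", "Letmein1",
    "Tr0ub4dor&3", "correcthorsebatterystaple", "P@ssw0rd", "summer2013",
    "iloveyou", "Zx9#pL2q!vB", "abc123", "monkey12",
]

# Constructed attacker wordlist (the real framework feeds JtR a wordlist instead).
DICTIONARY: List[str] = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "abc123", "summer", "monkey",
]

# Constructed "knowingly good" passwords: a sane policy should accept these.
GOOD: List[str] = ["correcthorsebatterystaple", "Zx9#pL2q!vB", "h3llo-w0rld-2013-xyz"]

Policy = Callable[[str], bool]


def policy_min8(pw: str) -> bool:
    """Length-only policy: at least 8 characters."""
    return len(pw) >= 8


_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def policy_complex(pw: str) -> bool:
    """Classic 'complexity' policy: at least 8 characters and 3 of 4 character classes."""
    return len(pw) >= 8 and sum(bool(c.search(pw)) for c in _CLASSES) >= 3


def candidates(dictionary: Iterable[str]) -> Iterator[str]:
    """Expand a wordlist with a few mangling rules, a crude stand-in for JtR wordlist mode with rules.

    Duplicates are suppressed so that the number of candidates equals the attacker's
    effective dictionary size.
    """
    seen = set()
    for w in dictionary:
        cap = w.capitalize()
        for cand in (w, cap, w.upper(), w + "1", cap + "1", w + "12",
                     w + "123", w + "2013", cap + "2013"):
            if cand not in seen:
                seen.add(cand)
                yield cand


def measure(dump: Iterable[str], policy: Policy, dictionary: Iterable[str],
            good: Iterable[str]) -> Dict[str, object]:
    """Apply `policy` to `dump`, run the guessing model on the survivors, collect the statistics."""
    accepted = [pw for pw in dump if policy(pw)]
    guesses = set(candidates(dictionary))            # attacker's dictionary after rules
    guessed = [pw for pw in accepted if pw in guesses]
    return {
        "passed": len(accepted),
        "guessed": len(guessed),
        "dictionary_size": len(guesses),
        "guessed_fraction": len(guessed) / len(accepted) if accepted else 0.0,
        "good_rejected": [pw for pw in good if not policy(pw)],
    }


if __name__ == "__main__":
    for name, policy in (("min8", policy_min8), ("complex", policy_complex)):
        stats = measure(DUMP, policy, DICTIONARY, GOOD)
        print(f"{name:8s} passed={stats['passed']:2d} guessed={stats['guessed']:2d} "
              f"dict={stats['dictionary_size']} frac={stats['guessed_fraction']:.2f} "
              f"good_rejected={stats['good_rejected']}")
```

On this constructed data the complexity policy lowers the guessed fraction (2 of 5 survivors versus 6 of 10 for the length-only policy) but rejects the long passphrase from the good set, which is exactly the trade-off the framework is meant to expose on real dumps.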
See my slides from the ZeroNights 2013 conference.
Requirements:
- John The Ripper
- Python doit
- Sqlite3
- Node.js (recommended)
Setup:
- Compile John the Ripper and link its "run" folder into the project directory.
- Place large enough password dumps into the "passwords" folder (see passwords/README.md).
- Write a command wrapper and, if needed, an implementation of the password policy of interest in the "meters" folder (see meters/README.md).
- Write the test case configuration in JSON, using default.json as an example.
If the configuration for a test case is in "test1.json", run the experiment with the following command:
% CASE=test1 doit
The framework creates an "output" folder for all intermediate and final artefacts. The following files are useful for analysis:
| File | Contents |
|------|----------|
| output/<dump>-<policy>.meter | All passwords from the particular *dump* that were accepted by *policy*. |
| output/<dump>-<policy>.john | John the Ripper input file for the pair {*dump*, *policy*}. |
| output/<dump>-<policy>-<dictionary>.pot | JtR pot file for the cracking session against the passwords from *dump* accepted by *policy*, using the specified *dictionary*. |
| output/report-<case>.db | SQLite3 database containing statistics about all password evaluation and guessing sessions of the test *case*. See [report_schema.sql](sql/report_schema.sql) for the schema. |