|The Carnegie Mellon University|
Password Research Group's
Password Guessability Service
Welcome to the Password Guessability Service (PGS) for researchers who are studying passwords! PGS is provided for the community free of charge by the Passwords Research Team at Carnegie Mellon University. PGS estimates plaintext passwords' guessability: how many guesses a particular password-cracking algorithm with particular training data would take to guess a password.
As researchers conduct studies on different aspects of passwords, they are often left wondering how secure the different passwords in their datasets are. As we describe in our USENIX Security 2015 paper on modeling password guessability, we have instrumented several state-of-the-art password cracking techniques to calculate guessability. We are now sharing our knowledge of these measurement techniques, as well as the computing infrastructure needed to calculate guessability to large guess numbers, with the greater research community. PGS does not "crack" passwords (discover a preimage that hashes to a value stored in a password database). Therefore, PGS does not directly benefit attackers who are trying to discover passwords from a stolen password database.
GAINING ACCESS TO PGS
Researchers from both academia and industry may request to use PGS, though we reserve the right to limit or deny requests. If you wish to become an "approved PGS researcher" and thereby gain access to PGS, please email us at firstname.lastname@example.org .edu and include the following information:
If your planned usage of the service or source of data changes materially after we have granted you access to PGS, you must inform us of the new/additional usage. You may not use PGS to analyze data related to the new/additional usage until we have confirmed our approval.
THE LOGISTICS OF USING PGS
Approved researchers can submit plaintext passwords to PGS over SSL. The passwords in the file you upload will automatically be loaded into our systems that simulate password cracking. Note that our simulations of the different cracking approaches take different amounts of time; and depending on system load, calculating results may take several weeks. When the calculations are finished, we will send you an email with an encrypted "guessability file" that provides a guess number for each password you uploaded under that particular password-cracking approach. In our recent study, we found that the minimum guess number across the cracking approaches we simulated was a conservative estimate of a password's vulnerability to a professional attacker, at least through our cutoff of 10 trillion guesses.
In more detail, each time approved researchers wish to compute guessability for one or more sets of passwords, they should upload to PGS a single text file with one password per line, and no additional information. Here is a sample input file. At the time you upload passwords, you will have the opportunity to select which cracking approaches (and in what configurations) you want us to simulate from among those we currently support. Each guessability file you receive back via email will be a two-column (tab-delimited) file in which the first column contains the plaintext passwords and the second column contains how many guesses the given cracking approach took to guess that password, or a "-5" to indicate that it did not guess that password. The first line of the guessability file, however, will provide metadata about the cracking approach (e.g., what approach, what configuration, the number of guesses simulated). Here is a sample output file. The guessability file will be sent as an attachment and will be GPG-encrypted using a password this service provides to you upon uploading the original password file.
After we return your results, we will delete your passwords from our system within 14 days. We do not immediately delete them in case there is a problem transmitting them to you. We will not use your passwords for our own research or share them with other parties. We do our best to maintain the confidentiality of uploaded passwords by limiting the time they are stored on our system, limiting who has access to our system, and transmitting results to you in encrypted form. However, we cannot provide confidentiality guarantees. Therefore, it is critical that you do not send us any accompanying usernames or other information associated with the uploaded passwords. Please note that Carnegie Mellon University may be required to disclose the passwords you upload and information about your identity and research project as required by law, regulation, subpoena, or court order.
DETAILED DESCRIPTION OF CRACKING APPROACHES AND CONFIGURATIONS
Please click here to see a detailed description of the different configurations of the password-cracking approaches we currently support, as well as the password-composition policies for which we currently filter guesses.
FINAL NOTES AND REQUEST
Our group, the Passwords Research Team at Carnegie Mellon University, is providing PGS as a service to the research community. In return we ask only that you give us feedback on the service and acknowledge us (e.g., by citing our USENIX Security 2015 paper) in any papers you may write that use the results provided by our service. Please note that PGS is run on the same infrastructure we use for our own research, and PGS is maintained by students. Therefore, we cannot make any guarantees or warranties that the guessability results will be sent to you on any particular timeline, or at all.
If you already have an account, click below to log in. Otherwise, follow the instructions above to request an account via email.
© 2020 Carnegie Mellon University