Showing 1–3 of 3 results for author: Cordry, J

Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

Authors: Saul Johnson, João F. Ferreira, Alexandra Mendes, Julien Cordry

Abstract: The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on int… ▽ More The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies. Password probabilities are then redistributed to simulate different user password reselection behaviours in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity, a metric which we show to be a useful proxy to measure overall resistance to password guessing attacks. Further, we show that by fitting power-law equations to the password probability distributions we generate, we can justify our choice of password composition policy without any direct access to user password data. Finally, we present Skeptic -- a software toolkit that implements this methodology, including a DSL to enable system administrators with no background in password security to compare and rank password composition policies without resorting to expensive and time-consuming user studies. Drawing on 205,176,321 pass words across 3 datasets, we lend validity to our approach by demonstrating that the results we obtain align closely with findings from a previous empirical study into password composition policy effectiveness. △ Less

Submitted 15 March, 2024; v1 submitted 7 July, 2020; originally announced July 2020.

Comments: 15 pages, 15 figures, 10 tables

Journal ref: ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, 2020, pp. 101-115

Lost in Disclosure: On The Inference of Password Composition Policies

Authors: Saul Johnson, João Ferreira, Alexandra Mendes, Julien Cordry

Abstract: Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies (sets of rules that a user must abide by w… ▽ More Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies (sets of rules that a user must abide by when creating a password) influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrates its use in inferring password composition policies. △ Less

Submitted 15 March, 2024; v1 submitted 12 March, 2020; originally announced March 2020.

Comments: 6 pages, 8 figures, 7 tables

Journal ref: 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), 2019, pp. 264-269

MESURE Tool to benchmark Java Card platforms

Authors: Samia Bouzefrane, Julien Cordry, Pierre Paradinas

Abstract: The advent of the Java Card standard has been a major turning point in smart card technology. With the growing acceptance of this standard, understanding the performance behavior of these platforms is becoming crucial. To meet this need, we present in this paper a novel benchmarking framework to test and evaluate the performance of Java Card platforms. MESURE tool is the first framework which ac… ▽ More The advent of the Java Card standard has been a major turning point in smart card technology. With the growing acceptance of this standard, understanding the performance behavior of these platforms is becoming crucial. To meet this need, we present in this paper a novel benchmarking framework to test and evaluate the performance of Java Card platforms. MESURE tool is the first framework which accuracy and effectiveness are independent from the particular Java Card platform tested and CAD used. △ Less

Submitted 11 September, 2009; originally announced September 2009.

Comments: International Journal of Computer Science Issues, Volume 1, pp49-57, August 2009

Journal ref: S. Bouzefrane, J. Cordry and P. Paradinas,"MESURE Tool to benchmark Java Card platforms", International Journal of Computer Science Issues, Volume 1, pp49-57, August 2009