Testing metrics for password creation policies by attacking large sets of revealed passwords

  • Weir M
  • Aggarwal S
  • Collins M
 et al. 
  • 173


    Mendeley users who have this article in their library.
  • 147


    Citations of this article.


In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Matt Weir

  • Sudhir Aggarwal

  • Michael Collins

  • Henry Stern

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free