Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

TL;DR

This work tackles the problem of rigorously selecting password composition policies by avoiding reliance on password data and intuition. It introduces Skeptic, a toolchain that constructs password probability distributions from large breached datasets, models user reselection under four macrobehaviours, and uses power-law fits to quantify distribution uniformity as a proxy for security. The framework produces policy rankings for 28 policies across three datasets via the Pacpal DSL, and demonstrates strong alignment with prior empirical findings while preserving user privacy. It also provides Coq-based immunity proofs for certain policies against Mirai and Conficker, illustrating practical defensive applications. The approach offers a practical, attack-agnostic method for administrators to justify policy choices and enables reproducible, privacy-preserving security assessments.

Abstract

The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies. Password probabilities are then redistributed to simulate different user password reselection behaviours in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity, a metric which we show to be a useful proxy to measure overall resistance to password guessing attacks. Further, we show that by fitting power-law equations to the password probability distributions we generate, we can justify our choice of password composition policy without any direct access to user password data. Finally, we present Skeptic -- a software toolkit that implements this methodology, including a DSL to enable system administrators with no background in password security to compare and rank password composition policies without resorting to expensive and time-consuming user studies. Drawing on 205,176,321 pass words across 3 datasets, we lend validity to our approach by demonstrating that the results we obtain align closely with findings from a previous empirical study into password composition policy effectiveness.

Figures (15)

• Figure 1: The simple, minimal example of a password probability distribution that we use to visualise different reselection modes in this section. Probability $D(P_{n})$ of password $P_{n}$ is $\frac{1}{2^{n}}$.
• Figure 2: The redistribution of probability in convergent reselection mode under a policy prohibiting $P_1$ and $P_2$. Dotted bar outlines show the probability of prohibited passwords, and stacked bars show the redistribution of this probability.
• Figure 3: The redistribution of probability in proportional reselection mode under a policy prohibiting $P_1$ and $P_2$.
• Figure 4: The redistribution of probability in extraneous reselection mode under a policy prohibiting $P_1$ and $P_2$.
• Figure 5: The redistribution of probability in null reselection mode under a policy prohibiting $P_1$ and $P_2$.