"LISA is the conference that I send my system administrators to so they can bring the latest tools and techniques back to the rest of the team. Much of our current environment can be traced directly back to LISA."
Cory Lueninghoener, Deputy Group Leader of Production High Performance Computing at Los Alamos National Laboratory
"I keep coming back for the technical content and the personal networking opportunities. I attend for career development."
LISA '13 Attendee
"LISA is the conference that I send my system administrators to so they can bring the latest tools and techniques back to the rest of the team. Much of our current environment can be traced directly back to LISA."
Cory Lueninghoener, Deputy Group Leader of Production High Performance Computing at Los Alamos National Laboratory
"I use LISA to benchmark the SA activities in my company."
LISA '13 Attendee
"LISA is where I find direction for evolving the my core professional skills."
LISA '13 Attendee
"Information from LISA helps us push the envelope on automation and scaling, allowing a team of four to manage over 3000 Firefox build and test systems running 15 different operating systems."
Amy Rich, Manager of Release Engineering Operations at Mozilla
"LISA is where professionals share what's hot in designing, building, and maintaining critical systems."
Tom Limoncelli, author, speaker, and system administrator
"LISA is the place where industry best practices and cutting-edge research come together to advance system administration."
Nicole Forsgren Velasquez, Utah State University
"LISA is where professionals share what's hot in designing, building, and maintaining critical systems."
Tom Limoncelli, author, speaker, and system administrator
An Administrator’s Guide to Internet Password Research
Refereed Paper
Wednesday, November 12, 2014 - 2:30pm-2:45pm
Authors:
Dinei Florêncio and Cormac Herley, Microsoft Research; Paul C. van Oorschot, Carleton University
Abstract:
The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of user effort, occur in much more limited circumstances than is generally believed (and in only a minority of recently-reported breaches). We find that an enormous gap exists between the effort needed to withstand online and offline attacks, with probable safety occurring when a password can survive 106 and 1014 guesses respectively. In this gap, eight orders of magnitude wide, there is little return on user effort: exceeding the online threshold but falling short of the offline one represents wasted effort. We find that guessing resistance above the online threshold is also wasted at sites that store passwords in plaintext or reversibly encrypted: there is no attack scenario where the extra effort protects the account.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {186500,
author = {Dinei Flor{\^e}ncio and Cormac Herley and Paul C. van Oorschot},
title = {An {Administrator{\textquoteright}s} Guide to Internet Password Research},
booktitle = {28th Large Installation System Administration Conference (LISA14)},
year = {2014},
isbn = {978-1-931971-17-1},
address = {Seattle, WA},
pages = {44--61},
url = {https://www.usenix.org/conference/lisa14/conference-program/presentation/florencio},
publisher = {USENIX Association},
month = nov,
}
Twitter
Facebook
LinkedIn
Google+
YouTube
connect with us