SOUPS 2016 Tutorial: An Introduction to Password Cracking and Research on PasswordsThis tutorial provides a gentle introduction to password cracking and recent research on passwords from the usable-security perspective. We do not expect attendees to have any prior experience conducting passwords research. We highly encourage participation from students and other relatively new members of SOUPS community, as well as veteran SOUPS attendees who may be starting to think about passwords research. Although the session will focus on text passwords, we will touch on the overall authentication ecosystem (e.g., biometric authentication, 2FA, single-sign-on systems). The tutorial includes hands-on training in password analysis tools.
Tutorial leaders:
- Blase Ur, Ph.D. Candidate, Carnegie Mellon University
- Michelle Mazurek, Assistant Professor, University of Maryland, College Park
Logistics:
This will be a half-day tutorial in the morning of June 22, the first day of SOUPS 2016. We
will be in Denver Ballroom 5-6. We
strongly encourage participants to bring a laptop computer so you can participate in the password-cracking contest, described below.
Tutorial schedule:
The tutorial will consist of three sessions, as below. Our presentation slides, including a literature review, are available.
Session
1 (8:30 to 10):
- Introduction
- Password security (threats, metrics)
- Robust, reliable password experiments
- What we know about passwords so far
Session 2 (10:30-11:10):
- Approaches to guessing passwords
- Hands-on introduction to Hashcat
- We will conduct a mini password-cracking contest modeled in spirit after the DEF CON Crack Me If You Can password-cracking contest. Tutorial participants will work together in teams to try to attack password databases that we have created expressly for the contest.
We hope you decide to join us in Denver! Please email the tutorial organizers, Blase (blase at blaseur dot com) and Michelle (mmazurek at cs dot umd dot edu), if you have any questions.