Method
The goal of the method is to test password policies and to gather measurable parameters that can be compared between policies.
Input parameters
Parameter | Description
Policy | Wrapper code, or code that implements a specific policy.
Password bases | Sets of passwords used for testing the policies. Real password dumps are used, as well as bases of presumably good passwords, to check whether a policy accepts passwords known to be good.
Dictionaries | Attacker dictionaries of different sizes used for guessing passwords.
Rules | John the Ripper rules used to expand the dictionaries.
The process
Input | Procedure | Output
Dictionaries | JtR with Rules | Original + rule-expanded dictionaries
Password bases | Policy | Passed passwords
Passed passwords | JtR + Dictionaries | Guessed passwords
Measured parameters
- Number of passwords that passed a specific policy.
- Number of passed passwords guessed using a specific dictionary.
- Total number of guessed passwords per policy and password base.
- Mean number of successful guesses across dictionaries of different sizes.
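The pipeline above, carried end to end as an added example (this is illustration code, not the paper's tooling). John the Ripper is replaced by `expand()`, a hand-written subset of JtR-style mangling rules (capitalise, append common suffixes); the two policies, the password base and the two dictionaries are constructed for the example and are not real dumps or wordlists. The script filters the base through each policy, guesses the survivors against each expanded dictionary, and returns the four measured parameters per policy.

```python
"""Toy run of the evaluation pipeline: expand dictionaries with rules,
filter a password base through each policy, guess the survivors, report metrics.

Example code added for illustration; not the paper's tooling. John the Ripper is
replaced by expand(), a small hand-written subset of JtR-style mangling rules, and
the policies and word lists are constructed, not real dumps.
"""
import re
import statistics
from typing import Callable, Dict, Iterable, List

Policy = Callable[[str], bool]


# --- Policies under test (hypothetical; they stand in for the "wrapper code" input) ---
def policy_min8(pw: str) -> bool:
    """Length-only policy: at least 8 characters."""
    return len(pw) >= 8


def policy_complex(pw: str) -> bool:
    """Length >= 8 plus at least one lowercase letter, one uppercase letter and one digit."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


POLICIES: Dict[str, Policy] = {"min8": policy_min8, "complex": policy_complex}

# --- Constructed sample inputs (a real run would load leaked dumps and attacker wordlists) ---
PASSWORD_BASE: List[str] = [
    "password", "Password1", "letmein", "Summer2019", "qwerty123",
    "Dragon99", "xK#9vQ!pL2mZ", "correcthorsebattery",
]
DICTIONARIES: Dict[str, List[str]] = {
    "small": ["password", "letmein", "qwerty"],
    "large": ["password", "letmein", "qwerty", "summer", "dragon", "monkey", "football"],
}


def expand(words: Iterable[str]) -> List[str]:
    """Original words plus rule-mangled variants: capitalise and append common suffixes.
    Mimics a few JtR wordlist rules (c, $1, $1$2$3, ...); it is not JtR's rule engine."""
    out: List[str] = []
    for w in words:
        out.append(w)
        out.append(w.capitalize())
        for suffix in ("1", "123", "99", "2019"):
            out.append(w + suffix)
            out.append(w.capitalize() + suffix)
    return list(dict.fromkeys(out))  # drop duplicates, keep order


def apply_policy(policy: Policy, base: Iterable[str]) -> List[str]:
    """Passwords from the base that the policy accepts ("passed passwords")."""
    return [pw for pw in base if policy(pw)]


def guess(passed: Iterable[str], candidates: Iterable[str]) -> List[str]:
    """Passed passwords that appear verbatim in the (expanded) dictionary.
    Equivalent to a wordlist attack on their hashes, since the base is plaintext."""
    cands = set(candidates)
    return [pw for pw in passed if pw in cands]


def evaluate(policies: Dict[str, Policy], base: List[str],
             dictionaries: Dict[str, List[str]]) -> Dict[str, dict]:
    """Run the pipeline once per policy and return the measured parameters."""
    expanded = {name: expand(words) for name, words in dictionaries.items()}
    report: Dict[str, dict] = {}
    for pname, policy in policies.items():
        passed = apply_policy(policy, base)
        per_dict = {dname: guess(passed, cands) for dname, cands in expanded.items()}
        guessed_any = set().union(*per_dict.values())
        report[pname] = {
            "passed": len(passed),                                   # passed the policy
            "guessed_per_dictionary": {d: len(g) for d, g in per_dict.items()},
            "guessed_total": len(guessed_any),                       # guessed by any dictionary
            "mean_guessed": statistics.mean(len(g) for g in per_dict.values()),
        }
    return report


if __name__ == "__main__":
    for pname, r in evaluate(POLICIES, PASSWORD_BASE, DICTIONARIES).items():
        print(f"{pname:8s} passed={r['passed']} guessed={r['guessed_per_dictionary']} "
              f"total={r['guessed_total']} mean={r['mean_guessed']}")
```

In the real procedure the first step is done by JtR itself, e.g. `john --wordlist=<file> --rules --stdout > expanded.txt`, and the guessing step is a JtR wordlist attack against the hashed passed passwords; the counting logic in `evaluate()` stays the same. Note what the toy data already shows: the stricter policy passes fewer passwords, but a larger share of the ones it passes are still guessed, which is exactly why both the passed count and the guessed count are recorded per policy and dictionary rather than a single number.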