The goal of the method is to test password policies and gather measurable parameters that can be compared between policies.
|Policy||Wrapper code, or code that implements a specific policy.|
|Password bases||Password bases used for testing policies. Real password dumps are used, as well as password bases with presumably good passwords, to see whether the policy accepts known-good passwords.|
|Dictionaries||Attacker dictionaries of different sizes for guessing passwords.|
|Rules||John the Ripper rules to expand dictionaries.|
|Dictionaries||—>||JtR with Rules||—>||Original + extended dictionaries|
|Password bases||—>||Policy||—>||Passed passwords|
|Passed passwords||—>||JtR + Dictionaries||—>||Guessed passwords|
- Number of passwords that passed a specific policy.
- Number of passwords guessed using a specific dictionary.
- Total number of guessed passwords per policy and password base.
- Mean value of successful guesses for dictionaries of different sizes.
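
The three stages and the four measurements above, as an added example that is not part of the original method's code. The policy, the sample passwords and dictionaries, and the `expand` function (a simplified stand-in for John the Ripper rules) are all constructed for illustration; because the password base is plaintext, guessing reduces to checking membership in the expanded dictionary.

```python
import re
from statistics import mean

# Constructed sample data, not taken from the page or any real dump.
PASSWORD_BASE = ["password", "Password1", "Summer2020!", "qwerty123",
                 "dragon", "xK9#vLq2Tz", "Welcome1!", "letmein"]
DICTIONARIES = {
    "small": ["password", "dragon"],
    "medium": ["password", "dragon", "welcome", "summer", "qwerty"],
}

def policy_min8_3classes(pw):
    """Hypothetical policy: at least 8 characters from 3+ character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3

def expand(words):
    """Simplified stand-in for JtR rules: original words plus mangled forms."""
    suffixes = ("", "1", "123", "1!", "2020!")
    return {base + s for w in words for base in (w, w.capitalize()) for s in suffixes}

def evaluate(policy, base, dictionaries):
    """Run one password base through one policy and all dictionaries."""
    passed = [pw for pw in base if policy(pw)]
    guessed_per_dict, all_guessed = {}, set()
    for name, words in dictionaries.items():
        candidates = expand(words)          # original + extended dictionary
        hits = {pw for pw in passed if pw in candidates}
        guessed_per_dict[name] = len(hits)
        all_guessed |= hits
    return {
        "passed": len(passed),                  # passwords accepted by the policy
        "guessed_per_dict": guessed_per_dict,   # guessed with each dictionary
        "total_guessed": len(all_guessed),      # guessed by any dictionary
        "mean_guessed": mean(guessed_per_dict.values()) if guessed_per_dict else 0,
    }

if __name__ == "__main__":
    print(evaluate(policy_min8_3classes, PASSWORD_BASE, DICTIONARIES))
```

Three of the four passwords this policy accepts are still guessed, which is the kind of difference between policies the measurements are meant to expose.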