The goal of the method is to test password policies and gather measurable parameters that can be compared between policies.

Input parameters

Policy: wrapper code, or code that implements a specific policy.
Password bases: password lists used for testing the policies. Real password dumps are used, as well as bases of presumably good passwords, to check whether a policy accepts passwords that are known to be good.
Dictionaries: attacker dictionaries of different sizes for guessing passwords.
Rules: John the Ripper (JtR) rules used to expand the dictionaries.

The process

Input                 Procedure                Output
Dictionaries      —>  JtR with Rules       —>  Original + extended dictionaries
Password bases    —>  Policy               —>  Passed passwords
Passed passwords  —>  JtR + dictionaries   —>  Guessed passwords

Measured parameters

  • Number of passwords that passed a specific policy.
  • Number of passwords guessed using a specific dictionary.
  • Total number of guessed passwords per policy and password base.
  • Mean number of successful guesses across dictionaries of different sizes.
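The pipeline above (rule-expand the dictionaries, filter the password base through a policy, guess the passed passwords, then compute the measured parameters) as a self-contained harness. This is an added example, not code from the original page. All sample data is constructed: the password base, the "known good" passwords, the two dictionaries and the two policies are placeholders, and the rule functions are simplified stand-ins for a handful of JtR mangling rules rather than the real john rule engine.

```python
"""Toy harness for comparing password policies (added example, constructed data)."""
import re
import statistics

# Constructed password base; a real run would load a leaked-password dump.
PASSWORD_BASE = [
    "password", "Password1", "letmein", "Summer2019!", "correcthorsebattery",
    "qwerty123", "P@ssw0rd", "Tr0ub4dor&3", "hunter2", "Iloveyou!",
]
# Constructed "presumably good" passwords: a policy should accept these.
GOOD_PASSWORDS = ["x9K#mQ2vL!pR", "correct-horse-battery-staple-42"]

# Constructed attacker dictionaries of different sizes.
DICTIONARIES = {
    "tiny": ["password", "letmein", "qwerty", "hunter2"],
    "small": ["password", "letmein", "qwerty", "hunter2",
              "iloveyou", "summer", "monkey", "dragon"],
}


def policy_min8(pw):
    """Policy A (hypothetical): at least 8 characters."""
    return len(pw) >= 8


def policy_complex(pw):
    """Policy B (hypothetical): at least 8 characters and 3 of 4 character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(pw) >= 8 and classes >= 3


POLICIES = {"min8": policy_min8, "complex": policy_complex}

# Simplified stand-ins for a few JtR-style mangling rules (assumption: this is
# not the real john rule language). Each rule maps one word to candidate guesses.
LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1"})
RULES = [
    lambda w: [w],                                             # no-op
    lambda w: [w.capitalize()],                                # capitalize
    lambda w: [w + str(d) for d in range(10)],                 # append one digit
    lambda w: [w.capitalize() + "1", w.capitalize() + "!"],    # capitalize + suffix
    lambda w: [w.translate(LEET), w.capitalize().translate(LEET)],  # leetspeak
    lambda w: [w + "123", w.capitalize() + "2019!"],           # common suffixes
]


def expand_dictionary(words):
    """Original + rule-extended dictionary, in order, without duplicates."""
    out, seen = [], set()
    for w in words:
        for rule in RULES:
            for cand in rule(w):
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def evaluate(policy, base, dictionaries, good):
    """Run one policy through the pipeline and return the measured parameters."""
    passed = [pw for pw in base if policy(pw)]          # Password base -> Policy
    guessed_per_dict, guessed_total = {}, set()
    for name, words in dictionaries.items():            # Passed -> JtR + dictionaries
        candidates = set(expand_dictionary(words))
        hits = {pw for pw in passed if pw in candidates}
        guessed_per_dict[name] = len(hits)
        guessed_total |= hits
    return {
        "passed": len(passed),
        "good_accepted": sum(1 for pw in good if policy(pw)),
        "guessed_per_dict": guessed_per_dict,
        "guessed_total": len(guessed_total),
        "mean_guessed": statistics.mean(guessed_per_dict.values()),
    }


def compare(policies, base, dictionaries, good):
    """Measured parameters for every policy, keyed by policy name."""
    return {name: evaluate(p, base, dictionaries, good) for name, p in policies.items()}


if __name__ == "__main__":
    for name, r in compare(POLICIES, PASSWORD_BASE, DICTIONARIES, GOOD_PASSWORDS).items():
        print(f"{name:8} passed={r['passed']:2} good_ok={r['good_accepted']} "
              f"per_dict={r['guessed_per_dict']} total={r['guessed_total']} "
              f"mean={r['mean_guessed']:.1f}")
```

A lower "guessed_total" at an equal "good_accepted" count is the signal the method is after: the stricter policy here rejects fewer known-good passwords than it rejects weak ones, while the long lowercase passphrase that only the length policy accepts stays unguessed by these small dictionaries.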