News Story
Mazurek Receives Test of Time Award at IEEE S&P
Published May 22, 2023
Michelle Mazurek, an associate professor of computer science and director of the Maryland Cybersecurity Center (MC2), was recognized with an IEEE Security and Privacy Test of Time award for a paper she co-authored in 2012 that presents a novel, efficient technique for evaluating password strength.
She was honored at the 44th IEEE Symposium on Security and Privacy (IEEE S&P), held this year from May 22–25 in San Francisco.
The Test of Time award recognizes papers published at IEEE’s flagship security conference that have made a lasting impact on the field. To qualify, a paper must have been published at IEEE S&P between 10 and 12 years prior.
“Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms”—co-authored by Mazurek while working on her Ph.D. in electrical and computer engineering at Carnegie Mellon University—takes a substantial step forward in understanding the effects of password-composition policies on the guessability of passwords.
For their study, the Carnegie Mellon researchers analyzed 12,000 plaintext passwords collected under seven composition policies via an online study. Then they developed an efficient distributed method for calculating how effectively several password-guessing algorithms guess passwords.
Using this technique, they were able to perform a more comprehensive password analysis than had previously been possible.
Mazurek, who has an appointment in the University of Maryland Institute for Advanced Computer Studies, believes the paper was selected because it was one of the earlier papers in what turned out to be a “real renaissance of password research.”
“We invented a metric—guess numbers or guessing curves—for password strength that has gone on to become pretty standard for future passwords research,” she says. “The specifics of how to calculate guess numbers have been improved significantly over the years, but the general approach—measuring how many passwords can be guessed by an optimized attacker by a certain number of guesses—is now pretty much the generally accepted way to do it.”
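The guess-number metric described in the quote above can be illustrated in a few lines. The following is an added example written for this story, not code from the paper or its authors: a guess number is the position at which a guessing algorithm would first produce a given password, and a guessing curve is the fraction of a password set guessed within a given budget of guesses. The guess ordering and the two password sets below are constructed toy data (the paper used the guess sequences of real cracking algorithms over passwords collected under real composition policies); the function names are my own.

```python
"""Guess numbers and guessing curves for measuring password strength.

Added example, not the paper's code. The guess ordering and password sets
are constructed stand-ins so the script runs offline.
"""
from bisect import bisect_right
from typing import Dict, List, Optional

# Constructed stand-in for a guessing algorithm's ordered output
# (most probable guess first). A real run would use a cracker's guess stream.
TOY_GUESS_ORDER = [
    "password", "123456", "qwerty", "letmein", "password1",
    "Password1", "monkey", "dragon", "iloveyou", "P@ssw0rd",
]

# Constructed sample sets, labelled by the composition policy they stand for:
# "basic8" = at least 8 characters; "comp8" = 8+ characters with mixed classes.
SAMPLES = {
    "basic8": ["password", "monkey", "letmein", "dragon", "correcthorse"],
    "comp8": ["Password1", "P@ssw0rd", "Tr0ub4dor&3", "iloveyou", "Xk9#mQ2v"],
}


def guess_numbers(guess_order: List[str], passwords: List[str]) -> List[Optional[int]]:
    """Return the 1-based guess number of each password, aligned with the input
    list, or None if the guesser never produces it within the available guesses.
    Duplicate guesses keep their first position."""
    index: Dict[str, int] = {}
    for position, guess in enumerate(guess_order, start=1):
        index.setdefault(guess, position)
    return [index.get(pw) for pw in passwords]


def guessing_curve(numbers: List[Optional[int]], cutoffs: List[int]) -> List[float]:
    """Fraction of the set guessed within each cutoff: the guessing curve."""
    if not numbers:
        raise ValueError("empty password set")
    found = sorted(n for n in numbers if n is not None)
    return [bisect_right(found, cutoff) / len(numbers) for cutoff in cutoffs]


def curves_by_policy(guess_order: List[str], samples: Dict[str, List[str]],
                     cutoffs: List[int]) -> Dict[str, List[float]]:
    """Compute one guessing curve per policy so policies can be compared at
    equal guess budgets, which is how the metric is normally reported."""
    return {
        policy: guessing_curve(guess_numbers(guess_order, pws), cutoffs)
        for policy, pws in samples.items()
    }


if __name__ == "__main__":
    budgets = [1, 5, 10]
    for policy, curve in curves_by_policy(TOY_GUESS_ORDER, SAMPLES, budgets).items():
        points = ", ".join(f"{b}: {f:.0%}" for b, f in zip(budgets, curve))
        print(f"{policy:7s} guessed within {{{points}}}")
```

Comparing the two curves at the same budgets is the point: the stricter policy's curve rises more slowly, which is what "stronger" means under this metric. With real data the guess ordering would be the output of an actual guessing algorithm and the cutoffs would span many orders of magnitude.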
—Story by Melissa Brachfeld, UMIACS communications group