Computer Laboratory


Users hate passwords - so are they on their way out?

Angela Sasse

M. Angela Sasse is the Professor of Human-Centred Technology at University College London. A usability researcher by training, for over 15 years her work has focused on the human-centred aspects of security, privacy, identity and trust. She is the Director of the UK Research Institute in the Science of Cyber Security (RISCS) and was elected a Fellow of the Royal Academy of Engineering in 2015.


BitLocker Dictionary Attack using GPUs

Elena Agostini and Massimo Bernaschi

Abstract: BitLocker is a full-disk encryption feature included in recent Windows versions. It is designed to protect data by providing encryption for entire volumes, by using a number of different authentication methods. In this paper we present a solution, named BitCracker, to try the decryption, by means of a dictionary attack, of memory units encrypted by BitLocker with a user supplied password. To that purpose, we resort to GPU (Graphics Processing Units) that are, by now, widely used as general-purpose coprocessors in high performance computing applications. BitLocker decryption process requires the execution of a large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPU, for both of them. To evaluate BitCracker performance we made a comparison with oclHashcat and John the Ripper password crackers.


Preventing Keystroke Dynamics Identification And Tracking: The Hard Way

Per Thorsheim and Paul Moore

Per Thorsheim is the founder & main organizer of PasswordsCon. During daytime he works as an information security consultant. Evenings are spent researching & coordinating all things passwords worldwide. He is certified CISA, CISM, CISSP & ISSAP. He knows your next password.


Efficient Wordlists - Why you don't need 25GB To Be a Pro

Dimitri Fousekis

Abstract: A common question asked by many who wish to analyse, "crack" or recover passwords is "what wordlist do I use?"
Unfortunately there is much mis-information out there, including for example, that people should be using 25GB or greater Wordlists for the best effect. The result is that cracking passwords becomes a tedious, long-time and relatively fruitless excersize.
The goal of this talk is to practically show how to go from "beginner" to "advanced" password cracking capabilities just by creating, managing and using efficient wordlists. It will also assist with the latest information on non-English wordlists, UTF-character-based wordlists and more.
The Talk will cover;

  1. Efficient vs Inefficient Wordlists - Why less is more.
  2. Where to start? Sourcing good Wordlists
  3. Processing Wordlists - Boosting your Cracking Efficiency
  4. Tools to create, manage and process Wordlists (covers current, and a custom tool by myself and others)
  5. Non-English Wordlists: Chinese, Arabic and Greek.
  6. Re-use, Process, Re-use, Process, Repeat.
  7. A quick word about Brute-force vs Wordlists
  8. Conclusion

The talk will be 70% technical and 30% theoretical, showing real-world statistics on what makes Wordlists crack faster and better, how they can be properly targeted for your jobs and what mistakes you should avoid.


A Framework for Comparing Password Guessing Strategies

Maximillian Golla

I am a second year PhD student at the Mobile Security Group of Prof. Dr. Markus Dürmuth at the Horst-Görtz-Institute for IT-Security (Ruhr-University Bochum). My research interests cover ubiquitous authentication that does not require user interaction to provide implicit security. One focus of my research is the standardization of password guessing performance evaluations. Furthermore, we build, test, and break authentication schemes and explore alternative approaches.

Abstract: Several password guessers have been proposed in recent years. Comparing the reported performance numbers is difficult, as the experiments were performed on different datasets, with miscellaneous pre-processing applied, with varying numbers of guesses, and with different parameters. Re-running experiments under controlled conditions thus is essential for a fair comparison. Furthermore, re-running the experiments on newer password leaks not available earlier eliminates the risk of over-training a guesser to the available datasets.
In our first contribution, we developed a framework to automate and facilitate the comparison of password guessers on a large set of configurations. Central design criteria were ease-of-use, modularity, and easy expandability. Similar software is available in other disciplines (such as fingerprint matching and face recognition), and we believe the framework will help to drive and facilitate the future development of password guessers. In our second contribution, we used this framework to compare four well-known password guessers on a range of different password lists, resulting in a total of 148 experiments. We will make the framework publicly available and provide regular updates for the password guesser comparison online.


Debunking Graphical Password Myths

Jeunese Payne

Abstract: There have been numerous attempts to replace or re-design knowledge-based authentication. Despite these endeavours, driven by known usability and security weaknesses, traditional password-based systems have remained ubiquitous. Graphical passwords have emerged and re-emerged in different forms as a proposed solution. The broad argument is that such passwords should be easier to remember, easier to use, and more secure. Psychological jargon is often used to justify these claims, but what does the real psychology suggest?


Linguistic Cracking of Passphrases using Markov Chains

Peder Sparell and Mikael Simovits

Abstract: In order to remember long passwords, it is not uncommon users are recommended to create a sentence which then is assembled to form a long password, a passphrase. However, theoretically a language is very limited and predictable, why a linguistically correct passphrase according to Shannon's definition of information theory should be relatively easy to crack compared to brute-force. This work focuses on cracking linguistically correct passphrases, partly to determine to what extent it is advisable to base a password policy on such phrases for protection of data, and partly because today, widely available effective methods to crack passwords based on phrases are missing. Within this work, phrases were generated for further processing by available cracking applications, and the language of the phrases were modeled using a Markov process. In this process, phrases were built up by using the number of observed instances of subsequent characters or words in a source text, known as n-grams, to determine the possible/probable next character/word in the phrases. The work shows that by creating models of language, linguistically correct passphrases can be broken in a practical way compared to an exhaustive search. In the tests, passphrases consisting of up to 20 characters were broken.


HPKP, HSTS & CSP for securing your password

Scott Helme

Scott is an information security consultant at Pentest Limited. He has received worldwide attention for his free online web security services and, and he blogs frequently about web security at


Rethinking factors, and (not) to store oracles

Jeffrey Goldberg

Jeff is the Chief Defender against the Dark Arts at AgileBits, Inc, the makers of 1Password. He writes about password security on the AgileBits blog, and is active in the security design of 1Password.

Abstract: Multi-factor Authentication is typically thought of in terms of "something you have", "something you know", "something you are". But those distinctions are only useful in so far as they tell us what different kinds of threats the factors are or aren't vulnerable to. It is far more useful to think directly in terms of the threats that they do and don't defend against when considering what factors to introduce.
For example different factors might better be thought of in terms of "something that can be stolen", "something that can be guessed", and "something that can be captured and replayed". At the same time, adding factors is a threat to data availability and can be thought of in terms of "something that might be lost" and "something that might be forgotten".
Whether to add factors and how it should be done should be thought of in this light. In particular, we are exploring in a work in progress how user factors can be added so that server stored data cannot be used for password cracking.
We would like to discuss some of our work in progress in this area both explaining our thoughts and seeking insights from participants.


Experimental Study of DIGIPASS GO3 and the Security of Authentication

Igor Semaev

Graduated from the Institute for Cryptography and Communication, Moscow in 1981. Worked for the Government of Russia in 1981-2002, then for the Department of Mathematics, University of Leuven, Belgium. Since 2004 professor at the Department of Informatics, University of Bergen, Norway.

Abstract: Based on the analysis of 6-digit combinations(OTP) generated by DIGIPASS GO3 we were able to reconstruct the synchronisation system of the token, the OTP generating algorithm and the verification protocol in details essential for an attack. The OTPs are more predictable than expected. A forgery attack is described. We argue the attack success probability is 8^{-5}. That is much higher than 10^{-6} which may be expected if all the digits are independent and uniformly distributed. The implications for the security of authentication are discussed and open questions are formulated.


"To whom it's not concern" (ethical problems of information leaks research)

Alexandra Strigunkova

Alexandra works in the field of implementing and improving the IT service management processes: writing process documents, instructions, policies and also she has experience of working in information security. But on the other hand she has a 2 years training in psychological consulting in People's Friendship University of Russia and additional 5 year education in Moskow Institute of Gestalt and Psychodrama as a gestalt consultant. This allows her to see the world of information security from an interesting perspective we often forget: how we actually think and behave with challenges and solutions. And last but not least: she is married to a Russian password cracking expert.

Abstract: Any information posted on the Internet could fall into the hands of persons, for whom it is not intended. And it's not just about the password and login of users of various systems, but also about highly delicate personal data. There are rules and regulations in academic circles for handling information, especially containing personal data. But among researchers in the field of information security not all follow such rules and restrictions. Do not forget about the legal side of the issue, because the law of different countries try to protect the privacy of citizens. The case of the Ashley Madison raises the very question that I want to discuss: is it ethical to use the information obtained as a result of leaks for research? Especially if it is information of a delicate nature. After all, virtually every researcher is the person for whom this information is not intended.


Beyond Words

Sebastein Raveau

Sebastien works with information security. He has previously spoken at PasswordsCon in 2012, and he is well known for his work based on extracting data from wikipedia and other wikis to generate a wordlist for password cracking.

Abstract: XKCD's "correcthorsebatterystaple" suggestion is often dismissed on the basis that trying word combinations is still too easy for computers, but are we sure that we have all the words? What if the password was a concatenation of "9/11", "767-223ER", ".40 S&W" and "John 3:16" ?
At Passwords^12 I presented the technical challenges in creating a Wikipedia Wordlist and notably the unexpected amount of junk; since 2009 I kept improving those algorithms, becoming happier and happier with cleaner and cleaner output, but at Passwords^14 I unfortunately had to cancel my rump session when I discovered that the wordlist was actually cracking fewer and fewer passwords.
Taking a completely different approach I was able to crack passwords like "Lupo 1.2 TDI 3L", "Proverbs 14:12", "Calvin & Hobbes" and "bornontheforthofjuly" (sic) in the LinkedIn hashes for example. There are opposing directions that I can take from here however so if the only true wisdom is knowing that I know nothing, I would like to submit my ideas to the community and brainstorm the future of the wordlist.


Verification Code Forwarding Attack

Seyedhossein Siadati, Toan Nguyen and Nasir Memon

Toan Nguyen is a PhD candidate at New York University where he conducts research on user authentication, including, but not limited to, passwords, PINs, behavioral biometrics, and multi-factor authentication. He holds a Bachelor of Engineering in Information Technology and a Master of Science in Computer and Communication Engineering from Hanoi University of Science and Technology, Vietnam

Nasir Memon is a professor in the Department of Computer Science and Engineering at NYU Tandon School of Engineering. He is an affiliate faculty at the Computer Science department in the Courant Institute of Mathematical Sciences at NYU. He is the founding director of the Center for Interdisciplinary Studies in Security and Privacy (CRISSP), a collaborative initiative of multiple schools within NYU including NYU-Steinhardt, NYU-Wagner, NYU-Stern, and NYU-Courant well as NYU Abu Dhabi. Prof. Memon is the founder and director of the Information Systems and Internet Security laboratory. His research interests include digital forensics, biometrics, data compression, network security and security, and human behavior.

Abstract: Major Internet service providers deploy SMS-based verification mechanisms to fortify the security of users' accounts for critical actions such as password reset and logging in from a new computer. In this paper, we describe a new type of phishing attack where an attacker triggers the delivery of a verification code from a service provider to a user and lures the user to forward the code to him so that he can bypass the SMS verification process. We call this a Verification Code Forwarding Attack (VCFA). The attacker can use VCFA to reset a password of a user's account or to get access to a 2-factor enabled account which he already knows its password (e.g., through leaked databases). We attribute the success of this attack to the lack of an effective and usable means for the user to verify the service provider, the lack of context for the message sent, and an assumption about users' understanding of the authentication process. To show the susceptibility of the users to such an attack, we conducted an experiment with 20 mobile phone users and found that more than 25% of users were vulnerable against this type of attack. A semi-structured interview with the subjects of the experiment and a survey of 100 subjects on Amazon Mechanical Turk were done to explore possible causes for the success of this type of attack. We also discuss the possible remediation.


What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks

Abdelrahman Abdou, David Barrera and Paul van Oorschot.

David Barrera is a postdoc in the Network Security group at ETH Zürich in Switzerland. He received his PhD from Carleton University where he worked on secure software installation and updates. He is currently doing research on security and privacy of next-generation networks.

Abstract:We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of about 17M login attempts originating from 112 different countries and over 6K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.


Expert Password Management

Elizabeth Stobert and Robert Biddle

Elizabeth Stobert is a postdoc in the System Security group at ETH Zurich in Switzerland. She recently finished her PhD at Carleton University in Canada, where she worked on human factors in authentication. Her research is in usable security, and is currently working on projects relating to location-based authentication.

Robert Biddle is a Professor in the School of Computer Science and Institute of Cognitive Science at Carleton University in Ottawa, Canada. His research is in Human-Computer Interaction and Software Design. His current research projects are on usable security, especially authentication and security decision-making, and on large-scale multi-touch devices, especially environments for collaborative design and visualization.

Abstract:Experts are often asked for advice about password management, but how do experts manage their own passwords? Is their behaviour different from that of non-experts? We conducted a series of interviews with researchers and practitioners in computer security, asking them about their password management behaviour. We used thematic analysis to analyze our interview data, and found that expert users described a dichotomy of behaviour where they employed more secure behaviour on important accounts that they deemed more worthy, but had similar practices to non-expert users on remaining accounts. Experts' greater situation awareness allowed them to more easily make informed decisions about password management, and expert practices can be used to suggest ways for non-experts to better manage their passwords.


On Password-Authenticated Key Exchange Security Modeling

Jean Lancrenon has been a research associate at SnT since January 2012, in Prof. Peter YA Ryan’s group (ApSIA). He obtained his PhD from the Université Joseph Fourier (Grenoble, France) in June 2011. His research mainly focuses on the security modeling of cryptographic services with a particular emphasis on authenticated key exchange protocols.

Jean Lancrenon

Abstract:Deciding which security model is the right one for Authenticated Key Exchange (AKE) is well-known to be a difficult problem. In this paper, we examine definitions of security for Password-AKE (PAKE) in the style proposed by Bellare et al. at Eurocrypt 2000. Indeed, there does not seem to be any consensus, even when narrowing the study down to this particular authentication method and model style, on how to precisely define fundamental notions such as accepting, terminating, and partnering. The aim of this paper is to begin addressing this problem. We first show how definitions vary from paper to paper. We then propose and thoroughly motivate a definition of our own, and use the opportunity to correct a minor flaw in a more recent and more PAKE-appropriate model proposed by Abdalla et al. at Public Key Cryptography 2005. Finally, we argue that the uniqueness of partners holding with overwhelming probability ought to be an explicitly required and proven property for AKE in general, but even more so in the password case, where the optimal security bound one aims to achieve is no longer a negligible value. To drive this last point, we exhibit a protocol that is provably secure following the Abdalla et al. definition, and at the same time fails to satisfy this property.


Catena Variants - Different Instantiations for an Extremely Flexible Password-Hashing Framework

Jakob Wenzel and Stefan Lucks

In 2011, after finishing my B. Sc. and M. Sc. in Computer Science and Media, I startet my PhD at the Bauhaus-Universität Weimar, Germany. Since then, I am working in the group of Prof. Stefan Lucks and we are focusing on symmetric cryptographc. More detailed, we mainly work on provable security, differential cryptanalysis, and since 2012 we also focus on password security. I am a co-author of the PHC finalist Catena as well as the 2nd-round candidate POET (CAESAR competition).

Abstract:Catena is a password-scrambling framework characterized by its high flexibility. The user (defender) can simply adapt the underlying (cryptographic) primitives, the underlying memory-hard function, and the time (λ) and memory (garlic) parameters, to render it suitable for a wide range of applications. This enables Catena to maximize the defense against specific adversaries, their capabilities and goals, and to cope with a high variation of hardware and constraints on the side of the defender. Catena has obtained special recognition of the Password Hashing Competition (PHC), alongside of the winner Argon2. Since the specification document of the PHC submission discusses and specifies only six default instantiations with limited parameter recommendations, we want to use this document to introduce further variants of Catena, or rather, further instantiations of the Catena framework. Our instantiations use different hash functions, and we evaluate their influence on the computational time and the throughput. Next, we discuss how instantiations of the memory-hard graph-based algorithm influence the computational time and resistance against low-memory attacks. Furthermore, we introduce possible extensions of Catena accommodat ing strong resistance against GPU- and ASIC-based adversaries, e.g., by providing sequential memory-hardness due to a data-dependent indexing function. At the end, we combine particular instantiations discussed so far to construct full-fledged variants of Catena for certain goals. Hence, this document can be seen as an additional guide to the PHC submission of Catena when considering its usage under certain restrictions.


Analyzing 4 Million Real-World Personal Knowledge Questions

Maximilian Golla and Markus Dürmuth

I am a second year PhD student at the Mobile Security Group of Prof. Dr. Markus Dürmuth at the Horst-Görtz-Institute for IT-Security (Ruhr-University Bochum). My research interests cover ubiquitous authentication that does not require user interaction to provide implicit security. One focus of my research is the standardization of password guessing performance evaluations. Furthermore, we build, test, and break authentication schemes and explore alternative approaches.

Markus Dürmuth is an assistant professor and head of the mobile security group at Ruhr-University Bochum. His main research interests are user authentication and privacy, with a special focus on mobile devices. He received his PhD from Saarland University and was a Post-doctoral Scholar at Stanford University.

Abstract:Personal Knowledge Questions are widely used for fallback authentication, i.e., recovering access to an account when the primary means of authentication is lost. It is well-known that the answers have low-entropy only, and are sometimes derivable from other data sources, but ease-of-use and supposedly good memorability seem to out-weight this drawback for some applications. In August 2015, hackers published a database dump of a famous online dating website, including 3.9 million plain text answers to personal knowledge questions, among other data, making it the largest of such publicly available lists. We analyzed this list of answers and were able to confirm previous findings that were obtained on non-public lists (WWW 2015), in particular we found that some users don't answer truthfully, which may actually reduce the answer's entropy.


Strengthening Public Key Authentication against Key Theft

Martin Kleppmann and Conrad Irwin

Martin straddles the fence between academia and industry. He is a research associate at the University of Cambridge Computer Laboratory, while also writing the O'Reilly book Designing Data-Intensive Applications (, which analyses the data infrastructure used by internet companies. He previously co-founded a startup, Rapportive, which was acquired by LinkedIn in 2012. He is active in open source, his technical blog is at, and he's @martinkl on Twitter.

Abstract:Authentication protocols based on an asymmetric keypair provide strong authentication as long as the private key remains secret, but may fail catastrophically if the private key is lost or stolen. Even when encrypted with a password, stolen key material is susceptible to offline brute-force attacks. In this paper we demonstrate a method for rate-limiting password guesses on stolen key material, without requiring special hardware or changes to servers. By slowing down offline attacks and enabling easy key revocation our algorithm reduces the risk of key compromise, even if a low-entropy password is used.


ITSME: Multi-modal and Unobtrusive Behavioural User Authentication for Smartphones

Attaullah Buriro, Bruno Crispo, Filippo Delfrari, Jeffrey Klardie and Konrad Wrona

Bruno Crispo is professor at the Leuven University in Belgium and at the University of Trento in Italy. In the last 20 years, he worked on several research topics in the area of security, trust and privacy. More recently, his research interests are mainly on mobile platforms and mobile app security and on investigating the possibility of designing secure systems using behaviour (human, device, process, etc.) as main characteristic.

Abstract:In this paper, we propose a new multi-modal behavioural biometric that uses features collected while the user slide-unlocks the smartphone to answer a call. In particular, we use the slide swipe, the arm movement in bringing the phone close to the ear and voice recognition to implement our behavioural biometric. We implemented the method on a real phone and we present a controlled user study among 26 participants in multiple scenario's to evaluate our prototype. We show that for each tested modality the Bayesian network classifier outperforms other classifiers (Random Forest algorithm and Sequential Minimal Optimization). The multimodal system using slide and pickup features improved the unimodal result by a factor two, with a FAR of 11.01% and a FRR of 4.12%. The final HTER was 7.57%.


Assessing the User Experience of Password Reset Policies in a University

Simon Parkin, Samy Driss, Kat Krol and M. Angela Sasse

Simon Parkin is a Senior Research Associate in the Information Security Research Group at University College London. Current research focuses on the human factor in IT-security and how it is managed in organisations.

Samy Driss is a recent MSc Information Security graduate from University College London, having also graduated from the University of Nottingham with a BSci Computer Science. He has a passion for IT and has experience in the telecommunications industry. Samy has a keen interest in film making and enjoys swimming on his own time. He currently resides in London.

Kat Krol is about to submit her PhD thesis at University College London, UK. Her doctoral research focuses on the role of effort in users' security and privacy behaviours online. Kat also recently became an Open Technology Fund fellow within the Secure Usability Fellowship Program (SUFP). During her fellowship, she will be studying the adoption and usability of secure messaging tools.

M. Angela Sasse is the Professor of Human-Centred Technology at University College London. A usability researcher by training, for over 15 years her work has focused on the human-centred aspects of security, privacy, identity and trust. She is the Director of the UK Research Institute in the Science of Cyber Security (RISCS) and was elected a Fellow of the Royal Academy of Engineering in 2015.

Abstract:Organisations may secure system access through use of passwords that comply with defined complexity rules. It may be required that passwords be changed regularly, using an in-person or online helpdesk. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts, so productivity costs remain with the end-user. We investigate how helpdesk log data can be analysed and augmented to expose the personal costs. Here we describe exploratory analysis of a university's helpdesk log data, spanning 30 months and 500,000 system events for approximately 10,000 staff and 20,000-plus students. End-user costs were identified, where follow-on interviews and NASA-RTLX assessments with 20 students informed issues which log data did not adequately describe. The majority of users reset passwords before expiration (75% of log events). Log analysis indicated that the online self-service system was vastly preferred to the helpdesk, but that there was a 4:1 ratio of failed to successful attempts to recover account access. Log data did not describe the effort in managing passwords, where interviews exposed points of frustration. Participants saw the need for security but voiced a lack of understanding of the numerous restrictions on passwords. Frustrations led to adoption of diverse coping strategies. We propose ways to improve support, including real-time communication of reasons for failed password creation attempts, and measurement of timing for both successful and failed login attempts.


Best paper award

Elizabeth Stobert and Robert Biddle's paper Expert Password Management is awarded our best paper award. Congratulations.


Here are the conference pre-proceedings.

Keynote Academic paper Academic short paper Tutorial Break
Monday 7th Dec Tuesday 8th Dec Wednesday 9th Dec
08:30 Registration Good morning! Good morning!
09:00-9:10 Welcome to Passwords 2015!
Keynote:The History Of L0phtCrack
09:00 Keynote:Users hate passwords - so are they on their way out? 09:00 Late start morning.
09:30 09:30 09:30
10:00 10:00 10:00
Coffee break
Coffee break
11:00 11:00 11:00
Coffee break
11:30 11:30 11:30
PICO project update
12:00 12:00
Lunch break
Lunch break
Lunch break
13:00 13:00 13:00
13:30 13:30 13:30
14:00 14:00 14:00
14:30 14:30 14:30
15:00 15:00
Good bcrypt, broken by bad MD5
Coffee break
Coffee break
Facebook OpenPGP support
16:00 Beyond words 16:00
16:30 16:30 16:30
Passwords and the Cyber Caliphate
17:00 17:00
On location easy dinner
Lightning talks
Networking 19:30 Drink reception
20:00 Trinity College Dinner
passwords logo