This resource is no longer available
By Yiannis Chrysanthou and Allan Tomlinson
Attackers are increasingly turning to human psychology and the study of password selection patterns among user groups to develop sophisticated techniques that can quickly and effectively recover passwords.
Passwords are commonly protected by applying a one-way cryptographic algorithm that produces a hash of set length given any password as input. However, cryptography can only protect something to the point where the only feasible attack on the encrypted secret is to try to guess it. When it comes to passwords, guessing can be easy.
Passwords are insecure by nature because they are used to prevent humans from guessing a small secret created by humans themselves.
This article shows that guessing passwords is as easy as creating them: most commonly used passwords are easy to guess and harder passwords are almost never used.
Royal Holloway Information Security Thesis Series