Bio: Sudhir Aggarwal is an academic researcher from Florida State University. The author has contributed to research in topics: Password & Formal specification. The author has an h-index of 18, co-authored 67 publications receiving 1737 citations. Previous affiliations of Sudhir Aggarwal include Telcordia Technologies & Bell Labs.
Papers published on a yearly basis
17 May 2009
TL;DR: This paper discusses a new method that generates password structures in highest probability order by automatically creating a probabilistic context-free grammar based upon a training set of previously disclosed passwords, and then generating word-mangling rules to be used in password cracking.
Abstract: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack can be a difficult task. In this paper we discuss a new method that generates password structures in highest probability order. We first automatically create a probabilistic context-free grammar based upon a training set of previously disclosed passwords. This grammar then allows us to generate word-mangling rules, and from them, password guesses to be used in password cracking. We will also show that this approach seems to provide a more effective way to crack passwords as compared to traditional methods by testing our tools and techniques on real password sets. In one series of experiments, training on a set of disclosed passwords, our approach was able to crack 28% to 129% more passwords than John the Ripper, a publicly available standard password cracking program.
04 Oct 2010
TL;DR: This paper attempts to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies, by modeling the success rate of current password cracking techniques against real user passwords.
Abstract: In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.
30 Aug 2004
TL;DR: In this paper, the authors proposed a time-stamp augmented dead reckoning vector that enables the receiver to render the entity accurately and compared the accuracy seen in game playing using the traditional method and the proposed technique.
Abstract: Distributed multi-player games use dead reckoning vectors to intimate other (at a distance) participating players about the movement of any entity by a controlling player. The dead reckoning vector contains the current position of the entity and the velocity components. When a participating player receives a vector, traditionally it puts the entity at the current position specified by the vector and starts projecting the path of the entity from that point using the local clock of the receiver. In this paper we show that this traditional method of usage of dead reckoning vector brings in inaccuracy in the receivers' rendering of the entity. This inaccuracy can be substantial even with low network delay between the sender-receiver pairs and increases with network delay. We propose the use of globally synchronized clocks among the participating players and a time-stamp augmented dead reckoning vector that enables the receiver to render the entity accurately. We modified the popular game BZFlag with this technique, and compared the accuracy seen in game playing using the traditional method and the proposed technique. We conducted several types of experiments varying the frequency of generation of dead reckoning vectors and the delay between the sender and the receivers. The experiments show significant quantitative improvement in accuracy even for 100ms delay between the sender-receiver pairs and appreciable qualitative improvement in game playing experience.
30 Jul 1998
TL;DR: In this paper, a Steiner spanning tree-based system and method for multicast conferencing and online discussion groups using a periodically determined close-to-optimal spanning tree is presented.
Abstract: A system and method for multicast conferencing and online discussion groups using a periodically determined close-to-optimal Steiner spanning tree. Both the system and method are suitable for stationary and/or mobile group members.
01 Jan 1983
01 Jan 1989
TL;DR: The focus is on the qualitative aspects of control, but computation and the related issue of computational complexity are also considered.
Abstract: A discrete event system (DES) is a dynamic system that evolves in accordance with the abrupt occurrence, at possibly unknown irregular intervals, of physical events. Such systems arise in a variety of contexts ranging from computer operating systems to the control of complex multimode processes. A control theory for the logical aspects of such DESs is surveyed. The focus is on the qualitative aspects of control, but computation and the related issue of computational complexity are also considered. Automata and formal language models for DESs are surveyed.
01 Jul 1990
TL;DR: To model the behavior of finite-state asynchronous real-time systems, the notion of timed Büchi automata (TBA) is proposed, coupled with a mechanism to express constant bounds on the timing delays between system events.
Abstract: To model the behavior of finite-state asynchronous real-time systems we propose the notion of timed Büchi automata (TBA). TBAs are Büchi automata coupled with a mechanism to express constant bounds on the timing delays between system events. These automata accept languages of timed traces, traces in which each event has an associated real-valued time of occurrence.
01 Jan 1995
12 Jun 1989
TL;DR: A scheme that allows timing assumptions to be incorporated into automatic proofs of arbitrary finite-state temporal properties is described, and it is conjectured that the method presented can be extended to prove timing properties as well.
Abstract: We have described a scheme that allows timing assumptions to be incorporated into automatic proofs of arbitrary finite-state temporal properties. The obvious extension is to be able to prove timing properties, not just assume them. This would provide a verification framework for finite-state hard real-time systems. We conjecture that the method presented can, in fact, be extended in this way.
20 May 2012
TL;DR: It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Abstract: We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords, and an attacker never gains more than a factor of 2 in efficiency by switching from the globally optimal dictionary to population-specific lists.