Observing Reusable Password Choices

From experience, a significant number of recent computer breakins perhaps the majority can be traced back to an instance of a poorly-chosen reusable password. Once a system intruder has gained access to one account by breaking a password, it is often a simple matter to find system flaws and weaknesses that thereafter allow entry to other accounts and increasing amounts of privilege. The OPUS project being conducted at Purdue is an attempt to screen users' selection of passwords to prevent poor choices. The focus of the project is on using screening methods that are both time and space-efficient and to provide a mechanism that is effective for workstations with little or no disk as well as mainframes. To test this mechanism, we require a representative sample of real passwords. Thus, we constructed a method of sampling real passwords choices as they were made by users. The challenge of such a sampling mechanism is how to protect it from attack, and how to protect the results from being used against the system. This paper discusses our approach, and some of our initial observations on the words collected.