Password Strength Measurement without Password Disclosure

As a mechanism for promoting improvement in the strength of the user password, there is a mechanism that measures the password strength and gives feedback to the user. There are a wide variety of current strength measurement methods, and there are also methods that transmit a password during input to the remote server to perform strength measurement. However, the threat of sending passwords externally during input has not been sufficiently discussed. In this paper, we first survey the current password strength measurement method, and clarify how much remote side strength measurement exists. Then, the threat of remote strength measurement is organized, and the need for its protection is indicated. The necessity of the method of measuring the password strength without disclosure as the protection method is described, and three approaches are shown. Furthermore, the feasibility of each approach is discussed, and the prototype with the highest feasibility was developed. Moreover, we evaluate the performance and usability of the prototype system. As a result, although basic performance changes depending on system configuration, the result of the user study shows that the usability is not low, and the proposed method is sufficiently practical while reducing the threat.

[1]  Sudhir Aggarwal,et al.  Testing metrics for password creation policies by attacking large sets of revealed passwords , 2010, CCS '10.

[2]  David Cash,et al.  Leakage-Abuse Attacks Against Searchable Encryption , 2015, IACR Cryptol. ePrint Arch..

[3]  Paul C. van Oorschot,et al.  An Administrator's Guide to Internet Password Research , 2014, LISA.

[4]  Carmit Hazay,et al.  Computationally Secure Pattern Matching in the Presence of Malicious Adversaries , 2010, Journal of Cryptology.

[5]  Lujo Bauer,et al.  Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms , 2012, 2012 IEEE Symposium on Security and Privacy.

[6]  Blase Ur,et al.  Measuring Real-World Accuracies and Biases in Modeling Password Guessability , 2015, USENIX Security Symposium.

[7]  Mohammad Mannan,et al.  From Very Weak to Very Strong: Analyzing Password-Strength Meters , 2014, NDSS.

[8]  Scott Ruoti,et al.  End-to-End Passwords , 2017, NSPW.

[9]  Blase Ur,et al.  How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation , 2012, USENIX Security Symposium.

[10]  Stefan Katzenbeisser,et al.  Privacy preserving error resilient dna searching through oblivious automata , 2007, CCS '07.

[11]  Maurizio Filippone,et al.  Monte Carlo Strength Evaluation: Fast and Reliable Password Checking , 2015, CCS.

[12]  Frank Stajano,et al.  The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes , 2012, 2012 IEEE Symposium on Security and Privacy.

[13]  Daniel Lowe Wheeler zxcvbn: Low-Budget Password Strength Estimation , 2016, USENIX Security Symposium.

[14]  Konstantin Beznosov,et al.  Does my password go up to eleven?: the impact of password meters on password selection , 2013, CHI.