LPSE: Lightweight password-strength estimation for password meters

Abstract: User-created strong passwords are the key to guaranteeing the security of password authentication. In practice, users often choose passwords that feel safe and that they can remember easily. However, users' perception of the strength of their passwords is inconsistent with the actual strength of those passwords. To encourage users to create strong passwords, many websites use password meters to visualize the strength of user-chosen passwords, but the existing password meters have limited accuracy. State-of-the-art password-guessing approaches are highly accurate at testing the strength of passwords, but these algorithms are not suitable for measuring password strength directly on the client side, because of their long running time and their storage requirements. In this paper, we propose a lightweight password-strength estimation method (LPSE). By testing strong and weak passwords selected by a state-of-the-art password-cracking algorithm, we observed that our LPSE algorithm is superior to the existing lightweight password-strength estimation algorithms in accurately identifying strong passwords and weak passwords. Moreover, the LPSE algorithm requires notably little storage space and is sufficiently fast for client-side measurement of password strength.
