An Explainable Password Strength Meter Addon via Textual Pattern Recognition

Textual passwords still dominate authentication for remote file sharing and website logins, even though researchers have recently shown several vulnerabilities in this authentication mechanism. When a user creates or changes a password, a website usually relies on a password strength meter (PSM for short) to display the strength of the password. When the password is rated as weak, the user may replace it with a stronger or more secure one. However, users are often confused when a password, especially one they use frequently, is shown as weak. We argue that an explainable password strength meter addon, one that shows the reasons why a password is weak, can help users create a secure password more effectively. Unfortunately, we find few sites in the Alexa global top 100 showing such details. Motivated to help users with an explainable PSM, this paper proposes an addon to PSMs that provides feedback in the form of textual password patterns explaining why a password is weak. This PSM addon can detect twelve types of patterns, which cover a very large proportion of 70 million leaked real passwords from high-profile websites. According to our evaluation and user study, our PSM addon, which leverages textual password patterns, can effectively detect these popular patterns and effectively help users create more secure passwords.
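As an added illustration (not code from the paper), the following Python detector works in the spirit of the addon described above: each recognized textual pattern yields a plain-language reason the user can act on, instead of a bare "weak" verdict. The pattern categories, keyboard rows, leetspeak mapping and the tiny common-password list are assumptions, since the abstract does not enumerate the paper's twelve pattern types.

```python
import re
from typing import List

# Constructed sample data: the paper's own pattern set is not listed in the abstract,
# so these rows, words and the leetspeak map are assumptions for demonstration only.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}
LEET = str.maketrans("@$01345", "asoieas")  # map common leetspeak symbols back to letters


def _sequence_run(s: str, min_len: int = 4) -> bool:
    """True if s contains >= min_len characters stepping by +1 or -1 (abcd, 4321)."""
    for i in range(len(s) - min_len + 1):
        seg = s[i:i + min_len]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if s contains a run of adjacent keys on one keyboard row, in either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in s or seg[::-1] in s:
                return True
    return False


def explain_weakness(password: str) -> List[str]:
    """Return human-readable reasons a password is weak; an empty list means no pattern matched."""
    p = password.lower()
    reasons: List[str] = []
    if p in COMMON_WORDS:
        reasons.append("appears verbatim in a list of common passwords")
    elif p.translate(LEET) in COMMON_WORDS:
        reasons.append("leetspeak variant of a common password")
    if re.search(r"(.)\1{2,}", p):
        reasons.append("a character repeated three or more times")
    if _sequence_run(p):
        reasons.append("a run of consecutive letters or digits")
    if _keyboard_walk(p):
        reasons.append("a walk along one keyboard row")
    if re.search(r"(19|20)\d{2}", p):
        reasons.append("a four-digit year")
    if re.fullmatch(r"[a-z]+\d{1,4}", p):
        reasons.append("a word followed only by a short digit suffix")
    return reasons
```

A real meter would feed these reasons back next to the strength bar; a password that triggers no rule is not thereby strong, only free of the patterns this checker knows.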