Affiliation:
1. School of Electrical Engineering, Tel Aviv University, Israel
Abstract
Human-chosen passwords are the dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password’s rank in fractions of a second – without actually enumerating the passwords – so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.
Subject
Computer Networks and Communications,Hardware and Architecture,Safety, Risk, Reliability and Quality,Software
Reference42 articles.
1. The EM Side—Channel(s)
2. A. Bogdanov, I. Kizhvatov, K. Manzoor, E. Tischhauser and M. Witteman, Fast and memory-efficient key recovery in side-channel attacks, in: Selected Areas in Cryptography (SAC), 2015.
3. C. Castelluccia, M. Dürmuth and D. Perito, Adaptive password-strength meters from Markov models, in: NDSS, 2012.
4. A. Das, J. Bonneau, M. Caesar, N. Borisov and X. Wang, The tangled web of password reuse, in: NDSS’14, 2014, pp. 23–26.
5. L. David and A. Wool, A bounded-space near-optimal key enumeration algorithm for multi-subkey side-channel attacks, in: Proc. RSA Conference Cryptographers’ Track (CT-RSA’17), LNCS, Vol. 10159, Springer Verlag, San Francisco, 2017, pp. 311–327.