Abstract

Passwords are the most widely used authentication scheme for granting access to user accounts on the Internet. In order to choose strong passwords, security experts recommend the use of password generators. However, automatically generated passwords often get rejected by services because they do not fulfill the services' password requirements. Users need to manually look up the password requirements for each individual service and configure the password generator accordingly. This inconvenience leads users to avoid password generators and stick to weak passwords instead. We present a solution that enables generators to automatically create passwords in accordance with services' password requirements. First, we introduce the Password Requirements Markup Language (PRML). It enables uniformly specified Password Requirements Descriptions (PRDs) for services. PRDs can be automatically processed by password generators and allow the generation of strong, valid passwords without user interaction. Second, we present a crawler for the automated extraction of password requirements from services' websites and the creation of the corresponding PRDs. This crawler allowed us to create PRDs of 72,124 services. Third, we describe a centralized and a decentralized approach for the provision of the PRDs to password generators. Finally, we present a password generator which uses PRDs and requires nothing but a service's URL in order to generate a strong and valid password for the service.
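The idea of a generator driven by a machine-readable requirements description can be sketched as follows. This is an added example, not code from the paper: the abstract does not show PRML's syntax, so the dictionary layout, its field names and the sample policy are assumptions constructed for illustration.

```python
import secrets
import string

# Constructed requirements description. Field names are assumptions made for
# this example; they are NOT the PRML schema, which the abstract does not show.
EXAMPLE_PRD = {
    "min_length": 8,
    "max_length": 16,
    "character_sets": {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "special": "!@#$%",
    },
    "min_occurrences": {"lower": 1, "upper": 1, "digit": 1, "special": 1},
}

def is_valid(password, prd):
    """Check a password against the description, as the service would."""
    sets = prd["character_sets"]
    allowed = set("".join(sets.values()))
    if not prd["min_length"] <= len(password) <= prd["max_length"]:
        return False
    if any(ch not in allowed for ch in password):
        return False
    return all(sum(ch in sets[name] for ch in password) >= count
               for name, count in prd["min_occurrences"].items())

def generate_password(prd):
    """Generate a password of the maximum permitted length that is valid."""
    sets = prd["character_sets"]
    alphabet = sorted(set("".join(sets.values())))  # de-duplicate overlaps
    length = prd["max_length"]
    required = sum(prd["min_occurrences"].values())
    if not alphabet or required > length or length < prd["min_length"]:
        raise ValueError("requirements cannot be satisfied")
    # Draw the mandatory characters from their own sets first...
    chars = [secrets.choice(sets[name])
             for name, count in prd["min_occurrences"].items()
             for _ in range(count)]
    # ...fill the rest from the full allowed alphabet...
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # ...and shuffle with a CSPRNG so mandatory characters are not positional.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```
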
