Password Strength Meters Research Articles

A statistical Markov-based password strength meter

Although multi-factor authentication is gaining popularity, password-based authentication remains the most commonly employed method for both online login and data encryption. To help users choose secure passwords, password strength meters (PSMs) are a well-known and important tool. However, many PSMs still use simple rule sets or rely on heuristic results. With the continuous development of password-cracking methods, it is difficult for such PSMs to provide accurate assessment results. In this paper, we present a new PSM based on statistical results from a huge number of leaked passwords. The proposed method has a very simple structure, requires only a small amount of storage space, and succeeds in providing reliable feedback in real time. We also confirm the influence of linguistic features on user-created passwords and, therefore, recommend evaluating passwords based on the users’ language.

A Study on Markov-Based Password Strength Meters

A Study on Markov-Based Password Strength Meters

Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments

In this research, we study an effective method to encourage users to generate stronger passwords. Specifically, we propose a novel design of password strength meters that incorporates contextual information to help users digest the message generated by the password strength meter. We evaluate our design by leveraging three independent and complementary methods: a survey-based experiment using students to evaluate the saliency of our conceptual design (proof of concept), a controlled laboratory experiment conducted on Amazon Mechanical Turk to test the effectiveness of the proposed design (proof of value), and a randomized field experiment conducted in collaboration with an online forum in Asia to establish proof of use. In each study, we observe that users exposed to the proposed password strength meter are more likely to change their passwords, leading to a new password that is significantly stronger. Our findings suggest that the proposed design of augmented password strength meters is an effective method for promoting secure password behavior among end users. Our design also requires minimal computational resources and technical capabilities.

RLS-PSM: A Robust and Accurate Password Strength Meter Based on Reuse, Leet and Separation

Password strength meters (PSMs) are being widely used, but they often give conflicting, inaccurate and misleading feedback, which defeats their purpose. Except for fuzzyPSM, all PSMs assume passwords are newly constructed, which is not true in reality. FuzzyPSM considers password reuse, six major leet transformations and initial capitalization, and performs the best as evaluated by Golla and Durmuth at ACM CCS’18. On the basis of fuzzyPSM, we propose a new PSM based on R euse, L eet and S eparation, namely RLS-PSM. First, we classify password reuse behaviors into capitalization and those that use special characters for leet or separation, and calculate the corresponding probabilities. Then, to balance efficiency and precision, we use Long Short-Term Memory to calculate the probabilities of alphanumeric strings. Besides, we propose to use benchmark passwords to show the relative strength of a password. Due to the varied impacts of different service types and diversified economic value of websites, we consider parameter settings of RLS-PSM under six different service types. Finally, we use the Monte Carlo method and weighted Spearman coefficient to measure and compare the robustness and accuracy of RLS-PSM, leading PSMs (including Markov-based PSM, PCFG-based PSM, fuzzyPSM, RNN, and Zxcvbn), and password cracking tools (including JtR and Hashcat). We find that the robustness of RLS-PSM is significantly higher than all counterparts when evaluating attempts > 104 (e.g., on average, Fraction of Successfully Evaluated passwords of RLS-PSM is 18.9% higher than fuzzyPSM). The accuracy of RLS-PSM is also better than other mainstream PSMs used for comparison in this paper, except for fuzzyPSM.

Group Password Strength Meter Based on Attention Mechanism

User authentication is an important means to ensure the security of users' cyber accounts. Although there are various authentication means such as irises and fingerprints, passwords are still the main authentication method for the foreseeable future due to their low cost and easy implementation. Password strength evaluation is to measure the security strength of passwords, which has been widely studied. However, we found that the current password strength evaluation methods ignore the characteristics from password creators and do not consider the impact of regional groups on password generation. In this paper, we propose the concept of group passwords to analyze the password characteristics of different groups. Based on this notion, a group-based password strength evaluation method is proposed. In addition, we analyze the vulnerabilities of largescale real-world password groups leaked in previous security incidents. The analysis results show that different password groups have different characteristics. Then, we use the attention mechanism (AM) in the neural network model to learn the dependence between group characteristics and password context features. A long short-term memory (LSTM) model with natural advantages in processing timing features is used to process the password to achieve a more accurate password strength evaluation. We demonstrate the effectiveness of groupbased password evaluation using the real-world password data sets.

Using Gamification and Fear Appeal Instead of Password Strength Meters to Increase Password Entropy

Abstract It is very common for users to create weak passwords. Currently, the majority of websites deploy password strength meters to provide timely feedback. These meters are in wide use and their effects on the security of passwords have been relatively well studied. In this paper another type of feedback is studied: a gamified approach supported by fear appeal. In this approach, users are encouraged to make passwords stronger through the use of visual and textual stories. This approach is supported by data-driven suggestions about how to improve password security as well as by fear appeal. To prove the effectiveness of this gamified password creation process, an experiment was performed in which users changed their passwords in two ways: without any feed-back, and with gamified feedback with fear appeal. To support the initial findings a questionnaire was completed by participants at the end of research.

An Explainable Password Strength Meter Addon via Textual Pattern Recognition

Textual passwords are still dominating the authentication of remote file sharing and website logins, although researchers recently showed several vulnerabilities about this authentication mechanism. When a user creates or changes a password, a website usually leverages a password strength meter (PSM for short) to show the strength of the password. When the password is evaluated as a weak one, the user may replace the password with a stronger or securer one. However, the user is usually confused when the password, especially a frequently used password, is shown as a weak one. We argue that an explainable password strength meter addon, which could show the reasons of weak, may help users to more effectively create a secure password. Unfortunately, we find few sites in Alexa global top 100 showing these details. Motivated to help users with an explainable PSM, this paper proposes an addon to PSMs providing feedbacks in the form of pattern passwords explaining why a password is weak. This PSM addon can detect twelve types of patterns, which cover a very large proportion among 70 million of leaked real passwords from high-profile websites. According to our evaluation and user study, our PSM addon, which leverages textual pattern passwords, can effectively detect these popular patterns and effectively help users create securer passwords.

SPSR-FSPG: A Fast Simulative Password Set Generation Algorithm

Identity authentication is a main line of defense for network security, and passwords have long been the mainstream of identity authentication. In the field of password security research, large-scale password datasets have played an important role in the efficiency evaluation of password attack algorithms, the feasibility detection of password strength meters, and the correction of password probability models. However, due to user privacy, timeliness, effectiveness and other factors, it is still very difficult for researchers to obtain real large-scale user plaintext passwords. Based on this, this paper proposes a fast simulative password set generation algorithm based on structure partitioning and string recombination, denoted as SPSR-FSPG. The algorithm uses the probability context-free grammar to model the structure of the password, and constructs a string generation model based on the recurrent neural network to generate different types of strings, so as to learn the character composition of the password in the original dataset. In addition, the model fully considers the user's password reuse and modification behavior. Finally, the method is verified by experiment on six real Chinese and English password sets. The results show that the generation rate of SPSR-FSPG is faster than other algorithms. In terms of true password coverage, the SPSR-FPSG simulative password set is increased by 11.36% and 17.5, respectively, relative to SPPG and PCFG, and is increased by about 122.73% and 130.3%, respectively, compared to OMEN and 4-Markov. And the fit of the Zipf distribution is maintained at a level above 0.95, it is better than 0.9 of SPPG. At the same time, the SPPR-FPSG simulative password set is closer to the real password set in terms of length and character composition.

An Alternative Method for Understanding User-Chosen Passwords

We present in this paper an alternative method for understanding user-chosen passwords. In password research, much attention has been given to increasing the security and usability of individual passwords for common users. Few of them focus on the relationships between passwords; therefore we explore the relationships between passwords: modification-based, similarity-based, and probability-based. By regarding passwords as vertices, we shed light on how to transform a dataset of passwords into a password graph. Subsequently, we introduce some novel notions from graph theory and report on a number of inner properties of passwords from the perspective of graph. With the assistance of Python Graph-tool, we are able to visualize our password graph to deliver an intuitive grasp of user-chosen passwords. Five real-world password datasets are used in our experiments to fulfill our thorough experiments. We discover that (1) some passwords in a dataset are tightly connected with each other; (2) they have the tendency to gather together as a cluster like they are in a social network; (3) password graph has logarithmic distribution for its degrees. Top clusters in password graph could be exploited to obtain the effective mangling rules for cracking passwords. Also, password graph can be utilized for a new kind of password strength meter.

Zero-Sum Password Cracking Game: A Large-Scale Empirical Study on the Crackability, Correlation, and Security of Passwords

In this paper, we conduct a large-scale study on the crackability, correlation, and security of ${\sim}145$ million real world passwords, which were leaked from several popular Internet services and applications. To the best of our knowledge, this is the largest empirical study that has been conducted. Specifically, we first evaluate the crackability of ${\sim}145$ million real world passwords against 6+ state-of-the-art password cracking algorithms in multiple scenarios. Second, we examine the effectiveness and soundness of popular commercial password strength meters (e.g., Google, QQ) and the security impacts of username/email leakage on passwords. Finally, we discuss the implications of our results, analysis, and findings, which are expected to help both password users and system administrators to gain a deeper understanding of the vulnerability of real passwords against state-of-the-art password cracking algorithms, as well as to shed light on future password security research topics.

Using Context-Based Password Strength Meter to Nudge Users' Password Generating Behavior: A Randomized Experiment

Encouraging users to create stronger passwords has always been one of the key issues in password-based authentication. It is particularly important as passwords are still the most common user authentication method. Furthermore, prior works have highlighted that most passwords are significantly weak. In this paper, we seek to mitigate such an issue by proposing a context-based password strength meter and investigating its effectiveness on users' password generating behavior. We conduct a randomized experiment on Amazon MTurk involving hypothetical account creating scenarios. We observe the change in users' behavior in terms of the number of occasions where users change their password after seeing the warning message, the number of occasions where users want to learn more about creating stronger passwords, and the changes in password strength. We find that our proposed password strength meter is significantly effective. Users exposed to our password strength meter are more likely to change their password, and those new passwords are stronger. Furthermore, if the information is readily available, users are willing to invest their time to learn about creating a stronger password, even in a traditional password strength meter setting. Our findings suggest that simply incorporating a contextual information to password strength meters could be one of potential methods in promoting secure behaviors among end users.

A model counter for constraints over unbounded strings

Model counting is the problem of determining the number of solutions that satisfy a given set of constraints. Model counting has numerous applications in the quantitative analyses of program execution time, information flow, combinatorial circuit designs as well as probabilistic reasoning. We present a new approach to model counting for structured data types, specifically strings in this work. The key ingredient is a new technique that leverages generating functions as a basic primitive for combinatorial counting. Our tool SMC which embodies this approach can model count for constraints specified in an expressive string language efficiently and precisely, thereby outperforming previous finite-size analysis tools. SMC is expressive enough to model constraints arising in real-world JavaScript applications and UNIX C utilities. We demonstrate the practical feasibility of performing quantitative analyses arising in security applications, such as determining the comparative strengths of password strength meters and determining the information leakage via side channels.