Statistical metrics for individual password strength

Authors:
Joseph Bonneau
Affiliations:
University of Cambridge, UK
Venue:
SP'12 Proceedings of the 20th international conference on Security Protocols
Year:
2012

Citing 9
Cited 3

Fast dictionary attacks on passwords using time-space tradeoff

Proceedings of the 12th ACM conference on Computer and communications security
Personal choice and challenge questions: a security and usability assessment

Proceedings of the 5th Symposium on Usable Privacy and Security
Password Cracking Using Probabilistic Context-Free Grammars

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Power-Law Distributions in Empirical Data

SIAM Review
Password strength: an empirical analysis

INFOCOM'10 Proceedings of the 29th conference on Information communications
Encountering stronger password requirements: user attitudes and behaviors

Proceedings of the Sixth Symposium on Usable Privacy and Security
Testing metrics for password creation policies by attacking large sets of revealed passwords

Proceedings of the 17th ACM conference on Computer and communications security
Of passwords and people: measuring the effect of password-composition policies

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy

Measuring password guessability for an entire university

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
SAuth: protecting user accounts from password database leaks

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Revisiting graphical passwords for augmenting, not replacing, text passwords

Proceedings of the 29th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous "entropy-based" metrics for a large password dataset, which suggest over-fitting in previous metrics.