Markov Model for Password Attack Prevention

  • Umesh Bodkhe
  • Jay Chaklasiya
  • Pooja Shah
  • Sudeep Tanwar
  • Maanuj Vora
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 121)


With the rapid increase in multi-user systems, password strength plays a crucial role in password-based authentication. Password strength meters help users select secure passwords, but existing meters do not provide a level of security high enough to ensure that users select strong passwords. Rule-based methods for measuring password strength fall short in accuracy, and password frequencies differ among platforms. Markov model-based strength meters improve the strength of passwords more accurately than the existing state-of-the-art methods. This paper describes how to proactively evaluate passwords with a strength meter by using Markov models. A mathematical proof of the prevention of guessable password attacks is presented. The proposed method significantly improves the accuracy of current password protection methods with a simpler, faster, and more secure implementation.
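As an added illustration of the kind of meter the abstract describes (not the paper's own method or code): a first-order character Markov model trained on a small constructed password list scores a candidate by -log2 of its probability and rejects it below a threshold. The corpus, the smoothing constant, the alphabet size, and the 40-bit threshold are assumptions chosen for this example.

```python
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"   # sentinel symbols marking password boundaries

# Constructed training corpus standing in for a leaked-password list (assumption).
CORPUS = ["password", "password1", "123456", "12345678", "qwerty",
          "letmein", "iloveyou", "admin123", "welcome1", "passw0rd"]


class MarkovMeter:
    """First-order (bigram) character model with additive smoothing."""

    def __init__(self, passwords, alphabet_size=96, alpha=0.01):
        self.alpha = alpha              # smoothing mass given to unseen transitions
        self.v = alphabet_size          # 95 printable ASCII characters + END
        self.counts = defaultdict(Counter)
        for pw in passwords:
            seq = START + pw + END
            for prev, cur in zip(seq, seq[1:]):
                self.counts[prev][cur] += 1

    def transition_prob(self, prev, cur):
        """Smoothed P(cur | prev); never zero, so unseen passwords stay scorable."""
        row = self.counts.get(prev, Counter())
        total = sum(row.values())
        return (row[cur] + self.alpha) / (total + self.alpha * self.v)

    def strength_bits(self, pw):
        """-log2 P(pw): higher means less probable under the model."""
        seq = START + pw + END
        return -sum(math.log2(self.transition_prob(p, c))
                    for p, c in zip(seq, seq[1:]))

    def accept(self, pw, min_bits=40.0):
        """Proactive check: reject candidates the model finds too probable."""
        return self.strength_bits(pw) >= min_bits


METER = MarkovMeter(CORPUS)

if __name__ == "__main__":
    for candidate in ["password", "passw0rd1", "Tr7#vK!q9zLm"]:
        print(f"{candidate!r}: {METER.strength_bits(candidate):.1f} bits, "
              f"accept={METER.accept(candidate)}")
```

Note that "passw0rd1" is not in the training list yet still scores low, because every transition in it resembles the corpus; a rule-based meter that counts character classes would rate it higher.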


Proactive Markov models Accuracy Password-based authentication 



Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Umesh Bodkhe (1)
  • Jay Chaklasiya (1)
  • Pooja Shah (1)
  • Sudeep Tanwar (1)
  • Maanuj Vora (2)
  1. Department of Computer Science and Engineering, Institute of Technology, Nirma University, Gujrat, India
  2. SaralSoft LLC, Pleasanton, USA
