Statistical Metrics for Individual Password Strength

  • Conference paper
Security Protocols XX (Security Protocols 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7622))

Abstract

We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous “entropy-based” metrics for a large password dataset, which suggest over-fitting in previous metrics.
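The abstract contrasts rating a password from an observed sample distribution with earlier heuristics that score textual properties. The following is an added illustration written for this page, not code from the paper and not the metrics it proposes: it scores a password by its relative frequency in a sample (here a constructed 100-entry corpus), uses Good-Turing estimation (Gale & Sampson, 1995) to bound the strength of a password the sample has never seen, and places the NIST SP 800-63 (2006) Appendix A heuristic alongside for comparison. All function names and the corpus are assumptions of this example.

```python
"""Distribution-based password strength versus a textual heuristic.

Added illustration, not code from the paper: rates a password purely from
how often it appears in an observed sample, which is the abstract's idea of
measuring strength without assuming anything about password structure.
"""
import math
from collections import Counter

# Constructed toy corpus standing in for a large leaked-password sample
# (100 entries). Real samples have millions of entries; the shape is the point.
SAMPLE = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 12 + ["letmein"] * 8
    + ["iloveyou"] * 6 + ["dragon"] * 3 + ["Tr0ub4dor&3"]
    + ["correcthorse", "zaq12wsx", "Summer2011!", "monkey1", "ph34r"]
)


def empirical_strength_bits(password, sample):
    """-log2 of the password's relative frequency in the sample.

    A frequently chosen password scores few bits no matter how 'complex'
    it looks. Returns None when the password was never observed, since the
    sample alone assigns it no probability.
    """
    counts = Counter(sample)
    c = counts.get(password, 0)
    if c == 0:
        return None
    return -math.log2(c / len(sample))


def good_turing_unseen_floor_bits(sample):
    """Lower bound on the strength of any password NOT in the sample.

    Good-Turing estimation (Gale & Sampson, 1995) puts the total probability
    mass of unseen items at N1 / N, where N1 is the number of passwords seen
    exactly once. No single unseen password can be more likely than that
    total, so -log2(N1 / N) is a floor on its strength in bits.
    """
    counts = Counter(sample)
    n1 = sum(1 for c in counts.values() if c == 1)
    return -math.log2(n1 / len(sample))


def nist_800_63_bits(password, composition_rule=False, dictionary_check=False):
    """The NIST SP 800-63 (2006) Appendix A heuristic for user-chosen passwords.

    4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits
    each for characters 9-20, 1 bit each beyond 20; plus 6 bits if a
    composition rule (upper case and non-alphabetic required) is enforced and
    up to 6 bits for an extensive dictionary check. It looks only at the text.
    """
    n = len(password)
    bits = 4.0 if n >= 1 else 0.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    if composition_rule:
        bits += 6
    if dictionary_check:
        bits += 6
    return bits


def rate(password, sample):
    """Both views side by side; unseen passwords get the Good-Turing floor."""
    seen = empirical_strength_bits(password, sample)
    return {
        "password": password,
        "seen_in_sample": seen is not None,
        "nist_bits": nist_800_63_bits(password),
        "empirical_bits": seen if seen is not None else good_turing_unseen_floor_bits(sample),
    }


if __name__ == "__main__":
    for pw in ["123456", "iloveyou", "dragon", "Tr0ub4dor&3", "not-in-sample"]:
        r = rate(pw, SAMPLE)
        tag = "" if r["seen_in_sample"] else " (floor)"
        print(f"{r['password']:>14}  NIST {r['nist_bits']:5.1f} bits   "
              f"sample {r['empirical_bits']:5.2f} bits{tag}")
```

In this constructed corpus the textual heuristic rates the eight-character "iloveyou" above the six-character "dragon", while the sample shows "iloveyou" is chosen twice as often and so is the weaker of the two. That reversal is the kind of disagreement the abstract describes between distribution-based metrics and metrics that score only the text, and it is what a password meter backed by real leak data would expose.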

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

Bonneau, J. (2012). Statistical Metrics for Individual Password Strength. In: Christianson, B., Malcolm, J., Stajano, F., Anderson, J. (eds) Security Protocols XX. Security Protocols 2012. Lecture Notes in Computer Science, vol 7622. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35694-0_10

  • DOI: https://doi.org/10.1007/978-3-642-35694-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35693-3

  • Online ISBN: 978-3-642-35694-0

  • eBook Packages: Computer Science, Computer Science (R0)