A Canonical Password Strength Measure
Author
Abstract
We notice that the “password security” discourse is missing a fundamental notion of “password strength”. We propose a canonical measure of a password’s strength. We give a formal definition of the “guessing attack” and the “attacker’s strategy”. The measure is based on an assessment of the efficiency of the best possible guessing attack. Unlike naive password strength assessments, our measure takes into account the attacker’s strategy. We argue strongly against widespread informal assumptions about “strong” and “weak” passwords, and advise adopting formal metrics such as the proposed one. This paper does NOT advise you to include “at least three capital letters”, seven underscores, and a number thirteen in your password.
Similar resources
Adaptive Password-Strength Meters from Markov Models
Measuring the strength of passwords is crucial to ensure the security of password-based authentication. However, current methods to measure password strength have limited accuracy, first, because they use rules that are too simple to capture the complexity of passwords, and second, because password frequencies widely differ from one application to another. In this paper, we present the concept ...
Password Strength Meters using Social Influence
Millions of people now use a password strength meter when they start to sign up for a service. The impact of password strength meters has been evaluated in several aspects. However, it is believed that there are still ways to design more effective password strength meters. Recently, Das et al. showed that social influence or social proof is effective for the adoption of security features [1, 2, 3]. It seems that...
A Large-Scale Evaluation of High-Impact Password Strength Meters
Passwords are ubiquitous in our daily digital lives. They protect various types of assets ranging from a simple account on an online newspaper website to our health information on government websites. However, due to the inherent value they protect, attackers have developed insights into cracking/guessing passwords both offline and online. In many cases, users are forced to choose stronger pass...
How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
To help users create stronger text-based passwords, many web sites have deployed password meters that provide visual feedback on password strength. Although these meters are in wide use, their effects on the security and usability of passwords have not been well studied. We present a 2,931-subject study of password creation in the presence of 14 password meters. We found that meters with a vari...
Measuring Real-World Accuracies and Biases in Modeling Password Guessability
Parameterized password guessability—how many guesses a particular cracking algorithm with particular training data would take to guess a password—has become a common metric of password security. Unlike statistical metrics, it aims to model real-world attackers and to provide per-password strength estimates. We investigate how cracking approaches often used by researchers compare to real-world c...