An Explainable Online Password Strength Estimator

Liron David*, Avishai Wool

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

5 Scopus citations

Abstract

Human-chosen passwords are the dominant form of authentication. Password strength estimators help users avoid picking weak passwords by predicting how many attempts a password cracker would need before it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password’s rank in fractions of a second—without actually enumerating the passwords—so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 s, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

Original language: English
Title of host publication: Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings
Editors: Elisa Bertino, Haya Shulman, Michael Waidner
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 285-304
Number of pages: 20
ISBN (Print): 9783030884178
DOIs
State: Published - 2021
Event: 26th European Symposium on Research in Computer Security, ESORICS 2021 - Virtual, Online
Duration: 4 Oct 2021 – 8 Oct 2021

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 12972 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 26th European Symposium on Research in Computer Security, ESORICS 2021
City: Virtual, Online
Period: 4/10/21 – 8/10/21
