TY - JOUR
T1 - PESrank
T2 - An Explainable online password strength estimator
AU - David, Liron
AU - Wool, Avishai
N1 - Publisher Copyright:
© 2022 - IOS Press. All rights reserved.
PY - 2022/7/4
Y1 - 2022/7/4
N2 - Human-chosen passwords are the dominant form of authentication. Password strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password's rank in fractions of a second - without actually enumerating the passwords - so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.
KW - Password strength estimator
KW - rank estimation
KW - side-channel attack
UR - http://www.scopus.com/inward/record.url?scp=85145648497&partnerID=8YFLogxK
U2 - 10.3233/JCS-210166
DO - 10.3233/JCS-210166
M3 - Article
AN - SCOPUS:85145648497
SN - 0926-227X
VL - 30
SP - 877
EP - 901
JO - Journal of Computer Security
JF - Journal of Computer Security
IS - 6
ER -