PESrank: An Explainable online password strength estimator

Liron David*, Avishai Wool

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

Human-chosen passwords are the dominant form of authentication. Password strength estimators help users avoid picking weak passwords by predicting how many attempts a password cracker would need before it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password's rank in fractions of a second, without actually enumerating the passwords, so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

Original language: English
Pages (from-to): 877-901
Number of pages: 25
Journal: Journal of Computer Security
Volume: 30
Issue number: 6
DOIs
State: Published - 4 Jul 2022

Keywords

  • Password strength estimator
  • rank estimation
  • side-channel attack
