Monte Carlo Strength Evaluation: Fast and Reliable Password Checking
Date: October 2015
Publication: Proceedings of the 22nd ACM SIGSAC Conference on Computer & Communications Security, CCS '15
Page(s): 158 - 169
Source 1: http://www.eurecom.fr/en/publication/4711/download/rs-publi-4711.pdf
Source 2: http://dx.doi.org/10.1145/2810103.2813631 - Subscription or payment required
Abstract or Summary:
Modern password guessing attacks adopt sophisticated probabilistic techniques that allow for orders of magnitude less guesses to succeed compared to brute force. Unfortunately, best practices and password strength evaluators failed to keep up: they are generally based on heuristic rules designed to defend against obsolete brute force attacks. Many passwords can only be guessed with significant effort, and motivated attackers may be willing to invest resources to obtain valuable passwords. However, it is eminently impractical for the defender to simulate expensive attacks against each user to accurately characterize their password strength. This paper proposes a novel method to estimate the number of guesses needed to find a password using modern attacks. The proposed method requires little resources, applies to a wide set of probabilistic models, and is characterised by highly desirable convergence properties.
The experiments demonstrate the scalability and generality of the proposal. In particular, the experimental analysis reports evaluations on a wide range of password strengths, and of state-of-the-art attacks on very large datasets, including attacks that would have been prohibitively expensive to handle with existing simulation-based approaches.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.