Author(s): Weining Yang, Ninghui Li, Ian Molloy, Youngja Park, Suresh Chari

Date: September 26 2016
Publication: ESORICS 2016, Lecture Notes in Computer Science Volume 9878
Page(s): 69 - 90
Publisher: Springer
Source 1: https://dx.doi.org/10.1007/978-3-319-45744-4_4 - Subscription or payment required

Abstract or Summary:
Password-based authentication is the most widely used authentication mechanism. One major weakness of password-based authentication is that users generally choose predictable and weak passwords. In this paper, we address the question: how best to check for weak passwords? We model different password strength checking methods as Password Ranking Algorithms (PRAs), and introduce two methods for comparing different PRAs: the β-Residual Strength Graph (β-RSG) and the Normalized β-Residual Strength Graph (β-NRSG). In our experiments, we find that some password datasets that have been widely used in password research contain many problematic passwords that are not naturally created. We develop techniques to cleanse password datasets by removing these problematic accounts. We then apply the two metrics to the cleansed datasets and show that several PRAs, including the dictionary-based PRA and the Markov models with and without backoff, have similar performance. If the size of a PRA is limited so that it can be transmitted over the Internet, a hybrid method combining a small dictionary of weak passwords and a size-limited Markov model with backoff can provide the most accurate strength measurement.
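The abstract names three of the PRAs it compares (a dictionary-based PRA, a character Markov model with and without backoff, and a hybrid of a small weak-password dictionary with a size-limited Markov model) without showing how they order passwords. The following toy implementation is an added illustration written for this page, not the authors' code: the training list, the weak-password dictionary, the model order, the add-one smoothing and the backoff rule are all assumptions chosen for the demo, and the β-RSG/β-NRSG comparison metrics defined in the paper are not reproduced here.

```python
"""Toy Password Ranking Algorithms (PRAs).

Added illustration for this page; not the paper's code. A PRA here is any
function that orders candidate passwords from weakest (most guessable) to
strongest. TRAIN, WEAK_DICT, the model order and the backoff/smoothing
rules are assumptions made for the demo, not values from the paper.
"""
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"  # sentinels: start-of-password / end-of-password

# Constructed stand-in for a leaked password corpus used for training.
TRAIN = ["password", "password1", "123456", "12345678", "qwerty", "letmein",
         "password123", "abc123", "iloveyou", "monkey", "dragon", "passw0rd"]

# Constructed small weak-password dictionary (cheap enough to ship to a client).
WEAK_DICT = ["123456", "password", "qwerty", "12345678", "letmein"]


class MarkovPRA:
    """Order-n character Markov model; score(pw) = -log2 P(pw) in bits.

    With backoff=True, an n-gram context never seen in training falls back
    to the (n-1)-gram context, down to the unigram distribution. Without
    backoff, an unseen context yields a uniform guess over the alphabet.
    """

    def __init__(self, order=2, backoff=True):
        self.order = order
        self.backoff = backoff
        # counts[k][context] -> Counter(next char), for context lengths 0..order
        self.counts = [defaultdict(Counter) for _ in range(order + 1)]
        self.alphabet = set()

    def train(self, passwords):
        for pw in passwords:
            seq = START * self.order + pw + END
            self.alphabet.update(pw)
            for i in range(self.order, len(seq)):
                for k in range(self.order + 1):
                    self.counts[k][seq[i - k:i]][seq[i]] += 1

    def _prob(self, ctx, ch):
        vocab = len(self.alphabet) + 1  # + END; used for add-one smoothing
        lengths = range(len(ctx), -1, -1) if self.backoff else (len(ctx),)
        for k in lengths:
            nxt = self.counts[k].get(ctx[len(ctx) - k:])
            if nxt:
                return (nxt[ch] + 1) / (sum(nxt.values()) + vocab)
        return 1 / vocab  # unseen context (only reachable without backoff)

    def score(self, pw):
        seq = START * self.order + pw + END
        bits = 0.0
        for i in range(self.order, len(seq)):
            bits -= math.log2(self._prob(seq[i - self.order:i], seq[i]))
        return bits


class DictionaryPRA:
    """Rank = position in a weak-password list; anything else is 'not weak'."""

    def __init__(self, words):
        self.rank_of = {w: i for i, w in enumerate(words)}

    def rank(self, pw):
        return self.rank_of.get(pw, len(self.rank_of))


class HybridPRA:
    """Small dictionary first, then Markov-with-backoff for everything else.

    Dictionary hits are ordered by dictionary position; all other passwords
    come after them, ordered by Markov score (fewer bits = weaker).
    """

    def __init__(self, dictionary, markov):
        self.dictionary = dictionary
        self.markov = markov

    def key(self, pw):
        r = self.dictionary.rank(pw)
        if r < len(self.dictionary.rank_of):
            return (0, r)
        return (1, self.markov.score(pw))

    def order(self, candidates):
        """Return candidates sorted weakest first."""
        return sorted(candidates, key=self.key)


def build_hybrid(train=TRAIN, weak=WEAK_DICT, order=2):
    markov = MarkovPRA(order=order, backoff=True)
    markov.train(train)
    return HybridPRA(DictionaryPRA(weak), markov)


if __name__ == "__main__":
    pra = build_hybrid()
    for pw in pra.order(["Zq&7Kx!", "passw0rd1", "password", "qwerty"]):
        print(f"{pw:12s} {pra.key(pw)}")
```

Running the demo orders the dictionary hits first (by dictionary position), then `passw0rd1` ahead of `Zq&7Kx!`: the former reuses bigrams seen in training, while the latter repeatedly backs off to the unigram distribution and pays roughly seven bits for each unseen character. The size trade-off the abstract mentions shows up directly in the structure: the dictionary costs one entry per weak password, whereas the Markov model's size grows with the number of distinct contexts, so a deployable client-side checker would cap the order or prune rare contexts.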