
Password Strength Estimators Trained on the Leaked Password Lists

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1116))

Abstract

Passwords are, and for the foreseeable future will remain, the main authentication mechanism across online applications. Estimating the strength of a chosen password gives the user valuable insight into how weak or strong that password actually is. Current password strength estimators, when rating a password, often fail to account for the plethora of leaked password lists at an attacker's disposal. This research investigates the effect of training a password strength estimator on a leaked list of 14.3 million passwords that is in common use in the password cracking world, and observes the effect this has on the estimate of a password's strength. By modifying the trained dictionary lists that the zxcvbn classifier is fed, an estimate that accounts for the leaked list was achieved. Our empirical results show that there is a clear need to include leaked passwords in the password strength estimation process, and that the estimator's accuracy should not be sacrificed in order to provide a faster service.
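The approach the abstract describes, adding a leaked list to the ranked dictionaries that zxcvbn consults, as an added example that is neither the paper's code nor the zxcvbn library itself: a simplified Python reimplementation of zxcvbn's dictionary scoring (a word's rank multiplied by its capitalisation and l33t variation counts, the minimum taken across every dictionary, with a charset brute-force floor), fed a constructed "built-in" list and a constructed "leaked" list. The two word lists, the sample passwords and every function name are assumptions for illustration, and only whole-password matches are tried where zxcvbn also matches and combines substrings; a real run would load the 14.3 million-entry list one password per line, most frequent first, and pass it in as another ranked dictionary.

```python
"""Re-ranking a zxcvbn-style dictionary estimator with a leaked password list.

Simplified reimplementation of zxcvbn's dictionary scoring (rank x case/l33t
variation multipliers, minimum across dictionaries, brute-force floor) so the
effect of adding a leaked list can be observed offline. All word lists below are
constructed stand-ins, not real leak data.
"""
import math
import re
from typing import Dict, Iterable, List, Optional

# Subset of zxcvbn's l33t table: obfuscation character -> plain letter it stands for.
L33T_TABLE = {"@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g", "1": "i",
              "!": "i", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z"}


def build_ranked(words: Iterable[str]) -> Dict[str, int]:
    """Turn a most-frequent-first list into {word: rank}; rank 1 is the most common."""
    ranked: Dict[str, int] = {}
    for rank, word in enumerate(words, start=1):
        ranked.setdefault(word.lower(), rank)  # first (best) occurrence wins
    return ranked


def uppercase_variations(token: str) -> int:
    """Capitalisation multiplier as in zxcvbn: 1 for all-lower, 2 for the common
    patterns (first upper, last upper, all upper), otherwise the sum of C(U+L, i)."""
    if token.lower() == token:
        return 1
    common = (r"^[A-Z][^A-Z]+$", r"^[^A-Z]+[A-Z]$", r"^[^a-z]+$")
    if any(re.match(p, token) for p in common):
        return 2
    upper = sum(c.isupper() for c in token)
    lower = sum(c.islower() for c in token)
    return sum(math.comb(upper + lower, i) for i in range(1, min(upper, lower) + 1))


def l33t_variations(lower_token: str, subs: Dict[str, str]) -> int:
    """Substitution multiplier as in zxcvbn: for each (subbed, plain) pair, count
    how many mixes of the two characters an attacker would have to try."""
    variations = 1
    for subbed, plain in subs.items():
        s_count = lower_token.count(subbed)
        u_count = lower_token.count(plain)
        if s_count == 0 or u_count == 0:
            variations *= 2
        else:
            variations *= sum(math.comb(s_count + u_count, i)
                              for i in range(1, min(s_count, u_count) + 1))
    return variations


def dictionary_guesses(password: str, ranked: Dict[str, int]) -> Optional[int]:
    """Guesses if the whole password is a case/l33t variant of a ranked word, else None.
    Simplification: whole-password matches only, with a single greedy un-l33t pass."""
    lower = password.lower()
    if lower in ranked:
        return ranked[lower] * uppercase_variations(password)
    unl33t = "".join(L33T_TABLE.get(c, c) for c in lower)
    if unl33t != lower and unl33t in ranked:
        subs = {c: L33T_TABLE[c] for c in set(lower) if c in L33T_TABLE}
        return ranked[unl33t] * uppercase_variations(password) * l33t_variations(lower, subs)
    return None


def bruteforce_guesses(password: str) -> int:
    """Charset-cardinality brute-force floor (26 lower, 26 upper, 10 digits, 33 symbols)."""
    card = 0
    if any(c.islower() for c in password):
        card += 26
    if any(c.isupper() for c in password):
        card += 26
    if any(c.isdigit() for c in password):
        card += 10
    if any(not c.isalnum() for c in password):
        card += 33
    return card ** len(password)


def estimate_guesses(password: str, dictionaries: List[Dict[str, int]]) -> int:
    """Lowest guess count across brute force and every ranked dictionary supplied."""
    guesses = bruteforce_guesses(password)
    for ranked in dictionaries:
        g = dictionary_guesses(password, ranked)
        if g is not None:
            guesses = min(guesses, g)
    return guesses


def strength_score(guesses: int) -> int:
    """zxcvbn's 0..4 bucket: thresholds 10^3, 10^6, 10^9, 10^12, each plus a delta of 5."""
    for score, limit in enumerate((1e3, 1e6, 1e9, 1e12)):
        if guesses < limit + 5:
            return score
    return 4


# Constructed stand-ins (not real data): a tiny "built-in" list and a tiny "leaked" list.
BASE_DICT = build_ranked(["password", "123456", "qwerty", "letmein", "dragon",
                          "monkey", "football", "iloveyou", "sunshine", "princess"])
LEAKED_DICT = build_ranked(["123456", "password", "p@ssw0rd", "summer2019",
                            "welcome1", "abc123"])

if __name__ == "__main__":
    for pw in ("Summer2019", "P@ssw0rd", "Tr0ub4dor&3"):
        before = estimate_guesses(pw, [BASE_DICT])
        after = estimate_guesses(pw, [BASE_DICT, LEAKED_DICT])
        print(f"{pw:12} built-in only: log10 guesses {math.log10(before):5.1f}"
              f" score {strength_score(before)} | with leaked list:"
              f" log10 guesses {math.log10(after):5.1f} score {strength_score(after)}")
```

With only the built-in list, Summer2019 falls through to the brute-force floor and scores 4; once the leaked list ranks it, the estimate collapses to a handful of guesses and scores 0. That gap is the abstract's point: an estimator that omits leaked lists over-rates exactly the passwords an attacker already holds, and the cost of consulting the larger list is not a reason to skip it.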




Corresponding author

Correspondence to Lei Pan .


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Schafer, C.R., Pan, L. (2019). Password Strength Estimators Trained on the Leaked Password Lists. In: Shankar Sriram, V., Subramaniyaswamy, V., Sasikaladevi, N., Zhang, L., Batten, L., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2019. Communications in Computer and Information Science, vol 1116. Springer, Singapore. https://doi.org/10.1007/978-981-15-0871-4_17

Download citation

  • DOI: https://doi.org/10.1007/978-981-15-0871-4_17


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-0870-7

  • Online ISBN: 978-981-15-0871-4
