Title: A probabilistic framework for improved password strength metrics
Citation: Proceedings 2014 International Carnahan Conference on Security Technology (ICCST) p. 112-117
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Publication Year: 2014
JRC N°: JRC89778
ISBN: 978-1-4799-3530-7
URI: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6986985
DOI: 10.1109/CCST.2014.6986985
Type: Articles in periodicals and books
Abstract: In spite of the growing adoption of two-factor authentication systems, sometimes combined with hardware tokens and biometrics, the password is still by far the most widespread authentication method for both on-line systems and off-line applications. In most cases the password is chosen by the weakest link of the security chain, the user. For that reason, user passwords are audited and password policies are carefully created, in an attempt to maximize the security of the passwords chosen by users according to existing password strength metrics. The purpose of a password metric is the identification of weak passwords based on the estimated resistance of a given password to a password guessing attack. Typically, a set of expert rules is applied to the password in order to measure its complexity, under the assumption that a more complex password will offer higher resistance against classical password guessing attacks. However, a new generation of password guessing attacks is emerging, taking advantage of the laziness and predictability of human beings and of the influence of language on the selection of passwords. In this paper we propose a new metric for the calculation of password strength, based on a novel probabilistic framework for modelling user behaviour in choosing passwords. Our model undertakes the intrinsically difficult task of assigning a probability to a specific password. Whilst, from a subjective point of view, most security experts would agree that an 8-character password such as "mypet007" is much more likely than "y/Tg#3@", it is very complicated to objectively quantify such a difference. Furthermore, it would be much more difficult to objectively quantify the relative strength of two passwords such as "mypet007" and "rachel33". The probabilistic model we propose in the present paper is based on a Hidden Markov Model (HMM) that we have trained using a subset of a public password dataset. Once trained, the nature of our model allows us to compute the likelihood that a certain password is generated by it, in the context of a password guessing attack. Such a probability becomes an excellent metric of the strength of the password, since it is directly related to its resistance to a password guessing attack.
JRC Directorate: Space, Security and Migration
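The idea sketched in the abstract, as an added illustration that is not the paper's own code: a generative model trained on a password corpus assigns every candidate a probability, and the negative log-probability (in bits) serves as the strength metric. The paper uses an HMM; this example substitutes a simpler first-order character Markov chain with add-one smoothing, and the training corpus is a small constructed stand-in for the public password dataset.

```python
import math
import string
from collections import Counter, defaultdict

START, END = "^", "$"
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy corpus standing in for the public password dataset.
TRAIN = ["mypet001", "mypet123", "rachel12", "rachel99", "password",
         "letmein1", "michael1", "jessica7", "mypassword", "rachel2000"]


class CharMarkovModel:
    """First-order character Markov chain (visible-state stand-in for the
    paper's HMM). P(pw) is the product of P(next | previous) transitions,
    including a start symbol and an explicit end-of-password symbol."""

    def __init__(self, alphabet):
        self.symbols = set(alphabet) | {END}
        self.counts = defaultdict(Counter)   # counts[prev][next]

    def fit(self, passwords):
        for pw in passwords:
            prev = START
            for ch in pw + END:
                self.counts[prev][ch] += 1
                prev = ch
        return self

    def log_prob(self, pw):
        """Natural-log probability with add-one (Laplace) smoothing, so an
        unseen transition still gets a small non-zero probability."""
        lp, prev, v = 0.0, START, len(self.symbols)
        for ch in pw + END:
            row = self.counts[prev]
            lp += math.log((row[ch] + 1) / (sum(row.values()) + v))
            prev = ch
        return lp

    def strength_bits(self, pw):
        """Strength metric: -log2 P(pw). Fewer bits = more guessable."""
        return -self.log_prob(pw) / math.log(2)


def rank_weakest_first(model, candidates):
    """Order candidate passwords from most to least likely under the model."""
    return sorted(candidates, key=model.strength_bits)


MODEL = CharMarkovModel(ALPHABET).fit(TRAIN)
```

With the toy corpus, the human-looking "mypet007" and "rachel33" both score well under 50 bits while "y/Tg#3@" scores above 50, reproducing the ordering the abstract describes; a real audit would train on a large leaked-password corpus and use the paper's HMM.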
