A probabilistic framework for improved password strength metrics
In spite of the growing adoption of two-factor authentication systems, sometimes combined with hardware tokens and biometrics, passwords remain by far the most widespread authentication method for both online systems and offline applications.
In most cases the password is chosen by the weakest link of the security chain, the user. For that reason, user passwords are audited and password policies are carefully designed, following existing password strength metrics, in an attempt to maximize the security of the passwords users choose.
The purpose of a password strength metric is to identify weak passwords from the estimated resistance of a given password to a password guessing attack. Typically, a set of expert rules is applied to the password to measure its complexity, under the assumption that a more complex password offers higher resistance to classical guessing attacks.
However, a new generation of password guessing attacks is emerging that exploits the laziness and predictability of human beings, and the influence of language on the selection of passwords.
In this paper we propose a new metric for the strength of passwords, based on a novel probabilistic framework for modelling user behaviour when choosing passwords. Our model undertakes the intrinsically difficult task of assigning a probability to a specific password. While most security experts would subjectively agree that an 8-character password such as "mypet007" is far more likely than "y/Tg#3@", it is very hard to quantify that difference objectively. It is harder still to objectively compare the strength of two passwords such as "mypet007" and "rachel33".
The probabilistic model we propose in the present paper is a Hidden Markov Model (HMM), which we have trained on a subset of a public password dataset. Once trained, the nature of the model allows us to compute the likelihood that a given password is generated by it, which in the context of a password guessing attack is the likelihood that an attacker driven by the same statistics will try that password. This probability is an excellent metric of password strength, with the direction reversed: the lower the probability of a password under the model, the higher its resistance to a guessing attack.
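As an added illustration of the kind of model the abstract describes (example code written for this page, not the authors' implementation, and not their dataset), the following Python trains a small four-state HMM on a constructed list of leaked-style passwords and scores candidate passwords with the forward algorithm. The simplification is labelled in the code: the hidden states are the character classes lowercase, uppercase, digit and symbol, so each training password's state path is observable and the parameters are obtained by counting with add-one smoothing, whereas the paper's HMM learns latent states. The strength metric is -log2 P(password), so a lower probability under the model gives more bits.

```python
import math
import string
from collections import Counter, defaultdict

# Hidden states are character classes, observations are the characters.
# (Simplification for this example: the paper's HMM uses latent states.)
STATES = ("L", "U", "D", "S")  # lowercase, uppercase, digit, symbol
START, END = "<s>", "</s>"
VOCAB = {  # emission alphabet per state, used only for add-alpha smoothing
    "L": string.ascii_lowercase,
    "U": string.ascii_uppercase,
    "D": string.digits,
    "S": string.punctuation,
}


def char_class(c):
    """Map a character to the state that emits it; anything else is a symbol."""
    if c.islower():
        return "L"
    if c.isupper():
        return "U"
    if c.isdigit():
        return "D"
    return "S"


class PasswordHMM:
    """Four-state HMM over password characters.

    Every character's class is known, so the state sequence of a training
    password is observable and the parameters come from counting (no
    Baum-Welch).  Scoring uses the generic forward algorithm, which would be
    unchanged if the states were latent instead.
    """

    def __init__(self, passwords, alpha=1.0):
        self.alpha = alpha
        self.trans = defaultdict(Counter)  # trans[prev][next] counts
        self.emit = defaultdict(Counter)   # emit[state][char] counts
        for pw in passwords:
            prev = START
            for c in pw:
                s = char_class(c)
                self.trans[prev][s] += 1
                self.emit[s][c] += 1
                prev = s
            self.trans[prev][END] += 1

    def trans_p(self, prev, nxt):
        """Smoothed P(next state | previous state); END counts as a target."""
        row = self.trans[prev]
        return (row[nxt] + self.alpha) / (sum(row.values()) + self.alpha * (len(STATES) + 1))

    def emit_p(self, state, c):
        """Smoothed P(character | state); a state only emits its own class."""
        if char_class(c) != state:
            return 0.0
        row = self.emit[state]
        # Characters outside VOCAB (e.g. non-ASCII) share the unseen-character mass.
        return (row[c] + self.alpha) / (sum(row.values()) + self.alpha * len(VOCAB[state]))

    def likelihood(self, pw):
        """P(pw | model) via the forward algorithm, summing over all state paths."""
        if not pw:
            return self.trans_p(START, END)
        fwd = {s: self.trans_p(START, s) * self.emit_p(s, pw[0]) for s in STATES}
        for c in pw[1:]:
            fwd = {s: self.emit_p(s, c) * sum(fwd[r] * self.trans_p(r, s) for r in STATES)
                   for s in STATES}
        return sum(fwd[s] * self.trans_p(s, END) for s in STATES)

    def strength_bits(self, pw):
        """-log2 P(pw): more bits means the model finds the password less likely."""
        return -math.log2(self.likelihood(pw))


# Constructed training sample (not a real leak) standing in for a password corpus.
TRAIN = [
    "mypet123", "rachel33", "password1", "letmein", "qwerty12", "dragon77",
    "summer2014", "john1985", "Princess1", "iloveyou", "mypetdog", "pet007",
    "monkey", "abc123", "Football2", "hello123", "secret99", "p@ssw0rd",
]
model = PasswordHMM(TRAIN)


def rank(passwords, hmm=model):
    """Weakest first: the order a guesser driven by this model would try them."""
    return sorted(passwords, key=hmm.strength_bits)


if __name__ == "__main__":
    for pw in rank(["mypet007", "rachel33", "y/Tg#3@", "password1"]):
        print(f"{pw:12s} {model.strength_bits(pw):6.1f} bits")
```

With this tiny constructed corpus "mypet007" scores roughly 20 bits weaker than "y/Tg#3@", because the lowercase-then-digits path and its common letters were all seen in training while the class transitions symbol-to-uppercase and digit-to-symbol never were. The probabilities are multiplied as plain floats, which is adequate for passwords of realistic length; a production scorer would work in the log domain.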
Authors: GALBALLY HERRERO Javier; COISEL Iwen; SANCHEZ MARTIN Jose Ignacio
Date: 2015-01-23
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
JRC number: JRC89778
ISBN: 978-1-4799-3530-7
URLs: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6986985, https://publications.jrc.ec.europa.eu/repository/handle/JRC89778
DOI: 10.1109/CCST.2014.6986985