An Explainable Online Password Strength Estimator

Liron David; Avishai Wool

doi:10.1007/978-3-030-88418-5_14

An Explainable Online Password Strength Estimator

Liron David, Avishai Wool

School of Electrical Engineering

Tel Aviv University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Human-chosen passwords are the dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password’s rank in fractions of a second—without actually enumerating the passwords—so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 s, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

Original language	English
Title of host publication	Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings
Editors	Elisa Bertino, Haya Shulman, Michael Waidner
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	285-304
Number of pages	20
ISBN (Print)	9783030884178
DOIs	https://doi.org/10.1007/978-3-030-88418-5_14
State	Published - 2021
Event	26th European Symposium on Research in Computer Security, ESORICS 2021 - Virtual, Online Duration: 4 Oct 2021 → 8 Oct 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12972 LNCS

Conference

Conference	26th European Symposium on Research in Computer Security, ESORICS 2021
City	Virtual, Online
Period	4/10/21 → 8/10/21

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-88418-5_14

Cite this

David, L., & Wool, A. (2021). An Explainable Online Password Strength Estimator. In E. Bertino, H. Shulman, & M. Waidner (Eds.), Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings (pp. 285-304). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12972 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-88418-5_14

David, Liron ; Wool, Avishai. / An Explainable Online Password Strength Estimator. Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings. editor / Elisa Bertino ; Haya Shulman ; Michael Waidner. Springer Science and Business Media Deutschland GmbH, 2021. pp. 285-304 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{a38199bac59848c4abc0f6c77da5e7c4,

title = "An Explainable Online Password Strength Estimator",

abstract = "Human-chosen passwords are the dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password{\textquoteright}s rank in fractions of a second—without actually enumerating the passwords—so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 s, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.",

author = "Liron David and Avishai Wool",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 26th European Symposium on Research in Computer Security, ESORICS 2021 ; Conference date: 04-10-2021 Through 08-10-2021",

year = "2021",

doi = "10.1007/978-3-030-88418-5_14",

language = "الإنجليزيّة",

isbn = "9783030884178",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "285--304",

editor = "Elisa Bertino and Haya Shulman and Michael Waidner",

booktitle = "Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings",

address = "ألمانيا",

}

David, L & Wool, A 2021, An Explainable Online Password Strength Estimator. in E Bertino, H Shulman & M Waidner (eds), Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12972 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 285-304, 26th European Symposium on Research in Computer Security, ESORICS 2021, Virtual, Online, 4/10/21. https://doi.org/10.1007/978-3-030-88418-5_14

An Explainable Online Password Strength Estimator. / David, Liron; Wool, Avishai.
Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings. ed. / Elisa Bertino; Haya Shulman; Michael Waidner. Springer Science and Business Media Deutschland GmbH, 2021. p. 285-304 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12972 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An Explainable Online Password Strength Estimator

AU - David, Liron

AU - Wool, Avishai

PY - 2021

Y1 - 2021

N2 - Human-chosen passwords are the dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password’s rank in fractions of a second—without actually enumerating the passwords—so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 s, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

AB - Human-chosen passwords are the dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password’s rank in fractions of a second—without actually enumerating the passwords—so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 s, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

UR - http://www.scopus.com/inward/record.url?scp=85116907554&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-88418-5_14

DO - 10.1007/978-3-030-88418-5_14

M3 - منشور من مؤتمر

SN - 9783030884178

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 285

EP - 304

BT - Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings

A2 - Bertino, Elisa

A2 - Shulman, Haya

A2 - Waidner, Michael

PB - Springer Science and Business Media Deutschland GmbH

T2 - 26th European Symposium on Research in Computer Security, ESORICS 2021

Y2 - 4 October 2021 through 8 October 2021

ER -

David L, Wool A. An Explainable Online Password Strength Estimator. In Bertino E, Shulman H, Waidner M, editors, Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 285-304. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-88418-5_14

An Explainable Online Password Strength Estimator

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this