Monte Carlo Strength Evaluation
- 12 October 2015
- conference paper
- Published by Association for Computing Machinery (ACM)
- p. 158-169
- https://doi.org/10.1145/2810103.2813631
Abstract
Modern password guessing attacks adopt sophisticated probabilistic techniques that succeed with orders of magnitude fewer guesses than brute force. Unfortunately, best practices and password strength evaluators have failed to keep up: they are generally based on heuristic rules designed to defend against obsolete brute-force attacks. Many passwords can only be guessed with significant effort, and motivated attackers may be willing to invest resources to obtain valuable passwords. However, it is eminently impractical for the defender to simulate expensive attacks against each user in order to characterise their password strength accurately. This paper proposes a novel method to estimate the number of guesses needed to find a password using modern attacks. The proposed method requires few resources, applies to a wide set of probabilistic models, and has highly desirable convergence properties. The experiments demonstrate the scalability and generality of the proposal. In particular, the experimental analysis reports evaluations over a wide range of password strengths and of state-of-the-art attacks on very large datasets, including attacks that would have been prohibitively expensive to handle with existing simulation-based approaches.
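The quantity the abstract talks about is the guess number of a password: how many candidates an attacker who enumerates a probabilistic model in decreasing order of probability tries before reaching it. Computing it exactly means enumerating every password the model ranks higher, which is the "prohibitively expensive" simulation. The code below is an added worked example, written for this page and not taken from the paper, of the Monte Carlo alternative: draw n passwords from the model once, and estimate the guess number of any password as the 1/(n p(y)) weighted count of sampled passwords y that the model considers more probable. The four-letter independent-character model, its probabilities, the length 6 and the sample size are assumptions chosen so that the exact guess number can still be enumerated and compared with the estimate.

```python
import bisect
import random
from itertools import product

# Toy probabilistic password model: an assumption for this example, not the
# paper's model. Passwords are fixed-length strings over a four-letter alphabet,
# each character drawn independently with the probability given here.
CHAR_PROB = {"a": 0.4, "b": 0.3, "c": 0.2, "d": 0.1}
LENGTH = 6


def prob(pw):
    """Probability the model assigns to a password (product of per-character probabilities)."""
    p = 1.0
    for ch in pw:
        p *= CHAR_PROB[ch]
    return p


def sample_password(rng):
    """Draw one password from the model."""
    return "".join(rng.choices(list(CHAR_PROB), weights=list(CHAR_PROB.values()), k=LENGTH))


def exact_guess_number(pw):
    """Ground truth: number of passwords the model ranks strictly above pw, i.e. how many
    guesses an attacker enumerating the model in decreasing-probability order makes before
    reaching pw. Walks the whole space (4**6 strings), which only a toy model allows."""
    p = prob(pw)
    return sum(1 for t in product(CHAR_PROB, repeat=LENGTH) if prob("".join(t)) > p)


class MonteCarloStrength:
    """Estimate guess numbers from a single sample of n passwords drawn from the model.

    A password y drawn with probability p(y) stands in for 1/p(y) passwords of comparable
    probability, so the number of passwords ranked above pw is estimated as
    (1/n) * sum of 1/p(y) over sampled y with p(y) > p(pw). The sample is sorted once by
    probability and prefix sums are kept, so each query is a binary search rather than a
    pass over the sample, and the same sample serves every password to be evaluated.
    """

    def __init__(self, n, rng):
        probs = sorted((prob(sample_password(rng)) for _ in range(n)), reverse=True)
        self.neg_probs = [-p for p in probs]  # ascending order, for bisect
        self.cumulative = []                  # cumulative[i] = sum_{j<=i} 1/(n * probs[j])
        total = 0.0
        for p in probs:
            total += 1.0 / (n * p)
            self.cumulative.append(total)

    def guess_number(self, pw):
        p = prob(pw)
        # index of the first sampled password with probability <= p(pw); every sampled
        # password before it is strictly more probable than pw
        k = bisect.bisect_left(self.neg_probs, -p)
        return self.cumulative[k - 1] if k > 0 else 0.0


if __name__ == "__main__":
    est = MonteCarloStrength(n=20000, rng=random.Random(1))
    for pw in ("aaaaaa", "abcabc", "abcdab", "dddddd"):
        print(f"{pw}: exact={exact_guess_number(pw)} estimate={est.guess_number(pw):.0f}")
```

The estimator is unbiased for the exact count and its error shrinks as 1/sqrt(n), while the cost of building it is n samples of the model plus a sort, independent of how many passwords are later checked. Replacing `prob` and `sample_password` with the probability and sampling routines of a Markov or PCFG guesser leaves the estimator unchanged, which is what "applies to a wide set of probabilistic models" amounts to in practice. The caveat a practitioner should keep in mind: the result is strength relative to the chosen model, and an attacker with a better model needs fewer guesses than the estimate suggests.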
This publication has 18 references indexed in Scilit:
- OMEN: Faster Password Guessing Using an Ordered Markov Enumerator. Lecture Notes in Computer Science, 2015.
- From Very Weak to Very Strong: Analyzing Password-Strength Meters. Internet Society, 2014.
- Does my password go up to eleven? ACM, 2013.
- The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. IEEE, 2012.
- Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. IEEE, 2012.
- A Research Agenda Acknowledging the Persistence of Passwords. IEEE Security & Privacy, 2011.
- Password Strength: An Empirical Analysis. IEEE, 2010.
- Electronic authentication guideline. NIST, 2006.
- Estimation of probabilities from sparse data for the language model component of a speech recognizer. IEEE Transactions on Acoustics, Speech, and Signal Processing, 1987.
- A Generalization of Sampling Without Replacement from a Finite Universe. Journal of the American Statistical Association, 1952.