Statistical metrics for individual password strength

Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous "entropy-based" metrics for a large password dataset, which suggest over-fitting in previous metrics.

Original languageEnglish (US)
Title of host publicationSecurity Protocols XX - 20th International Workshop, Revised Selected Papers
Pages76-86
Number of pages11
DOIs
StatePublished - Dec 14 2012
Event20th International Security Protocols Workshop - Cambridge, United Kingdom
Duration: Apr 12 2012Apr 13 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7622 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other20th International Security Protocols Workshop
CountryUnited Kingdom
CityCambridge
Period4/12/124/13/12

    Fingerprint

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Bonneau, J. (2012). Statistical metrics for individual password strength. In Security Protocols XX - 20th International Workshop, Revised Selected Papers (pp. 76-86). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7622 LNCS). https://doi.org/10.1007/978-3-642-35694-0_10