Statistical metrics for individual password strength

Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous "entropy-based" metrics for a large password dataset, which suggest over-fitting in previous metrics.

Original language: English (US)
Title of host publication: Security Protocols XX - 20th International Workshop, Revised Selected Papers
Pages: 76-86
Number of pages: 11
Volume: 7622 LNCS
DOIs: https://doi.org/10.1007/978-3-642-35694-0_10
State: Published - 2012
Event: 20th International Security Protocols Workshop - Cambridge, United Kingdom
Duration: Apr 12 2012 to Apr 13 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7622 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 20th International Security Protocols Workshop
Country: United Kingdom
City: Cambridge
Period: 4/12/12 to 4/13/12

Fingerprint

Password
Entropy
Semantics
Metric
Skewed Distribution
Overfitting

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Bonneau, J. (2012). Statistical metrics for individual password strength. In Security Protocols XX - 20th International Workshop, Revised Selected Papers (Vol. 7622 LNCS, pp. 76-86). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7622 LNCS). https://doi.org/10.1007/978-3-642-35694-0_10

@inproceedings{46380ead7ccb4f8b995310e6c5d08e5d,
title = "Statistical metrics for individual password strength",
abstract = "We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous {"}entropy-based{"} metrics for a large password dataset, which suggest over-fitting in previous metrics.",
author = "Joseph Bonneau",
year = "2012",
doi = "10.1007/978-3-642-35694-0_10",
language = "English (US)",
isbn = "9783642356933",
volume = "7622 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "76--86",
booktitle = "Security Protocols XX - 20th International Workshop, Revised Selected Papers",

}
