Investigating the Distribution of Password Choices
David Malone, Kevin Maher

TL;DR
This study examines whether Zipf's Law accurately models password choice distributions across multiple sources and explores how understanding these distributions can improve password security and user practices.
Contribution
It evaluates the applicability of Zipf's Law to password distributions and demonstrates how this understanding can enhance password security measures.
Findings
Zipf's Law fits password frequency data well.
Password distributions are similar across different sources.
Understanding distributions aids in password security and cracking.
Abstract
In this paper we will look at the distribution with which passwords are chosen. Zipf's Law is commonly observed in lists of chosen words. Using password lists from four different on-line sources, we will investigate if Zipf's law is a good candidate for describing the frequency with which passwords are chosen. We look at a number of standard statistics, used to measure the security of password distributions, and see if modelling the data using Zipf's Law produces good estimates of these statistics. We then look at the similarity of the password distributions from each of our sources, using guessing as a metric. This shows that these distributions provide effective tools for cracking passwords. Finally, we will show how to shape the distribution of passwords in use, by occasionally asking users to choose a different password.
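The following is an added example, not code from the paper or its authors: it fits a Zipf exponent to a ranked password-count list and checks whether the fitted model reproduces two security statistics of the observed distribution. The least-squares fit on log-log axes, the choice of min-entropy and guesswork as the statistics, and the constructed sample counts are all assumptions made for illustration.

```python
import math

def zipf_counts(n_ranks, s, top):
    """Constructed sample data: the count at rank r is round(top / r**s)."""
    return [round(top / r ** s) for r in range(1, n_ranks + 1)]

def fit_zipf(counts):
    """Least-squares slope of log(count) against log(rank); returns s > 0."""
    ordered = sorted(counts, reverse=True)
    xs = [math.log(r) for r in range(1, len(ordered) + 1)]
    ys = [math.log(c) for c in ordered]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return -sxy / sxx

def probabilities(counts):
    """Observed probabilities, most popular password first."""
    total = sum(counts)
    return [c / total for c in sorted(counts, reverse=True)]

def zipf_model(n_ranks, s):
    """Model probabilities p_r proportional to r**-s over n_ranks passwords."""
    weights = [r ** -s for r in range(1, n_ranks + 1)]
    z = sum(weights)
    return [w / z for w in weights]

def min_entropy(p):
    """Bits of protection against a single guess at the top password."""
    return -math.log2(p[0])

def guesswork(p):
    """Expected number of guesses when guessing in decreasing popularity."""
    return sum(rank * pr for rank, pr in enumerate(p, start=1))

def compare(counts):
    """Fit s, then return (observed, model) pairs for each statistic."""
    s = fit_zipf(counts)
    emp, mod = probabilities(counts), zipf_model(len(counts), s)
    return {"s": s,
            "min_entropy": (min_entropy(emp), min_entropy(mod)),
            "guesswork": (guesswork(emp), guesswork(mod))}

if __name__ == "__main__":
    print(compare(zipf_counts(200, 0.7, 100000)))
```

On real password lists the tail of rarely chosen passwords makes the fit noisier than on this constructed data, so the gap between the observed and model columns is the quantity to watch.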
