A Canonical Password Strength Measure
Eugene Panferov

TL;DR
This paper introduces a formal, attack-strategy-aware measure of password strength, addressing the lack of a proper definition in the security discourse and emphasizing the importance of considering attacker tactics.
Contribution
It proposes a canonical definition of password strength based on attack efficiency, incorporating attacker strategies, which was missing in prior assessments.
Findings
The new metric accounts for attacker strategies in password strength evaluation.
It demonstrates the necessity of considering attack tactics for accurate strength assessment.
It provides a formal framework for evaluating password security.
Abstract
We notice that the "password security" discourse is missing the most fundamental notion of "password strength" -- it was never properly defined. We propose a canonical definition of "password strength", based on the assessment of the efficiency of a set of possible guessing attacks. Unlike naive password strength assessments, our metric takes into account the attacker's strategy, and we demonstrate the necessity of that feature. This paper does NOT advise you to include "at least three capital letters", seven underscores, and a number thirteen in your password.
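An added illustration of the abstract's central point, not code from the paper: a naive charset-entropy score is compared with the rank a password receives in one constructed attacker strategy (a four-word list, capitalisation, leet substitutions and a few suffixes, all assumptions made here). A password the naive score rates highly can sit within the first hundred guesses, while a shorter random string the naive score rates lower is never produced by the strategy at all.

```python
import math

# Constructed toy guessing strategy (assumption, not the paper's metric):
# a short wordlist with cheap mangling rules, emitted in a fixed priority
# order. A password's 1-based position in that order is the number of
# guesses the attacker spends before reaching it.
WORDLIST = ["password", "welcome", "dragon", "letmein"]
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})
SUFFIXES = ["", "1", "123", "!", "1!"]


def candidates():
    """Yield guesses in the strategy's priority order (cheapest rules first)."""
    seen = set()
    for suffix in SUFFIXES:
        for word in WORDLIST:
            cap = word.capitalize()
            for form in (word, cap, word.translate(LEET), cap.translate(LEET)):
                guess = form + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def guess_rank(password):
    """Guesses needed until `password` is tried; None if the strategy never
    produces it (the attacker would have to fall back to exhaustive search)."""
    for rank, guess in enumerate(candidates(), start=1):
        if guess == password:
            return rank
    return None


def naive_bits(password):
    """Charset-size times length score: the naive strength estimate."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def strength_report(password):
    """Both figures side by side, so the disagreement is visible."""
    return {"naive_bits": round(naive_bits(password), 1),
            "guess_rank": guess_rank(password)}


if __name__ == "__main__":
    for pw in ("P@$$w0rd1!", "qzvkmtbw"):  # constructed sample passwords
        print(pw, strength_report(pw))
```

The naive score ranks "P@$$w0rd1!" far above the random lowercase "qzvkmtbw", yet only the former is reachable by the strategy, which is exactly the ordering the strategy-aware measure is meant to correct.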
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Advanced Authentication Protocols Security
