Password Guessers Under a Microscope: An In-Depth Analysis to Inform Deployments
Zach Parish (1), Connor Cushing (1), Shourya Aggarwal (2), Amirali Salehi-Abari (1), Julie Thorpe (1) ((1) Ontario Tech University, (2) Indian Institute of Technology Delhi)

TL;DR
This paper provides an in-depth analysis of password guessers, comparing their guessing behaviors and effectiveness, and offers practical recommendations for deploying password checking systems based on these insights.
Contribution
It introduces an analytical framework for comparing password guessers and demonstrates that combining cheap guessers can match the effectiveness of expensive ones.
Findings
Guessers produce dissimilar guesses even when trained on the same data.
Combining computationally cheap guessers is as effective as expensive ones.
Provides practical recommendations for password checking deployments.
Abstract
Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, little is known about how different guessers compare to each other. We perform in-depth analyses and comparisons of the guessing abilities and behavior of password guessers. To extend analyses beyond number of passwords cracked, we devise an analytical framework to compare the types of passwords that guessers generate under various conditions (e.g., limited training data, limited number of guesses, and dissimilar training and target data). Our results show that guessers often produce dissimilar guesses, even when trained on the same data. We leverage this result to show that combinations of computationally-cheap guessers are as effective as computationally intensive guessers, but more efficient. Our insights allow us to provide a concrete set of recommendations for system…
