A Large-Scale Evaluation of High-Impact Password Strength Meters

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2015-06-09 DOI:10.1145/2739044

Xavier de Carné de Carnavalet, Mohammad Mannan

{"title":"A Large-Scale Evaluation of High-Impact Password Strength Meters","authors":"Xavier de Carné de Carnavalet, Mohammad Mannan","doi":"10.1145/2739044","DOIUrl":null,"url":null,"abstract":"Passwords are ubiquitous in our daily digital lives. They protect various types of assets ranging from a simple account on an online newspaper website to our health information on government websites. However, due to the inherent value they protect, attackers have developed insights into cracking/guessing passwords both offline and online. In many cases, users are forced to choose stronger passwords to comply with password policies; such policies are known to alienate users and do not significantly improve password quality. Another solution is to put in place proactive password-strength meters/checkers to give feedback to users while they create new passwords. Millions of users are now exposed to these meters on highly popular web services that use user-chosen passwords for authentication. More recently, these meters are also being built into popular password managers, which protect several user secrets including passwords. Recent studies have found evidence that some meters actually guide users to choose better passwords—which is a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. At least, as we found, most vendors do not provide any explanation for their design choices, sometimes making them appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated source-available meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters and possibly make them an effective tool in the long run.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2015-06-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"88","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2739044","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 88

Abstract

Passwords are ubiquitous in our daily digital lives. They protect various types of assets ranging from a simple account on an online newspaper website to our health information on government websites. However, due to the inherent value they protect, attackers have developed insights into cracking/guessing passwords both offline and online. In many cases, users are forced to choose stronger passwords to comply with password policies; such policies are known to alienate users and do not significantly improve password quality. Another solution is to put in place proactive password-strength meters/checkers to give feedback to users while they create new passwords. Millions of users are now exposed to these meters on highly popular web services that use user-chosen passwords for authentication. More recently, these meters are also being built into popular password managers, which protect several user secrets including passwords. Recent studies have found evidence that some meters actually guide users to choose better passwords—which is a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. At least, as we found, most vendors do not provide any explanation for their design choices, sometimes making them appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated source-available meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters and possibly make them an effective tool in the long run.

查看原文本刊更多论文

高影响密码强度计的大规模评估

密码在我们的日常数字生活中无处不在。它们保护各种类型的资产，从在线报纸网站上的简单账户到政府网站上的健康信息。然而，由于它们保护的固有价值，攻击者已经开发出离线和在线破解/猜测密码的洞察力。在许多情况下，用户被迫选择更强的密码来遵守密码策略;众所周知，这样的策略会疏远用户，并且不会显著提高密码质量。另一个解决方案是设置主动密码强度测量/检查器，以便在用户创建新密码时向用户提供反馈。现在，数百万用户在使用用户选择的密码进行身份验证的非常流行的web服务上暴露于这些仪表。最近，这些仪表也被内置到流行的密码管理器中，可以保护包括密码在内的多个用户秘密。最近的研究发现，有证据表明，一些仪表实际上会引导用户选择更好的密码——这在密码研究中是一个罕见的好消息。然而，这些仪表大多是基于特别设计的。至少，正如我们所发现的，大多数供应商没有为他们的设计选择提供任何解释，有时使它们看起来像一个黑盒子。我们分析了在选定的热门网站和密码管理器中部署的密码仪表。我们记录了源代码可用的模糊度量，推断了闭源度量背后的算法，并测量了从几个密码字典中分配给常用密码的强度标签。从对数百万个密码的实证分析中，我们揭示了一些web服务计量器的服务器端是如何工作的，并提供了相同密码在不同计量器中强度结果高度不一致的示例，以及许多弱密码被标记为强甚至优秀的示例。这些弱点和不一致可能会使用户在选择更强的密码时感到困惑，从而可能削弱这些仪表的目的。另一方面，我们相信这些发现可能有助于改进现有的仪表，并可能使它们成为长期有效的工具。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.