Post on 25-Dec-2019
Low-Budget Password Strength EstimationDan Lowe Wheeler
Dropbox
Twitter: Password Feedback
Twitter: Password Feedback
Verizon Wireless: Password Requirements
Password Guessing: 35+ years of development
Ferocious algorithmsRecurrent Neural Networks PCFGs Markov Models Mangled Dictionary Attacks
Massive datasets100M+ leaked passwords Google n-gram corpus
Password Policy: Frozen in 1979
Inconsistent Requirements
Bonneau and Preibusch, 2010: 150 sites, 142 distinct policies 😫 Wang and Wang, 2015: 50 sites, 50 distinct policies 😱
Inconsistent FeedbackInput: correcthorsebatterystaple
Inconsistent FeedbackInput: correcthorsebatterystaple
Inconsistent FeedbackInput: correcthorsebatterystaple
See also: A large-scale evaluation of high-impact password strength meters, TISSEC ‘15
Proposal: adopt zxcvbn
# small client-side estimator,# runs in 3 milliseconds,# accurate within an online attack range> npm install zxcvbn
var meets_policy = function(password) { return zxcvbn(password).guesses > 500; };
Feedback @ Dropbox
Requirements @ Uber
Proposal: keep UI simple
Outline for todayMotivation
How zxcvbn works
Accuracy experiments
Threat ModelOnline guessing attack
• Assume any of today’s best guessing algorithms
• Upper bound: 106 guesses
What about offline?
• Policy-level enforcement: a questionable usability burden
• Better mitigations that don’t impact usability
See also:
An Administrator’s Guide to Internet Password Research, USENIX LISA ‘14
Core estimator: minimum rank over top lists
Input: wheeler
Core estimator: minimum rank over top lists
Input: wheeler
1. password 2. 123456 3. 12345678 4. qwerty 5. 123456789 6. 111111 7. dragon 8. 123123 9. baseball 10. abc123
1. li 2. khan 3. smith 4. johnson 5. jones 6. garcia 7. brown 8. davis 9. wheeler 10. rodriguez
1. dan 2. wheeler 3. dropbox 4. drop 5. box 6. sync 7. share 8. collaborate 9. rainbows 10. wow
top passwords top surnames call-specific list
Core estimator: minimum rank over top lists
1. password 2. 123456 3. 12345678 4. qwerty 5. 123456789 6. 111111 7. dragon 8. 123123 9. baseball 10. abc123
Input: wheeler
1. li 2. khan 3. smith 4. johnson 5. jones 6. garcia 7. brown 8. davis 9. wheeler10. rodriguez
1. dan 2. wheeler3. dropbox 4. drop 5. box 6. sync 7. share 8. collaborate 9. rainbows 10. wow
top passwords top surnames call-specific list
Core estimator: minimum rank over top lists
1. password 2. 123456 3. 12345678 4. qwerty 5. 123456789 6. 111111 7. dragon 8. 123123 9. baseball 10. abc123
Input: wheeler
1. li 2. khan 3. smith 4. johnson 5. jones 6. garcia 7. brown 8. davis 9. wheeler10. rodriguez
1. dan 2. wheeler3. dropbox 4. drop 5. box 6. sync 7. share 8. collaborate 9. rainbows 10. wow
Output: 2 guesses
top passwords top surnames call-specific list
Word transformations
l33t: @ba1one ⟶ abalone
caps: abALOne ⟶ abalone
reversed: enolaba ⟶ abalone
Keyboard patternsInput: zxcftyuio
Keyboard patternsInput: zxcftyuio
Keyboard patternsInput: zxcftyuio
layout=QWERTY, length=9, turns=3
Keyboard patternsInput: zxcftyuio
Output: ≈106 guesses
layout=QWERTY, length=9, turns=3
Sequence PatternsInput: бгезйлн
Sequence PatternsInput: бгезйлн
Sequence PatternsInput: бгезйлн
type=alphabet, length=7, codepoint_delta=2
Sequence PatternsInput: бгезйлн
Output: ≈102 guesses
type=alphabet, length=7, codepoint_delta=2
Match ⟶ Estimate ⟶ SearchInput: lenovo2222
Match ⟶ Estimate ⟶ SearchInput: lenovo2222
lenovo (password)
eno (surname)
no (english)
no (reversed)
2222 (2/2/2022)
2222 (repeat)
Match ⟶ Estimate ⟶ SearchInput: lenovo2222
lenovo (password) 11007 guesses
eno (surname) 3284 guesses
no (english) 11 guesses
no (reversed) 18 guesses
2222 (2/2/2022) 2190 guesses
2222 (repeat) 48 guesses
Match ⟶ Estimate ⟶ SearchInput: lenovo2222
lenovo (password) 11007 guesses
eno (surname) 3284 guesses
no (english) 11 guesses
no (reversed) 18 guesses
2222 (2/2/2022) 2190 guesses
2222 (repeat) 48 guesses
Match ⟶ Estimate ⟶ SearchInput: lenovo2222
lenovo (password) 11007 guesses
eno (surname) 3284 guesses
no (english) 11 guesses
no (reversed) 18 guesses
2222 (2/2/2022) 2190 guesses
2222 (repeat) 48 guesses
Output: ≈106 guesses
Outline for todayMotivation
How zxcvbn works
Accuracy experiments
Outline for todayMotivation
How zxcvbn works
Accuracy experiments
gold standard: real attacks trained on leaks
estimators studied: zxcvbn, KeePass, NIST entropy
Gold standard: PGSMinimum guess attempts over four attacks: • Order-5 Markov Model (Ma et al. 2014) • Probabalistic Context-Free Grammar (Komanduri 2015) • Mangled Dictionary (Hashcat) • Mangled Dictionary (John the Ripper)
Training dataGold Standard Estimators: top 100k lists
RockYou ’09 leak RockYou ’09 leak
Yahoo ’12 leak Yahoo ’12 leak
MySpace ’06 leak Xato ’15 password corpus
Google Web Corpus English Wikipedia top 1-grams
Web2 dictionary Top words: US TV + film (2006 Wiktionary study)
Inflection dictionary Top names: 1990 US Census
≈20.5M unique tokens ≈340k unique tokens
Test data• 15k random sample, RockYou ’09
• Not included in PGS / estimator training data
Estimator size?
Truncate lists at: gzipped size
top 100k: ~1.5 MB
top 10k: ~245 kB
top 1k: ~29 kB
Minimum rank only?
Runtime Performance
ConclusionJust Say No!(to inconsistently arbitrary password strength estimation)
Estimating online attacks: minimum rank goes a long ways
Matching other patterns is helpful and cheap
Accuracy: highly sensitive to training data
Give it a try!MIT License, cross-platform, widely ported:https://github.com/dropbox/zxcvbn
Partial adopter list: