
Submission: An Algorithm For Better Password Checking

della writes: Password checkers — those things that tell you whether your password is strong or not — are good: various studies have found that they make users choose better passwords. Unfortunately, nowadays attackers use probabilistic strategies based on natural language processing to guess passwords earlier, and most checkers consist of heuristic rules that don't reflect probabilistic attacks well. To do better you could in theory simulate the attack, but if your password is not that bad, that would be very expensive or just unfeasible.
In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks. The MIT Technology Review also covers our work.
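
One way to get such an estimate without simulating the attack is Monte Carlo sampling: draw passwords from the attack model once, weight each sample by the inverse of its probability, and sum the weights of the samples that are more probable than the password being checked. The sketch below is an added example, not code from the submission or the paper; the four-character toy model, `GuessEstimator` and `exact_guesses` are constructed for illustration, and the model is kept tiny so the estimate can be compared with full enumeration.

```python
import bisect
import itertools
import math
import random

# Constructed toy attack model (an assumption, not from the paper): 4-character
# passwords whose characters are drawn independently with these probabilities.
CHAR_P = {"a": 0.40, "e": 0.25, "s": 0.15, "1": 0.10, "x": 0.06, "9": 0.04}
LENGTH = 4

def prob(pw):
    """Probability the model assigns to pw (0 if outside the model's space)."""
    if len(pw) != LENGTH:
        return 0.0
    return math.prod(CHAR_P.get(c, 0.0) for c in pw)

def sample(rng):
    """Draw one password from the model."""
    return "".join(rng.choices(list(CHAR_P), weights=list(CHAR_P.values()), k=LENGTH))

class GuessEstimator:
    """Monte Carlo estimate of how many passwords the model ranks above a target."""

    def __init__(self, n=20000, seed=1):
        rng = random.Random(seed)
        # Sampled probabilities, ascending; suffix[i] = sum over j >= i of 1/(n*p_j).
        self.probs = sorted(prob(sample(rng)) for _ in range(n))
        self.suffix = [0.0] * (n + 1)
        for i in range(n - 1, -1, -1):
            self.suffix[i] = self.suffix[i + 1] + 1.0 / (n * self.probs[i])

    def guesses(self, pw):
        p = prob(pw)
        if p == 0.0:
            return math.inf  # the model never produces this password
        # Sum the weights of all samples strictly more probable than the target.
        return self.suffix[bisect.bisect_right(self.probs, p)]

def exact_guesses(pw):
    """Ground truth by enumerating the whole (tiny) password space."""
    p = prob(pw)
    return sum(prob("".join(t)) > p for t in itertools.product(CHAR_P, repeat=LENGTH))
```

The sampling and sorting happen once; each later query is a probability computation plus a binary search, which is what makes the approach usable inside a password checker.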
