Password strength estimators trained on the leaked password lists
Version 2 2024-06-04, 14:26
Version 1 2019-11-27, 15:17
conference contribution
posted on 2024-06-04, 14:26 authored by CR Schaffer, Lei Pan
Passwords are, and for the foreseeable future will remain, the main authentication mechanism across online applications. Estimating the strength of a user’s password gives the user valuable insight into the strength or weakness of their chosen passwords. Current password strength estimators, when giving an estimate of a password’s strength, often fail to consider the plethora of leaked lists at an attacker’s disposal. This research investigates the effect of training a password strength estimator on a leaked list of 14.3 million passwords, all of which are commonly used in the password cracking world, and then observing the effect that this has on the estimation of a password’s strength. By modifying the trained dictionary lists that the zxcvbn classifier is fed, an estimate that accounts for the leaked list was achieved. Our empirical results show that there is a clear need to include leaked passwords in the password strength estimation process and that the accuracy of the estimator should not be sacrificed in order to provide a faster service.