Low-Budget Password Strength Estimation Dan Lowe Wheeler Dropbox
Low-Budget Password Strength Estimation Dan Lowe Wheeler Dropbox
Twitter: Password Feedback Twitter: Password Feedback Verizon Wireless: Password Requirements Password Guessing: 35+ years of development
Ferocious algorithms Recurrent Neural Networks PCFGs Markov Models Mangled Dictionary Attacks
Massive datasets 100M+ leaked passwords Google n-gram corpus Password Policy: Frozen in 1979 Inconsistent Requirements
Bonneau and Preibusch, 2010: 150 sites, 142 distinct policies �
Wang and Wang, 2015: 50 sites, 50 distinct policies � Inconsistent Feedback
Input: correcthorsebatterystaple Inconsistent Feedback
Input: correcthorsebatterystaple Inconsistent Feedback
Input: correcthorsebatterystaple
See also: A large-scale evaluation of high-impact password strength meters, TISSEC ‘15 Proposal: adopt zxcvbn
# small client-side estimator, # runs in 3 milliseconds, # accurate within an online attack range > npm install zxcvbn var meets_policy = function(password) { return zxcvbn(password).guesses > 500; }; Proposal: keep UI simple
Feedback @ Dropbox
Requirements @ Uber Outline for today
Motivation
How zxcvbn works
Accuracy experiments Threat Model
Online guessing attack
• Assume any of today’s best guessing algorithms
6 • Upper bound: 10 guesses
What about offline?
• Policy-level enforcement: a questionable usability burden
• Better mitigations that don’t impact usability
See also:
An Administrator’s Guide to Internet Password Research, USENIX LISA ‘14 Core estimator: minimum rank over top lists
Input: wheeler Core estimator: minimum rank over top lists
Input: wheeler
top passwords top surnames call-specific list 1. password 1. li 1. dan 2. 123456 2. khan 2. wheeler 3. 12345678 3. smith 3. dropbox 4. qwerty 4. johnson 4. drop 5. 123456789 5. jones 5. box 6. 111111 6. garcia 6. sync 7. dragon 7. brown 7. share 8. 123123 8. davis 8. collaborate 9. baseball 9. wheeler 9. rainbows 10. abc123 10. rodriguez 10. wow Core estimator: minimum rank over top lists
Input: wheeler
top passwords top surnames call-specific list 1. password 1. li 1. dan 2. 123456 2. khan 2. wheeler 3. 12345678 3. smith 3. dropbox 4. qwerty 4. johnson 4. drop 5. 123456789 5. jones 5. box 6. 111111 6. garcia 6. sync 7. dragon 7. brown 7. share 8. 123123 8. davis 8. collaborate 9. baseball 9. wheeler 9. rainbows 10. abc123 10. rodriguez 10. wow Core estimator: minimum rank over top lists
Input: wheeler
top passwords top surnames call-specific list 1. password 1. li 1. dan 2. 123456 2. khan 2. wheeler 3. 12345678 3. smith 3. dropbox 4. qwerty 4. johnson 4. drop 5. 123456789 5. jones 5. box 6. 111111 6. garcia 6. sync 7. dragon 7. brown 7. share 8. 123123 8. davis 8. collaborate 9. baseball 9. wheeler 9. rainbows 10. abc123 10. rodriguez 10. wow
Output: 2 guesses Word transformations
l33t: @ba1one ⟶ abalone
caps: abALOne ⟶ abalone
reversed: enolaba ⟶ abalone Keyboard patterns
Input: zxcftyuio Keyboard patterns
Input: zxcftyuio Keyboard patterns
Input: zxcftyuio
layout=QWERTY, length=9, turns=3 Keyboard patterns
Input: zxcftyuio
layout=QWERTY, length=9, turns=3
Output: ≈106 guesses Sequence Patterns
Input: бгезйлн Sequence Patterns
Input: бгезйлн Sequence Patterns
Input: бгезйлн
type=alphabet, length=7, codepoint_delta=2 Sequence Patterns
Input: бгезйлн
type=alphabet, length=7, codepoint_delta=2
Output: ≈102 guesses
Match ⟶ Estimate ⟶ Search
Input: lenovo2222 Match ⟶ Estimate ⟶ Search
Input: lenovo2222
lenovo (password)
eno (surname)
no (english)
no (reversed)
2222 (2/2/2022)
2222 (repeat) Match ⟶ Estimate ⟶ Search
Input: lenovo2222
lenovo (password) 11007 guesses
eno (surname) 3284 guesses
no (english) 11 guesses
no (reversed) 18 guesses
2222 (2/2/2022) 2190 guesses
2222 (repeat) 48 guesses Match ⟶ Estimate ⟶ Search
Input: lenovo2222
lenovo (password) 11007 guesses
eno (surname) 3284 guesses
no (english) 11 guesses
no (reversed) 18 guesses
2222 (2/2/2022) 2190 guesses
2222 (repeat) 48 guesses Match ⟶ Estimate ⟶ Search
Input: lenovo2222
lenovo (password) 11007 guesses
eno (surname) 3284 guesses
no (english) 11 guesses
no (reversed) 18 guesses
2222 (2/2/2022) 2190 guesses
2222 (repeat) 48 guesses
Output: ≈106 guesses Outline for today
Motivation
How zxcvbn works
Accuracy experiments Outline for today
Motivation
How zxcvbn works
Accuracy experiments
gold standard: real attacks trained on leaks
estimators studied: zxcvbn, KeePass, NIST entropy Gold standard: PGS
Minimum guess attempts over four attacks:
• Order-5 Markov Model (Ma et al. 2014) • Probabalistic Context-Free Grammar (Komanduri 2015) • Mangled Dictionary (Hashcat) • Mangled Dictionary (John the Ripper) Training data
Gold Standard Estimators: top 100k lists
RockYou ’09 leak RockYou ’09 leak
Yahoo ’12 leak Yahoo ’12 leak
MySpace ’06 leak Xato ’15 password corpus
Google Web Corpus English Wikipedia top 1-grams Top words: US TV + film Web2 dictionary (2006 Wiktionary study) Inflection dictionary Top names: 1990 US Census
≈20.5M unique tokens ≈340k unique tokens Test data
• 15k random sample, RockYou ’09
• Not included in PGS / estimator training data
Estimator size?
Truncate lists at: gzipped size
top 100k: ~1.5 MB
top 10k: ~245 kB
top 1k: ~29 kB
Minimum rank only?
Runtime Performance Conclusion
Just Say No! (to inconsistently arbitrary password strength estimation)
Estimating online attacks: minimum rank goes a long ways
Matching other patterns is helpful and cheap
Accuracy: highly sensitive to training data Give it a try!
MIT License, cross-platform, widely ported: https://github.com/dropbox/zxcvbn
Partial adopter list: