
Low-Budget Password Strength Estimation
Dan Lowe Wheeler, Dropbox

Twitter: Password Feedback
Verizon Wireless: Password Requirements

Password Guessing: 35+ years of development
• Ferocious algorithms: Recurrent Neural Networks, PCFGs, Markov Models, Mangled Dictionary Attacks
• Massive datasets: 100M+ leaked passwords, Google n-gram corpus

Password Policy: Frozen in 1979

Inconsistent Requirements
• Bonneau and Preibusch, 2010: 150 sites, 142 distinct policies
• Wang and Wang, 2015: 50 sites, 50 distinct policies

Inconsistent Feedback
Input: correcthorsebatterystaple
See also: A large-scale evaluation of high-impact password strength meters, TISSEC '15

Proposal: adopt zxcvbn
# small client-side estimator,
# runs in 3 milliseconds,
# accurate within an online attack range
> npm install zxcvbn
var meets_policy = function(password) {
  return zxcvbn(password).guesses > 500;
};

Proposal: keep UI simple
Feedback @ Dropbox
Requirements @ Uber

Outline for today
• Motivation
• How zxcvbn works
• Accuracy experiments

Threat Model
Online guessing attack
• Assume any of today's best guessing algorithms
• Upper bound: 10⁶ guesses
What about offline?
• Policy-level enforcement: a questionable usability burden
• Better mitigations that don't impact usability
See also: An Administrator's Guide to Internet Password Research, USENIX LISA '14

Core estimator: minimum rank over top lists
Input: wheeler

      top passwords   top surnames   call-specific list
  1.  password        li             dan
  2.  123456          khan           wheeler
  3.  12345678        smith          dropbox
  4.  qwerty          johnson        drop
  5.  123456789       jones          box
  6.  111111          garcia         sync
  7.  dragon          brown          share
  8.  123123          davis          collaborate
  9.  baseball        wheeler        rainbows
 10.  abc123          rodriguez      wow

Output: 2 guesses

Word transformations
l33t: @ba1one ⟶ abalone
caps: abALOne ⟶ abalone
reversed: enolaba ⟶ abalone

Keyboard patterns
Input: zxcftyuio
layout=QWERTY, length=9, turns=3
Output: ≈10⁶ guesses

Sequence Patterns
Input: бгезйлн
type=alphabet, length=7, codepoint_delta=2
Output: ≈10² guesses

Match ⟶ Estimate ⟶ Search
Input: lenovo2222
lenovo (password)     11007 guesses
eno (surname)          3284 guesses
no (english)             11 guesses
no (reversed)            18 guesses
2222 (2/2/2022)        2190 guesses
2222 (repeat)            48 guesses
Output: ≈10⁶ guesses

Outline for today
• Motivation
• How zxcvbn works
• Accuracy experiments
  gold standard: real attacks trained on leaks
  estimators studied: zxcvbn, KeePass, NIST entropy

Gold standard: PGS
Minimum guess attempts over four attacks:
• Order-5 Markov Model (Ma et al. 2014)
• Probabilistic Context-Free Grammar (Komanduri 2015)
• Mangled Dictionary (Hashcat)
• Mangled Dictionary (John the Ripper)

Training data
Gold Standard:
• RockYou '09 leak
• Yahoo '12 leak
• MySpace '06 leak
≈20.5M unique tokens
Estimators: top 100k lists
• RockYou '09 leak
• Yahoo '12 leak
• Xato '15 password corpus
• Google Web Corpus
• English Wikipedia top 1-grams
• Top words: US TV + film
• Web2 dictionary (2006 Wiktionary study)
• Inflection dictionary
• Top names: 1990 US Census
≈340k unique tokens

Test data
• 15k random sample, RockYou '09
• Not included in PGS / estimator training data

Estimator size?
Truncate lists at:   gzipped size
top 100k:            ~1.5 MB
top 10k:             ~245 kB
top 1k:              ~29 kB

Minimum rank only?

Runtime Performance

Conclusion
Just Say No! (to inconsistently arbitrary password strength estimation)
• Estimating online attacks: minimum rank goes a long way
• Matching other patterns is helpful and cheap
• Accuracy: highly sensitive to training data

Give it a try!
MIT License, cross-platform, widely ported: https://github.com/dropbox/zxcvbn
Partial adopter list:
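The minimum-rank estimator (the wheeler slide) and the Match ⟶ Estimate ⟶ Search pipeline (the lenovo2222 slides), as an added toy example in JavaScript that is not zxcvbn's own code: it uses the ten-entry lists from the wheeler slide as stand-in dictionaries, adds a repeat matcher, and runs a dynamic-programming search for the cheapest covering of the password. Assumed, not from the slides: the `userInputs` parameter name, a brute-force cost of 10 guesses per unmatched character, the repeat estimate (one-character cost times run length), and leaving out the sequence-length penalty the real library adds.

```javascript
// Added example, not zxcvbn's own code: a toy version of the slides'
// match -> estimate -> search pipeline. The ten-entry lists from the
// slides stand in for zxcvbn's 100k-entry dictionaries.
const TOP_LISTS = {
  password: ["password", "123456", "12345678", "qwerty", "123456789",
             "111111", "dragon", "123123", "baseball", "abc123"],
  surname: ["li", "khan", "smith", "johnson", "jones",
            "garcia", "brown", "davis", "wheeler", "rodriguez"],
};
const BRUTEFORCE_PER_CHAR = 10; // assumed cost of guessing one unmatched character
// Match + estimate: every substring found in a top list, with the slides'
// estimate "guesses = rank in that list" (the call-specific list included).
function dictionaryMatches(pw, lists) {
  const out = [];
  for (let i = 0; i < pw.length; i++)
    for (let j = i + 1; j <= pw.length; j++) {
      const token = pw.slice(i, j).toLowerCase();
      for (const [name, list] of Object.entries(lists)) {
        const rank = list.indexOf(token) + 1; // 0 when the token is absent
        if (rank > 0) out.push({ i, j: j - 1, name, token, guesses: rank });
      }
    }
  return out;
}
// Match + estimate: a run of one repeated character such as "2222";
// assumed estimate: one-character cost times the run length.
function repeatMatches(pw) {
  return [...pw.matchAll(/(.)\1+/g)].map(m => ({ i: m.index, j: m.index + m[0].length - 1,
    name: "repeat", token: m[0], guesses: BRUTEFORCE_PER_CHAR * m[0].length }));
}
// Search: dynamic programming over end positions for the cheapest sequence
// of matches (plus brute-forced filler) that covers the whole password.
// Sequence cost is the product of match costs; the real library's
// sequence-length penalty is left out here.
function minimumGuesses(pw, userInputs = []) {
  const lists = { ...TOP_LISTS, user_inputs: userInputs.map(s => s.toLowerCase()) };
  const matches = dictionaryMatches(pw, lists).concat(repeatMatches(pw));
  const best = new Array(pw.length + 1).fill(Infinity); // best[k]: cost of pw[0..k)
  best[0] = 1;
  for (let k = 1; k <= pw.length; k++) {
    best[k] = best[k - 1] * BRUTEFORCE_PER_CHAR; // k-th character left unmatched
    for (const m of matches)
      if (m.j === k - 1) best[k] = Math.min(best[k], best[m.i] * m.guesses);
  }
  return best[pw.length];
}
// The policy check from the slides, run over the toy estimator.
const meetsPolicy = (pw, userInputs = []) => minimumGuesses(pw, userInputs) > 500;
```

With the call-specific list passed in, "wheeler" scores 2 guesses as on the slide; without it the surname list still caps it at 9.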