A Canonical Password Strength Measure

  • Posted on: 24 June 2015
  • By: silly_sad
Track: Desktop
Day: Saturday
Author: Eugene Panferov
Room: Track 2 (main)
Attachment: password.pdf (85.38 KB)
English
Paper: 

We notice that the “password security” discourse lacks a fundamental notion of “password strength”.
We propose a canonical measure of a password’s strength. We give formal definitions of the “guessing attack” and
the “attacker’s strategy”. The measure is based on an assessment of the efficiency of the best possible guessing
attack. Unlike naive password strength assessments, our measure takes into account the attacker’s strategy. We
argue strongly against widespread informal assumptions about “strong” and “weak” passwords, and advise
adopting formal metrics such as the one proposed. This paper does NOT advise you to include “at least three capital
letters”, seven underscores, and a number thirteen in your password.

The full text of the paper is on arXiv, available as PDF and TeX: http://arxiv.org/abs/1505.05090

Time: 15:00 - 16:00 hrs