Go to OpenReview Archive homepageFast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks
Abstract: Human-chosen text passwords, today’s dominant form of authentication, are vulnerable to guessing attacks. Un- fortunately, existing approaches for evaluating password strength by modeling adversarial password guessing are either inaccurate or orders of magnitude too large and too slow for real-time, client-side password checking. We propose using artificial neural networks to model text passwords’ resistance to guessing attacks and ex- plore how different architectures and training methods impact neural networks’ guessing effectiveness. We show that neural networks can often guess passwords more effectively than state-of-the-art approaches, such as probabilistic context-free grammars and Markov mod- els. We also show that our neural networks can be highly compressed—to as little as hundreds of kilobytes— without substantially worsening guessing effectiveness. Building on these results, we implement in JavaScript the first principled client-side model of password guess- ing, which analyzes a password’s resistance to a guessing attack of arbitrary duration with sub-second latency. To- gether, our contributions enable more accurate and prac- tical password checking than was previously possible.
0 Replies
Loading