Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

Bai, Wenjie; Blocki, Jeremiah; Harsha, Benjamin

doi:10.1007/978-3-030-90370-1_18

Cited by 3 publications

(1 citation statement)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, because Ψ u and K u are stored on the authentication server, this would signal information about the strength of pw u to an offline attacker. While this seems undesirable, a recent counter-intuitive result showed that noisy strength signals can actually help deter a rational utility maximizing password cracker [1] if the signaling scheme is tuned appropriately. Thus, it is possible that a noisy (randomized) mechanism to tune Ψ u based on the strength of the user's password could help deter offline attackers.…”

Section: Extending the K-strikes Mechanismmentioning

confidence: 99%

DALock: Password Distribution-Aware Throttling

Blocki

Zhang

2022

PoPETs

Self Cite

View full text Add to dashboard Cite

Large-scale online password guessing attacks are widespread and pose a persistant privacy and security threat to users. The common method for mitigating the risk of online cracking is to lock out the user after a fixed number (K) of consecutive incorrect login attempts. Selecting the value of K induces a classic security-usability trade-off. When K is too large, a hacker can (quickly) break into a significant fraction of user accounts, but when K is too low, we will start to annoy honest users by locking them out after a few mistakes. Motivated by the observation that honest user mistakes typically look quite different from an online attacker’s password guesses, we introduce DALock, a distribution-aware password lockout mechanism to reduce user annoyance while minimizing user risk. As the name suggests, DALock is designed to be aware of the frequency and popularity of the password used for login attacks. At the same time, standard throttling mechanisms (e.g., K-strikes) are oblivious to the password distribution. In particular, DALock maintains an extra “hit count" in addition to “strike count" for each user, which is based on (estimates of) the cumulative probability of all login attempts for that particular account. We empirically evaluate DALock with an extensive battery of simulations using real-world password datasets. In comparison with the traditional K-strikes mechanism, our simulations indicate that DALock offers a superior simulated security/usability trade-off. For example, in one of our simulations, we are able to reduce the success rate of an attacker to 0.05% (compared to 1% for the 3strikes mechanism) whilst simultaneously reducing the unwanted lockout rate for accounts that are not under attack to just 0.08% (compared to 4% for the 3-strikes mechanism).

show abstract

Section: Extending the K-strikes Mechanismmentioning

confidence: 99%

DALock: Password Distribution-Aware Throttling

Blocki

Zhang

2022

PoPETs

Self Cite

View full text Add to dashboard Cite

show abstract

Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

Bai

Blocki

Harsha

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Combining Learning Algorithms with Explainable AI to Assess the Strength of Steganography Passwords

Balaji,

Selvaraj

2024

Steganography - The Art of Hiding Information

View full text Add to dashboard Cite

The concept of passwords predates computers by a significant amount. They served as a way to verify the authenticity or identify a person. Passwords, such as email addresses, social media login credentials, and Internet banking information, are commonly used to secure private information in the modern world. Brute-forcing is one of these methods, which uses a powerful computer system to search through all possible combinations of alphanumeric characters to crack the password. Steganography and cryptography are regarded as a robust Privacy protection solution. On the other hand, steganography typically deals with text concealment in passwords. If the steganography password is robust, brute force may not work since the strong password may be discovered over several months or years. However, consumers create weak passwords due to inappropriate password policy rules set up by password strength meters. In this work, we use deep learning and machine learning methods, such as decision trees and logistic regression, Xgboost, Multilayer Perceptron (MLP), and Keras model, to categorize the steganography password in any one of the three categories (weakest, average, and most robust). This allows us to calculate the steganography password strength. Additionally, we have used explainable AI to interpret the models’ strengths and weaknesses. The algorithm with the highest accuracy, precision, recall, and f-measure scores has been the best. These were the model performance results: 81.9% for Logistic Regression, 81.2% for Decision Tree, 99.7% for Xgboost, 98.2% for MLP, and 99.7% for Keras. Compared to the other models, Xgboost and Keras performed better.

show abstract

Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

Cited by 3 publications

References 37 publications

DALock: Password Distribution-Aware Throttling

DALock: Password Distribution-Aware Throttling

Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

Combining Learning Algorithms with Explainable AI to Assess the Strength of Steganography Passwords

Contact Info

Product

Resources

About