
A Password Strength Classifier By Ensemble Learning From The Query Feedback Of Websites

Posted on: 2018-06-14
Degree: Master
Type: Thesis
Country: China
Candidate: Endalew Elsabeth Alem
GTID: 2348330512993279
Subject: COMPUTER TECHNOLOGY
Abstract/Summary:
Password strength measurement is important for enhancing the security of systems based on password authentication. There are many password strength metrics and tools, but none of them can produce an objective measurement because they cannot model attackers' strategies accurately. Different tools choose different policies and dictionaries, so their metrics differ. Some tools use leaked-password dictionaries; however, any difficult password that appears in those dictionaries can also be classified as weak. Password strength is a game between the defender and the attacker: the defender changes the password policy, and the attacker changes strategy accordingly. In the meantime, the defender may change the policy again based on the attacker's strategy. Based on the observation that websites have direct but partial knowledge of attackers, we propose an approach that integrates the practices of different websites into a global model of the attackers by training a password strength classifier on the password strength feedback returned by the websites' checkers. Using the Alexa ranking for site selection, we analyzed the password policies and checkers of the top 100 popular websites. More than 2.6 million leaked passwords and some Leet-transformed passwords were used to analyze the checkers of ten of the 100 selected websites. Our comparison is in line with previous findings of inconsistent measurement and feedback on password strength across industries. Hybritus, which integrates the strategies of the ten top websites, was modeled as a multilayer perceptron (MLP) neural network. The MLP was trained and tested on leaked and randomly generated passwords, and its accuracy in classifying passwords into strong, medium and weak labels was 99.5.
Keywords/Search Tags:password, password policy, password strength, password metrics, password checker, neural network