Graduate School and Research Center In communication systems

Monte Carlo strength evaluation: Fast and reliable password checking

Dell'Amico, Matteo; Filippone, Maurizio

CCS 2015, 22nd ACM Conference on Computer and Communications Security, October 12-16, 2015, Denver, Colorado, US

Modern password guessing attacks adopt sophisticated probabilistic techniques that allow for orders of magnitude less guesses to succeed compared to brute force. Unfortunately, best practices and password strength evaluators failed to keep up: they are generally based on heuristic rules designed to defend against obsolete brute force attacks. Many passwords can only be guessed with significant effort, and motivated attackers may be willing to invest resources to obtain valuable passwords. However, it is eminently impractical for the defender to simulate expensive attacks against each user to accurately characterize their password strength. This paper proposes a novel method to estimate the number of guesses needed to find a password using modern attacks. The proposed method requires little resources, applies to a wide set of probabilistic models, and is characterised by highly desirable convergence properties. The experiments demonstrate the scalability and generality of the proposal. In particular, the experimental analysis reports evaluations on a wide range of password strengths, and of state-of-the-art attacks on very large datasets, including attacks that would have been prohibitively expensive to handle with existing simulation-based approaches.

Document Doi Bibtex

Title:Monte Carlo strength evaluation: Fast and reliable password checking
Type:Conference
Language:English
City:Denver
Country:UNITED STATES
Date:
Department:Digital Security
Eurecom ref:4711
Copyright: © ACM, 2015. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2015, 22nd ACM Conference on Computer and Communications Security, October 12-16, 2015, Denver, Colorado, US http://dx.doi.org/10.1145/2810103.2813631
Bibtex: @inproceedings{EURECOM+4711, doi = {http://dx.doi.org/10.1145/2810103.2813631}, year = {2015}, title = {{M}onte {C}arlo strength evaluation: {F}ast and reliable password checking}, author = {{D}ell'{A}mico, {M}atteo and {F}ilippone, {M}aurizio}, booktitle = {{CCS} 2015, 22nd {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity, {O}ctober 12-16, 2015, {D}enver, {C}olorado, {US}}, address = {{D}enver, {UNITED} {STATES}}, month = {10}, url = {http://www.eurecom.fr/publication/4711} }
See also: