A Novel Metric for Password Security Risk Against Dictionary Attacks

Abstract

Passwords are still the most used method of user authentication in the usage of information systems, and they have an important role in practical security. Despite the fact that researchers have discovered various vulnerabilities in the usage of passwords, this authentication method is still frequently used. The main issue with passwords is their quality or strength, i.e., how hard they can be guessed by an attacker, and there are various password strength metrics have been proposed so far. In this paper, we propose a new metric for password strength that takes into account the risk of dictionary attacks. We create datasets from leaked password lists and regard them as Markov information sources. Then we calculate the password self-information and compare it to the threshold value we specified to determine the password strength. With this numerical value, we can know how risky a password has against dictionary attacks, and can easily compare the strength of several passwords. Through experimental results, we show that our method is very effective, does not require huge computational resources, and can effectively help users create stronger passwords.