TY - GEN
T1 - Monte Carlo Strength Evaluation
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
AU - Dell'Amico, Matteo
AU - Filippone, Maurizio
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - Modern password guessing attacks adopt sophisticated probabilistic techniques that allow for orders of magnitude fewer guesses to succeed compared to brute force. Unfortunately, best practices and password strength evaluators have failed to keep up: they are generally based on heuristic rules designed to defend against obsolete brute force attacks. Many passwords can only be guessed with significant effort, and motivated attackers may be willing to invest resources to obtain valuable passwords. However, it is eminently impractical for the defender to simulate expensive attacks against each user to accurately characterize their password strength. This paper proposes a novel method to estimate the number of guesses needed to find a password using modern attacks. The proposed method requires few resources, applies to a wide set of probabilistic models, and is characterised by highly desirable convergence properties. The experiments demonstrate the scalability and generality of the proposal. In particular, the experimental analysis reports evaluations on a wide range of password strengths, and of state-of-the-art attacks on very large datasets, including attacks that would have been prohibitively expensive to handle with existing simulation-based approaches.
AB - Modern password guessing attacks adopt sophisticated probabilistic techniques that allow for orders of magnitude fewer guesses to succeed compared to brute force. Unfortunately, best practices and password strength evaluators have failed to keep up: they are generally based on heuristic rules designed to defend against obsolete brute force attacks. Many passwords can only be guessed with significant effort, and motivated attackers may be willing to invest resources to obtain valuable passwords. However, it is eminently impractical for the defender to simulate expensive attacks against each user to accurately characterize their password strength. This paper proposes a novel method to estimate the number of guesses needed to find a password using modern attacks. The proposed method requires few resources, applies to a wide set of probabilistic models, and is characterised by highly desirable convergence properties. The experiments demonstrate the scalability and generality of the proposal. In particular, the experimental analysis reports evaluations on a wide range of password strengths, and of state-of-the-art attacks on very large datasets, including attacks that would have been prohibitively expensive to handle with existing simulation-based approaches.
KW - Monte Carlo
KW - Passwords
KW - Strength
UR - http://www.scopus.com/inward/record.url?scp=84954174840&partnerID=8YFLogxK
U2 - 10.1145/2810103.2813631
DO - 10.1145/2810103.2813631
M3 - Conference contribution
AN - SCOPUS:84954174840
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 158
EP - 169
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 12 October 2015 through 16 October 2015
ER -