On the Accuracy of Password Strength Meters
Date: October 2018
Publication: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18)
Page(s): 1567 - 1582
Source 1: https://password-meter-comparison.org/files/ccsf285-finalv3.pdf
Source 2: https://www.ei.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2018/09/10/ccsf285-finalv2.pdf
Source 3: https://doi.org/10.1145/3243734.3243769 - Subscription or payment required
Abstract or Summary:
Password strength meters are an important tool to help users choose secure passwords. Strength meters can only then provide reasonable guidance when they are accurate, i.e., their scores correctly reflect password strength. A strength meter with low accuracy may do more harm than good and guide the user to choose passwords with a high score but low actual security. While a substantial number of different strength meters is proposed in the literature and deployed in practice, we are lacking a clear picture of which strength meters provide high accuracy, and thus are most helpful for guiding users. Furthermore, we lack a clear understanding of how to compare accuracies of strength meters. In this work, (i) we propose a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, (ii) we use these properties to select a suitable measure that can determine the accuracy of strength meters, and (iii) we use the selected measure to compare a wide range of strength meters proposed in the academic literature, provided by password managers, operating systems, and those used on websites. We expect our work to be helpful in the selection of good password strength meters by service operators, and to aid the further development of improved strength meters.
PasswordResearch.com Note: Project page: https://password-meter-comparison.org/static/index.php Video of presentation: https://www.youtube.com/watch?v=rx-_RTYSz1g