Published January 11, 2024 | Version v1
Publication Open

Analyzing Password Strength: A Combinatorial Entropy Approach

  • Chongqing University of Posts and Telecommunications

Description

Passwords have long served as a primary means for user authentication, facilitating access to restricted resources. The critical concern surrounding passwords lies in their quality or strength—determining how susceptible they are to being "guessed" by unauthorized entities attempting to gain entry by impersonating the legitimate user. In this research, we systematically examine diverse metrics assessing password quality, including a metric proposed within this study. Our investigation involves a comprehensive comparison of the strengths and weaknesses of these metrics, along with an exploration of the interrelationships among them. Furthermore, we present the outcomes of experiments designed to crack a set of passwords with varying quality levels. The results of these experiments demonstrate a notable positive correlation between the difficulty of guessing passwords and their overall quality. To provide a nuanced understanding, we employ a clustering analysis on the set of passwords, considering their quality measures as variables. This analysis reveals distinct groups based on password quality. Moreover, to bolster the strength of our passwords, we introduce the integration of a Combinatorial Entropy Calculation algorithm. This algorithm is designed to enhance password resilience by leveraging combinatorial methods. Through this combined approach, we aim to contribute to the broader discourse on password security and provide insights into developing more robust authentication practices.

Files (788.9 kB)

Analyzing Password StrengthACombinatorialEntropyApproach.pdf
