Password Strength Estimators Trained on the Leaked Password Lists

  • Cameron R. Schafer
  • Lei PanEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1116)


Passwords currently are and will be used as the main authentication mechanism across online applications for the foreseeable future. Estimating the strength of a user’s password gives the user a valuable insight into the strength or weakness of their chosen passwords. Current password strength estimators, when giving an estimate on a password’s strength, often fail to consider the plethora of leaked lists at an attacker’s disposal. This research investigates the effect of training a password strength estimator on a leaked list of 14.3 million passwords, all of which are commonly used in the password cracking world and then observing the effect that it has on the estimation of a password’s strength. Through modifying the trained dictionary lists that the zxcvbn classifier is fed, an estimate that accounts for the leaked list was achieved. Our empirical results show that there is a clear need to include leaked passwords in the password strength estimation process and that the accuracy of the estimator should not be sacrificed in order to provide a faster service.


Password strength estimation Leaked passwords Password dictionary Multi-factor authentication 


  1. 1.
    Aloul, F., Zahidi, S., El-Hajj, W.: Two factor authentication using mobile phones. In: 2009 IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2009, pp. 641–644. IEEE (2009)Google Scholar
  2. 2.
    Burr, W., et al.: Nist special publication 800–63-2: Electronic authentication guideline. Technical report, National Institute of Standards and Technology (2013)Google Scholar
  3. 3.
    Password guessability service. Accessed 06 July 2019
  4. 4.
    Dropbox landing. Accessed 06 July 2019
  5. 5.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th international Conference on World Wide Web, pp. 657–666. ACM (2007)Google Scholar
  6. 6.
    Florêncio, D., Herley, C., Coskun, B.: Do strong web passwords accomplish anything? HotSec 7(6), 159 (2007) Google Scholar
  7. 7.
  8. 8.
    Grassi, P.A., et al.: NIST specification 800-63B. In: Digital Identity Guidelines (2017). Accessed 06 July 2019Google Scholar
  9. 9.
    Hashcat. Accessed 06 July 2019
  10. 10.
    Herley, C., Van Oorschot, P.: A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. 10(1), 28–36 (2012)CrossRefGoogle Scholar
  11. 11.
    Huang, C.Y., Ma, S.P., Chen, K.T.: Using one-time passwords to prevent password phishing attacks. J. Netw. Comput. Appl. 34(4), 1292–1301 (2011)CrossRefGoogle Scholar
  12. 12.
    John the ripper (JtR). Accessed 06 July 2019
  13. 13.
    Two factor auth (2FA). Accessed 06 July 2019
  14. 14.
    Li, Z., He, W., Akhawe, D., Song, D.: The emperor’s new password manager: security analysis of web-based password managers. In: USENIX Security Symposium, pp. 465–479 (2014)Google Scholar
  15. 15.
    WPA2 krack. Accessed 06 July 2019
  16. 16.
    Melicher, W., et al.: Fast, lean, and accurate: modeling password guessability using neural networks. In: USENIX Security Symposium, pp. 175–191 (2016)Google Scholar
  17. 17.
    Radhappa, H., Pan, L., Zheng, J.X., Wen, S.: Practical overview of security issues in wireless sensor network applications. Int. J. Comput. Appl. 40(4), 202–213 (2018). Scholar
  18. 18.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: USENIX Security Symposium, pp. 17–32, Baltimore, MD, USA (2005)Google Scholar
  19. 19.
    Rubin, A.D.: Independent one-time passwords. Comput. Syst. 9(1), 15–27 (1996)MathSciNetGoogle Scholar
  20. 20.
    Schaub, F., Deyhle, R., Weber, M.: Password entry usability and shoulder surfing susceptibility on different smartphone platforms. In: Proceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia, p. 13. ACM (2012)Google Scholar
  21. 21.
    Rockyou leak. Accessed 06 July 2019
  22. 22.
    Ur, B., et al.: Measuring real-world accuracies and biases in modeling password guessability. In: USENIX Security Symposium, pp. 463–481 (2015)Google Scholar
  23. 23.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 162–175. ACM (2010)Google Scholar
  24. 24.
    Weir, M., Aggarwal, S., De Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 391–405. IEEE (2009)Google Scholar
  25. 25.
    Wheeler, D.L.: zxcvbn: low-budget password strength estimation. In: USENIX Security Symposium, pp. 157–173 (2016)Google Scholar
  26. 26.
    XKCD comic - password memorability. Accessed 06 July 2019
  27. 27.
    zxcvbn github: Low-budget password strength estimation. Accessed 06 July 2019

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.InfoSysDocklandsAustralia
  2. 2.School of ITDeakin UniversityGeelongAustralia

Personalised recommendations