Local Password Validation Using Self-Organizing Maps
The commonly used heuristics to promote password strength (e.g. minimum length, forced use of alphanumeric characters, etc.) have been found considerably ineffective and, what is worse, often counterproductive. When coupled with the predominance of dictionary-based attacks and leaks of large password data sets, this situation has led, in recent years, to the idea that the most useful criterion on which to classify the strength of a candidate password is the frequency with which it has appeared in the past.
Maintaining an updated and representative record of past password choices does, however, require the processing and storage of high volumes of data, making the schemes thus far proposed centralized. Unfortunately, requiring that users submit their chosen candidate passwords to a central engine for validation may have security implications and does not allow offline password generation. Another major limitation of the currently proposed systems is the lack of generalisation capability: a password similar to a common password is usually considered safe.
In this article, we propose an algorithm which addresses both limitations. It is designed for local operation, avoiding the need to disclose candidate passwords, and is focused on generalisation, recognizing as dangerous not only frequently occurring passwords, but also candidates similar to them. An implementation of this algorithm is released in the form of a Google Chrome browser extension.
Keywords: password validation, dictionary attacks, self-organizing maps