Local Password Validation Using Self-Organizing Maps

  • Diogo Mónica
  • Carlos Ribeiro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)


The commonly used heuristics to promote password strength (e.g. minimum length, forceful use of alphanumeric characters, etc) have been found considerably ineffective and, what is worst, often counterproductive. When coupled with the predominancy of dictionary based attacks and leaks of large password data sets, this situation has led, in later years, to the idea that the most useful criterion on which to classify the strength of a candidate password, is the frequency with which it has appeared in the past.

Maintaining an updated and representative record of past password choices does, however, require the processing and storage of high volumes of data, making the schemes thus far proposed centralized. Unfortunately, requiring that users submit their chosen candidate passwords to a central engine for validation may have security implications and does not allow offline password generation. Another major limitation of the currently proposed systems is the lack of generalisation capability: a password similar to a common password is usually considered safe.

In this article, we propose an algorithm which addresses both limitations. It is designed for local operation, avoiding the need to disclose candidate passwords, and is focused on generalisation, recognizing as dangerous not only frequently occurring passwords, but also candidates similar to them. An implementation of this algorithm is released in the form of a Google Chrome browser extension.


password validation dictionary attacks self-organizing maps 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Clair, L.S., Johansen, L., Enck, W., Pirretti, M., Traynor, P., McDaniel, P., Jaeger, T.: Password exhaustion: Predicting the end of password usefulness. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 37–55. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Castelluccia, C., Durmuth, M., Perito, D.: Adaptive password-strength meters from markov models. In: NDSS. The Internet Society (2012)Google Scholar
  3. 3.
    Spafford, E.H.: Opus: Preventing weak password choices. Computers & Security (1992)Google Scholar
  4. 4.
    Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks. In: Proceedings of the 5th USENIX Conference on Hot Topics in Security, HotSec 2010. USENIX Association, Berkeley (2010)Google Scholar
  5. 5.
    Hashcat password recovery tool (2013),
  6. 6.
    Haykin, S.: Neural Networks: A Comprehensive Foundation, 2nd edn. Prentice Hall PTR, Upper Saddle River (1998)Google Scholar
  7. 7.
    Kohonen, T.: Neurocomputing: Foundations of research. MIT Press, Cambridge (1988)Google Scholar
  8. 8.
    Boriah, S., Chandola, V., Kumar, V.: Similarity measures for categorical data: A comparative evaluation. In: Proceedings of the Eighth SIAM International Conference on Data MiningGoogle Scholar
  9. 9.
    Huang, Z.: Extensions to the k-means algorithm for clustering large data sets with categorical values (1998)Google Scholar
  10. 10.
    Indyk, P., Motwani, R.: Approximate nearest neighbors: Towards removing the curse of dimensionality. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, STOC 1998. ACM, New York (1998)Google Scholar
  11. 11.
    He, K., Wen, F., Sun, J.: K-means hashing: An affinity-preserving quantization method for learning binary compact codes. In: Proceedings of the 2013 IEEE Conference on Computer Vision and Pattern Recognition. IEEE Computer Society, Washington, DC (2013)Google Scholar
  12. 12.
    Boufounos, P., Rane, S.: Secure binary embeddings for privacy preserving nearest neighbors. In: Proceedings of the 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011. IEEE Computer Society, Washington, DC (2011)Google Scholar
  13. 13.
    Datar, M., Immorlica, N., Indyk, P., Mirrokni, V.S.: Locality-sensitive hashing scheme based on p-stable distributions. In: Proceedings of the Twentieth Annual Symposium on Computational Geometry, SCG 2004. ACM, New York (2004)Google Scholar
  14. 14.
    Rockyou list of leaked passwords (2013),
  15. 15.
    Cormode, G., Muthukrishnan, S.: An improved data stream summary: The count-min sketch and its applications. J. Algorithms (April 2005)Google Scholar
  16. 16.
    Kohonen, T.: Fast evolutionary learning with batch-type self-organizing maps. Neural Process (April 1999)Google Scholar
  17. 17.
    Fort, J.C., Letremy, P., Cottrell, M.: Advantages and drawbacks of the batch kohonen algorithm. In: Verleysen, M. (ed.) ESANN (2002)Google Scholar
  18. 18.
    John the ripper password cracking tool,
  19. 19.
    Openwall wordlist collection,

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Diogo Mónica
    • 1
  • Carlos Ribeiro
    • 1
  1. 1.INESC-ID, Instituto Superior TécnicoUniversidade de LisboaLisboaPortugal

Personalised recommendations