Statistical Metrics for Individual Password Strength

  • Joseph Bonneau
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7622)


We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous “entropy-based” metrics for a large password dataset, which suggest over-fitting in previous metrics.


Statistical Metrics Zipf Distribution Strength Estimate Semantic Evaluation Strength Metrics 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bishop, M., Klein, D.V.: Improving System Security via Proactive Password Checking. Computers & Security 14(3), 233–249 (1995)CrossRefGoogle Scholar
  2. 2.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: SP 2012: Proceedings of the 2012 IEEE Symposium on Security and Privacy (2012)Google Scholar
  3. 3.
    Burr, W.E., Dodson, D.F., Timothy Polk, W.: Electronic Authentication Guideline. NIST Special Publication 800-63 (2006)Google Scholar
  4. 4.
    Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive Password-Strength Meters from Markov Models. In: NDSS 2012: Proceedings of the Network and Distributed System Security Symposium (2012)Google Scholar
  5. 5.
    Clauset, A., Shalizi, C.R., Newman, M.E.J.: Power-Law Distributions in Empirical Data. SIAM Review 51, 661–703 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  6. 6.
    Davies, C., Ganesan, C.: BApasswd: A New Proactive Password Checker. In: Proceedings of the 16th National Computer Security Conference (1993)Google Scholar
  7. 7.
    Dell’Amico, M., Michiardi, P., Roudier, Y.: Password Strength: An Empirical Analysis. In: INFOCOM 2010: Proceedings of the 29th Conference on Information Communications, pp. 983–991. IEEE (2010)Google Scholar
  8. 8.
    Gale, W.A., Sampson, G.: Good-Turing Frequency Estimation Without Tears. Journal of Quantitative Linguistics 2(3), 217–237 (1995)CrossRefGoogle Scholar
  9. 9.
    Just, M., Aspinall, D.: Personal Choice and Challenge Questions: A Security and Usability Assessment. In: SOUPS 2009: Proceedings of the 5th Symposium on Usable Privacy and Security (2009)Google Scholar
  10. 10.
    Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. Technical Report CMU-CyLab-11-008, Carnegie Mellon University (2011)Google Scholar
  11. 11.
    Kelley, P.G., Mazurek, M.L., Shay, R., Bauer, L., Christin, N., Cranor, L.F., Komanduri, S., Egelman, S.: Of Passwords and People: Measuring the Effect of Password-Composition Policies. In: CHI 2011: Proceedings of the 29th ACM SIGCHI Conference on Human Factors in Computing Systems (2011)Google Scholar
  12. 12.
    Narayanan, A., Shmatikov, V.: Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff. In: CCS 2005: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 364–372. ACM (2005)Google Scholar
  13. 13.
    Shannon, C.E.: A Mathematical Theory of Communication. Bell System Technical Journal 7, 379–423 (1948)MathSciNetGoogle Scholar
  14. 14.
    Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering Stronger Password Requirements: User Attitudes and Behaviors. In: SOUPS 2010: Proceedings of the 6th Symposium on Usable Privacy and Security. ACM (2010)Google Scholar
  15. 15.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords. In: CCS 2010: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 162–175. ACM (2010)Google Scholar
  16. 16.
    Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password Cracking Using Probabilistic Context-Free Grammars. In: SP 2009: Proceedings of the 2009 IEEE Symposium on Security and Privacy, pp. 391–405. IEEE (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Joseph Bonneau
    • 1
  1. 1.University of CambridgeUK

Personalised recommendations