RLS-PSM: A Robust and Accurate Password Strength Meter Based on Reuse, Leet and Separation

Qiying Dong; Chunfu Jia; Fei Duan; Ding Wang

Password strength meters (PSMs) are being widely used, but they often give conflicting, inaccurate and misleading feedback, which defeats their purpose. Except for fuzzyPSM, all PSMs assume passwords are newly constructed, which is not true in reality. FuzzyPSM considers password reuse, six major leet transformations and initial capitalization, and performs the best as evaluated by Golla and Dürmuth at ACM CCS’18. On the basis of fuzzyPSM, we propose a new PSM based on Reuse, Leet and Separation, namely RLS-PSM. First, we classify password reuse behaviors into capitalization and those that use special characters for leet or separation, and calculate the corresponding probabilities. Then, to balance efficiency and precision, we use Long Short-Term Memory to calculate the probabilities of alphanumeric strings. Besides, we propose to use benchmark passwords to show the relative strength of a password. Due to the varied impacts of different service types and diversified economic value of websites, we consider parameter settings of RLS-PSM under six different service types. Finally, we use the Monte Carlo method and weighted Spearman coefficient to measure and compare the robustness and accuracy of RLS-PSM, leading PSMs (including Markov-based PSM, PCFG-based PSM, fuzzyPSM, RNN, and Zxcvbn), and password cracking tools (including JtR and Hashcat). We find that the robustness of RLS-PSM is significantly higher than all counterparts when evaluating attempts > 10^4 (e.g., on average, Fraction of Successfully Evaluated passwords of RLS-PSM is 18.9% higher than fuzzyPSM). The accuracy of RLS-PSM is also better than other mainstream PSMs used for comparison in this paper, except for fuzzyPSM.
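The abstract names the weighted Spearman coefficient as its accuracy measure. The sketch below is an added example, not code from the paper or its authors, showing how such a coefficient scores a meter against a reference strength ordering. Assumptions: weights are password occurrence counts, ranks are ordinary average ranks with ties sharing a rank, and all passwords, counts, guess numbers and meter scores are constructed.

```python
from math import sqrt

def average_ranks(values):
    """Rank values ascending (1-based); ties share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks

def weighted_spearman(reference, meter, weights):
    """Weighted Pearson correlation computed on the ranks of both score lists."""
    if not (len(reference) == len(meter) == len(weights)) or len(reference) < 2:
        raise ValueError("need three equally long lists with at least 2 items")
    rx, ry = average_ranks(reference), average_ranks(meter)
    total = float(sum(weights))
    mx = sum(w * x for w, x in zip(weights, rx)) / total
    my = sum(w * y for w, y in zip(weights, ry)) / total
    cov = sum(w * (x - mx) * (y - my) for w, x, y in zip(weights, rx, ry))
    vx = sum(w * (x - mx) ** 2 for w, x in zip(weights, rx))
    vy = sum(w * (y - my) ** 2 for w, y in zip(weights, ry))
    if vx == 0 or vy == 0:
        raise ValueError("a constant ranking has no defined correlation")
    return cov / sqrt(vx * vy)

# Constructed sample: (password, occurrences in a leak, reference guess number)
SAMPLE = [("123456", 900, 1), ("password", 500, 2), ("P@ssw0rd", 40, 35),
          ("dragon_1987", 3, 4200), ("xK9#vLq2", 1, 10**9)]
WEIGHTS = [n for _, n, _ in SAMPLE]
REFERENCE = [g for _, _, g in SAMPLE]
# Two hypothetical meters; a higher score means "stronger".
METER_GOOD = [0.1, 0.2, 1.5, 3.0, 9.0]   # same ordering as the reference
METER_LEET = [0.1, 0.2, 8.0, 3.0, 9.0]   # overrates the leet variant of a common password

def demo():
    return (weighted_spearman(REFERENCE, METER_GOOD, WEIGHTS),
            weighted_spearman(REFERENCE, METER_LEET, WEIGHTS))

if __name__ == "__main__":
    print("good meter: %.3f, leet-blind meter: %.3f" % demo())
```

With equal weights the second meter scores 0.9; frequency weighting changes how much each misordered password costs, which is why the choice of weights has to be stated alongside any reported coefficient.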
