RLS-PSM: A Robust and Accurate Password Strength Meter Based on Reuse, Leet and Separation

You are here

Top Reasons to Join SPS Today!

1. IEEE Signal Processing Magazine
2. Signal Processing Digital Library*
3. Inside Signal Processing Newsletter
4. SPS Resource Center
5. Career advancement & recognition
6. Discounts on conferences and publications
7. Professional networking
8. Communities for students, young professionals, and women
9. Volunteer opportunities
10. Coming soon! PDH/CEU credits
Click here to learn more.

RLS-PSM: A Robust and Accurate Password Strength Meter Based on Reuse, Leet and Separation

Qiying Dong; Chunfu Jia; Fei Duan; Ding Wang

Password strength meters (PSMs) are being widely used, but they often give conflicting, inaccurate and misleading feedback, which defeats their purpose. Except for fuzzyPSM, all PSMs assume passwords are newly constructed, which is not true in reality. FuzzyPSM considers password reuse, six major leet transformations and initial capitalization, and performs the best as evaluated by Golla and Dürmuth at ACM CCS’18. On the basis of fuzzyPSM, we propose a new PSM based on R euse, L eet and S eparation, namely RLS-PSM. First, we classify password reuse behaviors into capitalization and those that use special characters for leet or separation, and calculate the corresponding probabilities. Then, to balance efficiency and precision, we use Long Short-Term Memory to calculate the probabilities of alphanumeric strings. Besides, we propose to use benchmark passwords to show the relative strength of a password. Due to the varied impacts of different service types and diversified economic value of websites, we consider parameter settings of RLS-PSM under six different service types. Finally, we use the Monte Carlo method and weighted Spearman coefficient to measure and compare the robustness and accuracy of RLS-PSM, leading PSMs (including Markov-based PSM, PCFG-based PSM, fuzzyPSM, RNN, and Zxcvbn), and password cracking tools (including JtR and Hashcat). We find that the robustness of RLS-PSM is significantly higher than all counterparts when evaluating attempts > 10 4 (e.g., on average, Fraction of Successfully Evaluated passwords of RLS-PSM is 18.9% higher than fuzzyPSM). The accuracy of RLS-PSM is also better than other mainstream PSMs used for comparison in this paper, except for fuzzyPSM.

SPS on Twitter

  • CALL FOR PAPERS: The IEEE/ACM Transactions on Audio, Speech, and Language Processing is now accepting submissions f… https://t.co/wkoVBKfE5j
  • DEADLINE EXTENDED: The IEEE Journal of Selected Topics in Signal Processing is now accepting submissions for a Spec… https://t.co/qoRbzFeMLL
  • Our Information Forensics and Security Webinar Series continues on Tuesday, 23 August when Dr. Anderson Rocha prese… https://t.co/q48hnIMfan
  • There is still time to submit your proposal to host the 2023 IEEE Workshop on Automatic Speech Recognition and Unde… https://t.co/y1VxOKiEwb
  • DEADLINE EXTENDED: The IEEE Transactions on Multimedia is now accepting submissions for a Special Issue on Perceivi… https://t.co/2PvWLwoclK

SPS Videos

Signal Processing in Home Assistants


Multimedia Forensics

Careers in Signal Processing             


Under the Radar