Machine Learning Helps Pick Better Passwords
We set passwords all the time – chances are you created a new one today as well. But the truth is that we are especially bad at choosing good passwords.
What is better?
The main characteristic of a ‘good’ password is that it should not be guessable. You are always reminded that you should not use your phone number, birthday, or driving license number as the password.
Furthermore, it should be what we call leak resistant. Suppose an adversary manages to recover part of the password; the password should be chosen so that the adversary still cannot ‘guess’ the remaining part from it.
Most websites use what is known as a ‘blocklist’: a collection of ‘bad passwords’ that people commonly pick, for example a run of zeros or some other repeated digit sequence. Blocklists usually do a decent job of preventing people from picking excessively guessable patterns. But can we do better?
The research
Neural networks can do a good job of estimating the strength of a password and detecting weak ones, according to a group of researchers from Carnegie Mellon University. The paper suggests neural networks could be used to learn the attackers’ guessing approaches and to enforce good password strength.
Their work is based on a previous study done by a group of researchers from the same university. The earlier researchers created a password strength meter that was trained on a set of passwords.
The biggest advantage of such an approach is that you do not need to maintain a big, bulky blocklist containing hundreds of thousands of complicated sequences of letters, numbers, and symbols.
How is it evaluated?
The researchers performed a series of tests to evaluate the strength of the passwords produced under different policies. They found that merely requiring 12 characters and meeting the neural network’s recommendation resulted in good passwords with sufficient strength.
One interesting finding was that it did not require the user to mix different cases, numbers, and symbols, which is a very common requirement. Attackers have come a long way in guessing passwords even when they mix different classes of characters (letters, digits, and symbols), so forcing such mixtures adds little real security.
Previously, not many 3- or 4-class passwords were available to threat actors. But recently a lot of personal data has been leaked, so attackers now have access to large datasets of such complex passwords. They can use these passwords to train their own models that effectively guess new passwords.
The aim of the research was to find the sweet spot between ease of use and security. The project gives an indication of what is ‘easily’ guessable and what is not. The researchers concluded that most websites and online services could loosen some of their password restrictions and simplify the whole process without losing much security.
The numerical results suggest that having more character classes in the password does not necessarily make it more secure: the attackers’ success rate remains more or less the same even as the number of classes increases.
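To make the policy described above concrete, here is an added example (not the researchers’ code) of a checker that enforces a 12-character minimum plus a learned guessability estimate instead of character-class rules. The neural network is replaced by a toy character-level bigram model trained on a small constructed list of typical leaked-style passwords, and the blocklist and the 40-bit threshold are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed stand-in for a leaked-password corpus (illustrative strings, not real leak data).
LEAKED_SAMPLE = ["password", "password1", "password123", "123456", "12345678",
                 "qwerty", "letmein", "iloveyou", "welcome1", "admin123",
                 "passw0rd", "Password1!", "summer2020", "football", "monkey"]
BLOCKLIST = {"password", "123456", "qwerty", "letmein"}   # constructed, deliberately tiny


class BigramGuessModel:
    """Character-level bigram model trained on the sample: a toy stand-in for the
    neural network. It scores how 'familiar' a password looks to an attacker model."""

    def __init__(self, corpus, alpha=0.1, alphabet_size=96):   # 95 printable ASCII + end marker
        self.alpha, self.alphabet_size = alpha, alphabet_size
        self.bigrams, self.unigrams = Counter(), Counter()
        for pw in corpus:
            s = "^" + pw + "$"                                  # start / end markers
            for a, b in zip(s, s[1:]):
                self.bigrams[(a, b)] += 1
                self.unigrams[a] += 1

    def bits(self, password):
        """-log2 P(password): roughly log2 of the number of guesses an attacker
        enumerating strings in model-probability order needs to reach it."""
        s = "^" + password + "$"
        total = 0.0
        for a, b in zip(s, s[1:]):                              # additive smoothing for unseen pairs
            p = (self.bigrams[(a, b)] + self.alpha) / (self.unigrams[a] + self.alpha * self.alphabet_size)
            total -= math.log2(p)
        return total


def char_classes(password):
    """Number of character classes used (lower, upper, digit, other): the composition
    rule the study found unnecessary; reported only for comparison, never enforced."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def check_password(password, model, min_len=12, min_bits=40):
    """Policy from the article: minimum length plus a learned guessability check, no class mixing."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if password.lower() in BLOCKLIST:
        return False, "on blocklist"
    b = model.bits(password)
    if b < min_bits:
        return False, f"too guessable: about 2^{b:.0f} guesses"
    return True, f"ok: about 2^{b:.0f} guesses"


if __name__ == "__main__":
    model = BigramGuessModel(LEAKED_SAMPLE)
    for pw in ("Password1!", "password1234", "correct horse battery staple"):
        print(repr(pw), "classes:", char_classes(pw), check_password(pw, model))
```

The 4-class "Password123!" scores far fewer bits than the 2-class passphrase because the model has seen its structure before, which is the page’s point: unfamiliar length beats mandated character mixing.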