Password Guessers Under a Microscope: An In-Depth Analysis to Inform Deployments


Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, little is known about how different guessers compare to each other. We perform in-depth analyses and comparisons of the guessing abilities and behavior of password guessers. To extend analyses beyond the number of passwords cracked, we devise an analytical framework to compare the types of passwords that guessers generate under various conditions (e.g., limited training data, a limited number of guesses, and dissimilar training and target data). Our results show that guessers often produce dissimilar guesses, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective as computationally intensive guessers, but more efficient. Our insights allow us to provide a concrete set of recommendations for system administrators performing password checking.
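The abstract's two core measurements, how much the guess lists of two guessers overlap and how many target passwords a fixed guess budget cracks when cheap guessers are combined, can be reproduced on a small scale. The following is an added illustration written for this page; it is not code from the paper or its authors. The two ranked guess lists and the target set are constructed toy data, and the function names (`cracked`, `jaccard`, `interleave`) are this example's own. The point it makes is the one the abstract states: under the same guess budget, two dissimilar guessers interleaved crack more than either alone.

```python
from itertools import zip_longest

# Constructed toy output of two hypothetical guessers, each ranked by the
# guesser's own probability estimate (most likely guess first).
GUESSER_A = ["password", "123456", "qwerty", "letmein",
             "password1", "iloveyou", "admin", "welcome"]
GUESSER_B = ["123456", "12345678", "password", "1234",
             "111111", "123123", "abc123", "monkey"]

# Constructed target set: plaintext passwords whose strength we want to assess.
TARGET = ["password1", "monkey", "qwerty", "hunter2",
          "111111", "letmein", "abc123", "dragon"]


def cracked(guesses, target, budget):
    """Target passwords hit within the first `budget` guesses of one list."""
    return set(guesses[:budget]) & set(target)


def jaccard(guesses_a, guesses_b, budget):
    """Similarity of the first `budget` guesses of two guessers (0 = disjoint, 1 = identical)."""
    a, b = set(guesses_a[:budget]), set(guesses_b[:budget])
    return len(a & b) / len(a | b) if (a | b) else 0.0


def interleave(*guess_lists, budget):
    """Round-robin merge of several ranked guess lists into one list of at most
    `budget` unique guesses, so that the combination is charged the same
    number of guesses as any single guesser it is compared against."""
    merged, seen = [], set()
    for column in zip_longest(*guess_lists):
        for guess in column:
            if guess is None or guess in seen:
                continue
            seen.add(guess)
            merged.append(guess)
            if len(merged) == budget:
                return merged
    return merged


def compare(guess_lists, target, budget):
    """Summary of per-guesser and combined cracking under one guess budget."""
    combined = interleave(*guess_lists, budget=budget)
    return {
        "per_guesser": [len(cracked(g, target, budget)) for g in guess_lists],
        "combined": len(cracked(combined, target, budget)),
        "pairwise_jaccard": jaccard(guess_lists[0], guess_lists[1], budget),
    }


if __name__ == "__main__":
    print(compare([GUESSER_A, GUESSER_B], TARGET, budget=8))
```

With a budget of eight guesses, each toy guesser cracks three of the eight targets, their guess lists share only two entries (Jaccard 2/14), and the interleaved list cracks four. Round-robin interleaving assumes the two rank orderings are comparable; when guessers emit calibrated probabilities, merging by probability instead of by rank is the more faithful combination.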

In International Journal of Information Security (2021).