Neural Networks Help Users Pick More-Secure Passwords

Typically, blocklists are used to prevent users from picking easily guessable patterns, but research shows a small neural network can do the same job, suggesting that complex password requirements are not necessary.

Neural networks trained to learn attackers' approaches to brute-force password guessing can be used to enforce minimal password security without resorting to large blocklists and cumbersome combinations of letters, numbers, and special symbols, a research team at Carnegie Mellon University concludes in a new paper.


Using a neural network model built into a password-strength meter and recruiting users through Amazon's Mechanical Turk, the researchers at CMU's CyLab Security and Privacy Institute evaluated a series of different password recommendations, from eight-character passwords using a single class (letters, for example) to 16-character passwords using four classes — lowercase letters, uppercase letters, numbers, and symbols — as well as different blocklists. The researchers found that just requiring 12 characters of a single class and meeting the neural network's recommendations resulted in hard-to-crack passwords that should be sufficient for most uses.


Interestingly, requiring that users combine different cases, numbers, and symbols is not necessary, says Lujo Bauer, professor of electrical and computer engineering at CMU's Institute for Software Research. Attackers' current tools have become pretty good at guessing passwords that consist of the four classes of characters, making any benefit marginal, he says. 
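As an added illustration (not code from the CMU paper or the article), the sketch below contrasts a four-class composition rule with a 12-character minimum plus a guessability score. A character-bigram model trained on a constructed password list stands in for the researchers' neural network; the list, the `MIN_BITS` threshold and all function names are assumptions.

```python
import math
from collections import Counter

# Constructed stand-in for a leaked-password training set (not real breach data).
LEAKED = [
    "password", "password1", "Password1", "Password1!", "123456", "12345678",
    "qwerty", "qwerty123", "letmein", "iloveyou", "welcome123!", "Welcome1!",
    "admin123", "monkey", "dragon", "sunshine", "football", "P@ssw0rd",
    "abc123", "princess",
]
ALPHABET_SIZE = 95   # printable ASCII, used for add-one smoothing
MIN_LENGTH = 12      # the length requirement the article reports
MIN_BITS = 75.0      # constructed threshold, calibrated only for this toy model

def char_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def train(corpus):
    """Count character bigrams, with a NUL marking the start of each password."""
    pairs, prevs = Counter(), Counter()
    for word in corpus:
        prev = "\x00"
        for ch in word:
            pairs[prev, ch] += 1
            prevs[prev] += 1
            prev = ch
    return pairs, prevs

def guess_bits(pw, model):
    """Surprisal of pw under the bigram model; lower means easier to guess."""
    pairs, prevs = model
    bits, prev = 0.0, "\x00"
    for ch in pw:
        p = (pairs[prev, ch] + 1) / (prevs[prev] + ALPHABET_SIZE)
        bits -= math.log2(p)
        prev = ch
    return bits

def accept(pw, model):
    """One class is enough: require length plus a minimum model score."""
    return len(pw) >= MIN_LENGTH and guess_bits(pw, model) >= MIN_BITS

MODEL = train(LEAKED)

if __name__ == "__main__":
    for pw in ("Password123!", "vkqzhgbwmxrj"):
        print(pw, char_classes(pw), round(guess_bits(pw, MODEL), 1), accept(pw, MODEL))
```

Here `Password123!` satisfies a four-class, 12-character rule yet scores as easy to guess because every character transition appears in the training list, while the single-class `vkqzhgbwmxrj` is accepted.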


"In part, because previously there were many fewer three- and four-class passwords that had been leaked and were available to attackers, [it had been] harder for attackers to develop ways of guessing those passwords effectively," Bauer says. "Now that there have been many such passwords leaked, it's much easier to train an algorithm to guess them." 


The research is about finding the best balance between usability and security for passwords. The re ..
