
Russian Technological Journal


Password strength verification based on machine learning algorithms and LSTM recurrent neural networks

https://doi.org/10.32362/2500-316X-2023-11-4-7-15

Abstract

Objectives. One of the most commonly used authentication methods in computer systems, password authentication is susceptible to various attacks including brute-force and dictionary attacks. This susceptibility requires not only the strict protection of user credentials, but also the definition of criteria for increasing a password’s strength to minimize the possibility of its exploitation by an attacker. Thus, an important task is the development of a verifier for checking passwords for strength and prohibiting the user from setting passwords that are susceptible to cracking. The use of machine learning methods to construct a verifier involves algorithms for formulating requirements for password complexity based on lists of known passwords available for each strength category.

Methods. The proposed supervised machine learning algorithms comprise support vector machines, random forest, boosting, and long short-term memory (LSTM) recurrent neural network types. Embedding and term frequency–inverse document frequency (TF-IDF) methods are used for data preprocessing, while cross-validation is used for selecting hyperparameters.

Results. Password strength recommendations and requirements from international and Russian standards are described. The existing methods of password strength verification in various operating systems are analyzed. The experimental results based on existing datasets comprising passwords having an associated level of strength are presented.

Conclusions. An LSTM recurrent neural network is highlighted as one of the most promising areas for building a password strength verifier.

About the Authors

V. V. Belikov
MIREA – Russian Technological University
Russian Federation

Vladimir V. Belikov, Cand. Sci. (Military), Assistant Professor, Department of Information Security, Institute of Artificial Intelligence

78, Vernadskogo pr., Moscow, 119454

 Scopus Author ID 57983605100


Competing Interests:

None



I. A. Prokuronov
SFB Laboratory
Russian Federation

Ivan A. Prokuronov, Cryptographic Analysis Specialist

56/2, Mishina ul., Moscow, 127083


Competing Interests:

None




Supplementary files

1. Configuration file pwquality.conf
Type: Research tools

For citations:


Belikov V.V., Prokuronov I.A. Password strength verification based on machine learning algorithms and LSTM recurrent neural networks. Russian Technological Journal. 2023;11(4):7-15. https://doi.org/10.32362/2500-316X-2023-11-4-7-15



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2782-3210 (Print)
ISSN 2500-316X (Online)