Password strength verification based on machine learning algorithms and LSTM recurrent neural networks
https://doi.org/10.32362/2500-316X-2023-11-4-7-15
Abstract
Objectives. One of the most commonly used authentication methods in computer systems, password authentication is susceptible to various attacks including brute-force and dictionary attacks. This susceptibility requires not only the strict protection of user credentials, but also the definition of criteria for increasing a password’s strength to minimize the possibility of its exploitation by an attacker. Thus, an important task is the development of a verifier for checking passwords for strength and prohibiting the user from setting passwords that are susceptible to cracking. The use of machine learning methods to construct a verifier involves algorithms for formulating requirements for password complexity based on lists of known passwords available for each strength category.
Methods. The proposed supervised machine learning algorithms comprise support vector machines, random forest, boosting, and long short-term memory (LSTM) recurrent neural network types. Embedding and term frequency–inverse document frequency (TF-IDF) methods are used for data preprocessing, while cross-validation is used for selecting hyperparameters.
Results. Password strength recommendations and requirements from international and Russian standards are described. The existing methods of password strength verification in various operating systems are analyzed. The experimental results based on existing datasets comprising passwords having an associated level of strength are presented.
Conclusions. An LSTM recurrent neural network is highlighted as one of the most promising areas for building a password strength verifier.
About the Authors
V. V. Belikov
Russian Federation
Vladimir V. Belikov, Cand. Sci. (Military), Assistant Professor, Department of Information Security, Institute of Artificial Intelligence
78, Vernadskogo pr., Moscow, 119454
Scopus Author ID 57983605100
Competing Interests:
None
I. A. Prokuronov
Russian Federation
Ivan A. Prokuronov, Cryptographic Analysis Specialist
56/2, Mishina ul., Moscow, 127083
Competing Interests:
None
Supplementary files
1. Configuration file pwquality.conf (37KB)
Type: Research tools
Date: 2023-08-16
For citations:
Belikov V.V., Prokuronov I.A. Password strength verification based on machine learning algorithms and LSTM recurrent neural networks. Russian Technological Journal. 2023;11(4):7-15. https://doi.org/10.32362/2500-316X-2023-11-4-7-15
ISSN 2500-316X (Online)