Overview
Explore a groundbreaking approach to password strength estimation in this 32-minute USENIX Security '16 conference talk. Delve into the limitations of traditional LUDS-based password requirements (rules that count lowercase letters, uppercase letters, digits and symbols) and discover zxcvbn, a more effective and user-friendly alternative. Learn how this small, fast, and easily adoptable estimator accurately predicts password strength using leaked password data and modern guessing attacks. Understand the technical aspects of zxcvbn's implementation, including its compressed storage capabilities, cross-platform compatibility, and millisecond-level performance. Gain insights into the estimator's effectiveness in mitigating online attacks and its potential to revolutionize password security practices across various platforms.
Syllabus
Intro
Verizon Wireless: Password Requirements
Password Policy: Frozen in 1979
Inconsistent Requirements
Inconsistent Feedback (Input: correcthorsebatterystaple)
Threat Model
Core estimator: minimum rank over top lists (Input: wheeler)
Word transformations
Keyboard patterns
Sequence Patterns
Outline for today
Gold standard: PGS
Training data
Test data
Estimator size?
Minimum rank only?
Runtime Performance
Conclusion
Give it a try!
Proposal: keep UI simple
Taught by
USENIX