Hybritus:a password strength checker by ensemble learning from the query feedbacks of websites  被引量：1

作　　者：Yongzhong HE Endalew Elsabeth ALEM Wei WANG 

机构地区：[1]Beijing Key Laboratory of Security and Privacy in Intelligent Transportation,Beijing Jiaotong University,Beijing 100044,China

出　　处：《Frontiers of Computer Science》2020年第3期189-202,共14页中国计算机科学前沿（英文版）

基　　金：supported in part by National Key R&D Program of China(2017YFC0820100.2017YFB0802805);in part by the National Natural Science Foundation of China(Grant No.U1736114).

摘　　要：Password authentication is vulnerable to dictionary attacks.Password strength measurement helps users to choose hard-to-guess passwords and enhance the security of systems based on password authentication.Although there are many password strength metrics and tools,none of them produces an objective measurement with inconsistent policies and different dictionaries.In this work,we analyzed the password policies and checkers of top 100 popular websites that are selected from Alexa rankings.The checkers are inconsistent and thus they may label the same password as different strength labels,because each checker is sensitive to its configuration,e.g.,the algorithm used and the training data.Attackers are empowered to exploit the above vulnerabilities to crack the protected systems more easily.As such,single metrics or local training data are not enough to build a robust and secure password checker.Based on these observations,we proposed Hybritus that integrates different websites'strategies and views into a global and robust model of the attackers with multiple layer perceptron(MLP)neural networks.Our data set is comprised of more than 3.3 million passwords taken from the leaked,transformed and randomly generated dictionaries.The data set were sent to 10 website checkers to get the feedbacks on the strength of passwords labeled as strong,medium and weak.Then we used the features of passwords generated by term frequency-inverse document frequency to train and test Hybritus.The experimental results show that the accuracy of passwords strength checking can be as high as 97.7%and over 94%even if it was trained with only ten thousand passwords.User study shows that Hybritus is usable as well as secure.

关 键 词：PASSWORD password strength password checker neural networks 

分 类 号：TP309[自动化与计算机技术—计算机系统结构] TP181[自动化与计算机技术—计算机科学与技术]