A Canonical Password Strength Measure
This addresses a foundational gap in password security for users and systems, though it appears incremental as it builds on existing attack models.
The paper tackles the lack of a proper definition for password strength by proposing a canonical measure based on guessing attack efficiency, demonstrating the necessity of considering attacker strategies.
We notice that the "password security" discourse is missing the most fundamental notion of the "password strength" -- it was never properly defined. We propose a canonical definition of the "password strength", based on the assessment of the efficiency of a set of possible guessing attack. Unlike naive password strength assessments our metric takes into account the attacker's strategy, and we demonstrate the necessity of that feature. This paper does NOT advise you to include "at least three capital letters", seven underscores, and a number thirteen in your password.