Password Guessers Under a Microscope: An In-Depth Analysis to Inform Deployments
This work addresses the need for system administrators to make informed decisions when deploying password checking tools, though it is incremental in nature.
The paper tackles the problem of comparing password guessers by analyzing their guessing abilities and behaviors under various conditions, and finds that combinations of computationally cheap guessers are as effective as computationally intensive ones while being more efficient.
Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, little is known about how different guessers compare to each other. We perform in-depth analyses and comparisons of the guessing abilities and behavior of password guessers. To extend analyses beyond the number of passwords cracked, we devise an analytical framework to compare the types of passwords that guessers generate under various conditions (e.g., limited training data, limited number of guesses, and dissimilar training and target data). Our results show that guessers often produce dissimilar guesses, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective as computationally intensive guessers, but more efficient. Our insights allow us to provide a concrete set of recommendations for system administrators when performing password checking.
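The abstract's framework compares guessers by the passwords they generate rather than only by counts cracked, and evaluates combinations of guessers under a guess budget. The following added example (not code from the paper or its authors) sketches that kind of measurement on constructed data: two hypothetical guessers' ordered guess lists and a small target set are defined inline, and the functions compute per-guesser coverage, Jaccard similarity between guess sets (low values mean dissimilar guesses), and the coverage of a round-robin combination at a fixed budget. The guesser names, guess lists and target set are assumptions made for illustration only.

```python
# Added example, not from the paper: toy version of comparing password
# guessers by the guesses they produce and by the coverage of their
# combination under a guess budget.  All data below is constructed.

from itertools import zip_longest

# Constructed guess lists, ordered by each hypothetical guesser's preference.
GUESSER_A = ["password", "123456", "qwerty", "letmein",
             "iloveyou", "monkey", "dragon", "football"]
GUESSER_B = ["password", "welcome1", "P@ssw0rd", "summer2019",
             "qwerty", "admin123", "hunter2", "Passw0rd!"]

# Constructed target set, standing in for a de-duplicated test split.
TARGET = {"password", "qwerty", "welcome1", "hunter2", "dragon", "summer2019",
          "Tr0ub4dor&3", "football", "admin123", "zxcvbn"}


def coverage(guesses, target, budget=None):
    """Fraction of target passwords hit within the first `budget` guesses
    (all guesses when budget is None)."""
    if budget is not None:
        guesses = guesses[:budget]
    return len(set(guesses) & target) / len(target)


def jaccard(a, b):
    """Similarity of two guess sets: 1.0 means identical, 0.0 means disjoint."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb)


def interleave(*lists):
    """Round-robin merge of ordered guess lists, dropping duplicate guesses
    while preserving the first position at which each guess appears."""
    seen = set()
    merged = []
    for group in zip_longest(*lists):
        for guess in group:
            if guess is not None and guess not in seen:
                seen.add(guess)
                merged.append(guess)
    return merged


def compare(guessers, target, budget):
    """Per-guesser and combined coverage at a fixed guess budget, plus
    pairwise Jaccard similarity of the guess sets."""
    report = {name: coverage(g, target, budget) for name, g in guessers.items()}
    names = list(guessers)
    report["pairwise_jaccard"] = {
        (a, b): round(jaccard(guessers[a], guessers[b]), 3)
        for i, a in enumerate(names) for b in names[i + 1:]
    }
    report["combined"] = coverage(interleave(*guessers.values()), target, budget)
    return report


if __name__ == "__main__":
    guessers = {"A": GUESSER_A, "B": GUESSER_B}
    for budget in (8, 14):
        print(f"budget={budget}: {compare(guessers, TARGET, budget)}")
```

Because the two constructed lists overlap little (Jaccard about 0.14), the combination at a budget of 14 guesses covers 80% of the target set, which neither guesser reaches alone. The budget of 8 illustrates the abstract's "limited number of guesses" condition: round-robin interleaving spends half the budget on each list, so under a tight budget the combination can trail the stronger single guesser, which is why the comparison must be made at the budget an administrator actually intends to run.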