
Revisiting Monte Carlo Strength Evaluation

Martin Stanek

TL;DR

The paper tackles efficient password strength evaluation by ranking passwords under a probabilistic model using the Monte Carlo estimator. It adds three concrete improvements—probability-interval interpolation, reduced probability overlap via sampling, and precomputation-based speedups—and shows that sampling improves precision while interpolation offers mixed benefits; bin-based precomputation yields notable speedups at modest memory costs. The experimental results using a PCFG model trained on RockYou demonstrate meaningful reductions in estimation error with sampling and substantial runtime savings with binning, though gains depend on model characteristics and configuration. Collectively, the work advances practical, scalable strength estimation for password models, enabling faster model comparisons and user feedback in security workflows.

Abstract

The Monte Carlo method, proposed by Dell'Amico and Filippone, estimates a password's rank within a probabilistic model for password generation, i.e., it determines the password's strength according to this model. We propose several ideas to improve the precision or speed of the estimation. Through experimental tests, we demonstrate that improved sampling can yield slightly better precision. Moreover, additional precomputation results in faster estimations with a modest increase in memory usage.
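The estimator the abstract refers to is the one introduced by Dell'Amico and Filippone: sample n passwords from the model, and estimate the rank of a password with probability p as the sum of 1/(n·p_i) over every sampled password whose probability p_i exceeds p. The following is an added example, not code from this paper or from its authors. It uses a constructed toy model (three independent character positions, 64 possible passwords) in place of a real PCFG so that the exact rank can be enumerated and compared with the estimate; "rank" here is taken to mean the number of passwords the model considers strictly more probable, with the most probable password at rank 0. The sorted sample with prefix sums is the standard constant-memory implementation trick, not the bin-based precomputation the paper proposes.

```python
"""Monte Carlo password-rank estimation in the style of Dell'Amico and Filippone.

Added example, not code from the paper.  The toy model below is a constructed
stand-in for a real probabilistic model such as a PCFG: each of the three
character positions is drawn independently from its own categorical
distribution, so the whole password space (4**3 = 64 strings) can be
enumerated and the exact rank compared with the Monte Carlo estimate.
"""
import bisect
import itertools
import random

# Constructed toy model (assumption): per-position symbol probabilities.
TOY_MODEL = [
    {"a": 0.4, "b": 0.3, "c": 0.2, "d": 0.1},
    {"1": 0.4, "2": 0.3, "3": 0.2, "4": 0.1},
    {"!": 0.4, "?": 0.3, "#": 0.2, "$": 0.1},
]


def password_probability(model, pw):
    """Probability the model assigns to pw (0.0 if the model cannot generate pw)."""
    if len(pw) != len(model):
        return 0.0
    p = 1.0
    for dist, ch in zip(model, pw):
        p *= dist.get(ch, 0.0)
    return p


def sample_password(model, rng):
    """Draw one password from the model, one position at a time."""
    return "".join(
        rng.choices(list(dist), weights=list(dist.values()))[0] for dist in model
    )


def exact_rank(model, pw):
    """Number of passwords the model ranks strictly above pw (0 = most likely).

    Only feasible for a toy model; a real model has far too many strings.
    """
    target = password_probability(model, pw)
    count = 0
    for chars in itertools.product(*(list(d) for d in model)):
        if password_probability(model, "".join(chars)) > target:
            count += 1
    return count


class MonteCarloRankEstimator:
    """Estimate rank(p) = #{passwords with probability > p} from a sample.

    With n passwords gamma_1..gamma_n drawn from the model, the estimator is
        rank(p) ~= (1/n) * sum over {i : p(gamma_i) > p} of 1 / p(gamma_i).
    It is unbiased: a password x with p(x) > p is drawn with probability p(x)
    and contributes 1/(n p(x)) on every hit, so its expected contribution is 1/n
    per draw, i.e. exactly 1 over the n draws.
    """

    def __init__(self, model, n_samples, seed=0):
        rng = random.Random(seed)
        probs = [password_probability(model, sample_password(model, rng))
                 for _ in range(n_samples)]
        # Precomputation: sort once and keep prefix sums of 1/(n p_i), so a
        # query is one binary search instead of a pass over the whole sample.
        probs.sort(reverse=True)
        self._neg_probs = [-p for p in probs]  # ascending keys for bisect
        self._cumulative = []
        total = 0.0
        for p in probs:
            total += 1.0 / (n_samples * p)
            self._cumulative.append(total)

    def estimate(self, p):
        """Estimated number of passwords with probability strictly above p."""
        # k = number of sampled passwords with probability > p.
        k = bisect.bisect_left(self._neg_probs, -p)
        return self._cumulative[k - 1] if k > 0 else 0.0


def compare(model, passwords, n_samples=20000, seed=1):
    """Return {password: (exact_rank, monte_carlo_estimate)} for the toy model."""
    est = MonteCarloRankEstimator(model, n_samples, seed)
    return {pw: (exact_rank(model, pw), est.estimate(password_probability(model, pw)))
            for pw in passwords}


if __name__ == "__main__":
    for pw, (exact, approx) in compare(TOY_MODEL, ["a1!", "b2?", "c3#", "d4$"]).items():
        print(f"{pw}: exact rank {exact}, Monte Carlo estimate {approx:.1f}")
```

The variance of the estimate grows with the sum of 1/p_i over the sampled passwords above the query point, so low-probability passwords (high ranks) are estimated less precisely than high-probability ones; that is the regime the paper's sampling and precomputation improvements target.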

Paper Structure (13 sections, 5 equations, 4 figures, 4 tables)

Figures (4)

  • Figure 1: Size of the model as a function of the number of passwords in the training dataset. The graph on the right excludes the Backoff model to show the other three models more clearly.
  • Figure 2: Password ranks corresponding to the position in the sample
  • Figure 3: The simple difference error (on the left) and the relative error (on the right) of the original and the "all" strategy. Both graphs display results for 50,000 of the most probable passwords from the PCFG model. The numbers are the average values from 100 experiments.
  • Figure 4: Comparison of the original rank estimate for a password with the estimate derived from its position among the sampled passwords (denoted as fixed).
