Table of Contents
Fetching ...

On the Account Security Risks Posed by Password Strength Meters

Ming Xu, Weili Han, Jitao Yu, Jing Liu, Xinyi Zhang, Yun Lin, Jin Song Dong

TL;DR

The paper investigates privacy risks in password strength meters (PSMs), revealing that data-driven meters leak between $10^4$ and $10^5$ trained passwords and that certain rule-based meters expose blocked passwords on the client. It introduces a privacy leakage evaluation framework and demonstrates meter-specific membership inference and password-stealing attacks, notably showing that GAN-based generation can meaningfully increase stolen passwords and that PCFG-based meters are particularly vulnerable due to over-learning. A novel meter-aware attack demonstrates how attackers can exploit leaked used passwords to accelerate compromises on sites using the meter, with concrete gains such as an additional $5.84\%$ compromise for Zxcvbn-using sites within 10 attempts. The work also offers countermeasures, including server-side defenses, privacy-preserving training (e.g., differential privacy, synthetic passwords), and adjustments like temperature scaling to mitigate MIAs, highlighting the need for privacy-preserving meters in real-world deployments.

Abstract

Password strength meters (PSMs) have been widely used by websites to gauge password strength, encouraging users to create stronger passwords. Popular data-driven PSMs, e.g., based on Markov, Probabilistic Context-free Grammar (PCFG) and neural networks, alarm strength based on a model learned from real passwords. Despite their proven effectiveness, the secure utility that arises from the leakage of trained passwords remains largely overlooked. To address this gap, we analyze 11 PSMs and find that 5 data-driven meters are vulnerable to membership inference attacks that expose their trained passwords, and seriously, 3 rule-based meters openly disclose their blocked passwords. We specifically design a PSM privacy leakage evaluation approach, and uncover that a series of general data-driven meters are vulnerable to leaking between 10^4 to 10^5 trained passwords, with the PCFG-based models being more vulnerable than other counterparts; furthermore, we aid in deriving insights that the inherent utility-privacy tradeoff is not as severe as previously thought. To further exploit the risks, we develop novel meter-aware attacks when a clever attacker can filter the used passwords during compromising accounts on websites using the meter, and experimentally show that attackers targeting websites that deployed the popular Zxcvbn meter can compromise an additional 5.84% user accounts within 10 attempts, demonstrating the urgent need for privacy-preserving PSMs that protect the confidentiality of the meter's used passwords. Finally, we sketch some counter-measures to mitigate these threats.

On the Account Security Risks Posed by Password Strength Meters

TL;DR

The paper investigates privacy risks in password strength meters (PSMs), revealing that data-driven meters leak between and trained passwords and that certain rule-based meters expose blocked passwords on the client. It introduces a privacy leakage evaluation framework and demonstrates meter-specific membership inference and password-stealing attacks, notably showing that GAN-based generation can meaningfully increase stolen passwords and that PCFG-based meters are particularly vulnerable due to over-learning. A novel meter-aware attack demonstrates how attackers can exploit leaked used passwords to accelerate compromises on sites using the meter, with concrete gains such as an additional compromise for Zxcvbn-using sites within 10 attempts. The work also offers countermeasures, including server-side defenses, privacy-preserving training (e.g., differential privacy, synthetic passwords), and adjustments like temperature scaling to mitigate MIAs, highlighting the need for privacy-preserving meters in real-world deployments.

Abstract

Password strength meters (PSMs) have been widely used by websites to gauge password strength, encouraging users to create stronger passwords. Popular data-driven PSMs, e.g., based on Markov, Probabilistic Context-free Grammar (PCFG) and neural networks, alarm strength based on a model learned from real passwords. Despite their proven effectiveness, the secure utility that arises from the leakage of trained passwords remains largely overlooked. To address this gap, we analyze 11 PSMs and find that 5 data-driven meters are vulnerable to membership inference attacks that expose their trained passwords, and seriously, 3 rule-based meters openly disclose their blocked passwords. We specifically design a PSM privacy leakage evaluation approach, and uncover that a series of general data-driven meters are vulnerable to leaking between 10^4 to 10^5 trained passwords, with the PCFG-based models being more vulnerable than other counterparts; furthermore, we aid in deriving insights that the inherent utility-privacy tradeoff is not as severe as previously thought. To further exploit the risks, we develop novel meter-aware attacks when a clever attacker can filter the used passwords during compromising accounts on websites using the meter, and experimentally show that attackers targeting websites that deployed the popular Zxcvbn meter can compromise an additional 5.84% user accounts within 10 attempts, demonstrating the urgent need for privacy-preserving PSMs that protect the confidentiality of the meter's used passwords. Finally, we sketch some counter-measures to mitigate these threats.
Paper Structure (26 sections, 4 equations, 11 figures, 12 tables)

This paper contains 26 sections, 4 equations, 11 figures, 12 tables.

Figures (11)

  • Figure 1: Examples of rule-based and probabilistic meters.
  • Figure 2: Over-learning manifestation across data-driven models, where areas with more red dots indicate severe over-learning phenomenon. We show more types of data-driven models on in Figure \ref{['fig:motivations:appendix']} in Appendix \ref{['app:overlearning']}.
  • Figure 3: Overview of the probability-threshold-selection MIA method.
  • Figure 4: F1 scores of membership inference attacks under various expected member ratios.
  • Figure 5: Radar chart of LLM-based evaluator for the characteristics of the inferred passwords.
  • ...and 6 more figures

Theorems & Definitions (1)

  • Definition 1