Adaptive Password Meters with Unreliable Storage

Open Access
Author:
Heysham, Megan Elizabeth
Graduate Program:
Computer Science and Engineering
Degree:
Master of Science
Document Type:
Master Thesis
Date of Defense:
June 27, 2013
Committee Members:
  • Adam Smith, Thesis Advisor
Keywords:
  • adaptive password meters
  • password meters
  • passwords
  • security
Abstract:
User-chosen passwords continue to be a primary means of authorization on computerized systems. They are a cheap solution that is easy to use and maintain. Unfortunately, when asked to pick a password, most users will choose from the same relatively small pool of all possible strings. Efforts to encourage better selection of passwords include providing guidelines (which are often fulfilled in a predictable manner) and password meters (which are often inaccurate). Password meters should not be seen as a "one size fits all" solution, as different systems see different password distributions, and what is secure on one system may be a very popular choice on another. Due to this variability, password meters that base their score on the existing set of passwords may perform better. For such an adaptive password meter to function, it must have access to some information about the passwords other than their hashed values. This means that the system must store this additional information. This information, if leaked, may compromise users' passwords. In this thesis, we introduce a security model for adaptive password meters, reveal a vulnerability in previous work, and propose and analyze a new scheme for an adaptive password meter. There is currently little published work on adaptive password meters or on their security concerns.