I’ve written here on several occasions about the problems of passwords as a user authentication mechanism, especially as the sole authentication mechanism. There is ongoing interest in alternative methods; DARPA, for example, is sponsoring research into the use of biometric and other personal characteristics. In an attempt to shore up the basic password technique, many Internet sites now have password strength checkers on their sign-up pages. The idea is to prevent the user from choosing an easily-guessed password; often, the checker works on the basis of a set of rules that are intended to produce “good” passwords.
According to an article at New Scientist, a group of European researchers, from INRIA in France and the Ruhr-University Bochum in Germany, have come up with a new type of password checker that they claim does a better job of detecting weak passwords than conventional approaches. In their paper, “Adaptive Password Strength Meters from Markov Models” [PDF], they propose a strength meter based on Markov processes. Since these models are adaptive, their parameters can be tailored to the language and context of the password. The models also look at the relative likelihood of the substrings of characters within the password, based on the characteristics of passwords seen so far. For example, the character strings ‘qwerty’ and ‘password’ are theoretically no more likely than other alphabetic strings of the same length, and the first is not in the dictionary. In environments where the rule requires that the password contain a number, we will find many instances of passwords like ’123456′ and ‘abc123′.
This is a fairly clever way of getting around some of the limitations of checking based on a static rule set. After all, the Bad Guys don’t use all the words in the dictionary as potential passwords because it provides a good word sample from the viewpoint of information theory; they use them because they think many people will choose one of those words as a password. Any attacker with sense will augment the dictionary’s word list with a list of other strings that people commonly use. So the new approach has the potential to provide a better indication of “real world” password strength in context. The researchers compare their technique to the existing password strength checkers from NIST, Microsoft, and Google, and find that they get better results, testing against large databases of “leaked” passwords/
So the technique has promise, but password strength is just one aspect of security; it has no effect, for example, on the effectiveness of keystroke loggers or social engineering attacks. For overall security, we need to think about the whole set of potential threats, not just the ones that are easiest to analyze.