On the first day of USENIX, there was one talk particularly catching my attention. Daniel Lowe Wheeler from Dropbox talked about a password strength estimation, and he started with the USENIX online account registration, which rates “password” as a fair password, “Password” as good, and “Password1” as strong, while “zjwca” is rated as weak. He argued that, while password guessing has improved over the last 35 years, password policy has not evolved much since 1979. Moreover, there are inconsistent and not always helpful password policies. Two previous studies have found 142 distinct policies on 150 sites and 50 distinct policies on 50 sites, respectively.
To evaluate the estimates, the authors used a large data set consisting of leaked passwords as well as other sources. On this data set, other password strength estimators perform quite badly, overestimating the number of attempts for a lot of passwords that would be found in less than 10^5 tries. A particular offender is NIST entropy, which is completely oblivious to real-world choices such as “password”. In comparison, overestimating happens for very few passwords with zxcvbn.
The software is available on https://github.com/dropbox/zxcvbn, and it is already used by a number of companies, most notably WordPress.