Statistical metrics for individual password strength

Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceedingConference contribution


We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous "entropy-based" metrics for a large password dataset, which suggest over-fitting in previous metrics.

Original languageEnglish (US)
Title of host publicationSecurity Protocols XX - 20th International Workshop, Revised Selected Papers
Number of pages11
StatePublished - 2012
Event20th International Security Protocols Workshop - Cambridge, United Kingdom
Duration: Apr 12 2012Apr 13 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7622 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other20th International Security Protocols Workshop
Country/TerritoryUnited Kingdom

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Statistical metrics for individual password strength'. Together they form a unique fingerprint.

Cite this