CERIAS Security Seminar: Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

The Center for Education and Research in Information Assurance and Security
October 27, 2021
4:30 PM - 5:30 PM


Jeremiah Blocki
Purdue University

Abstract: We introduce password strength information signaling as a novel, yet counter-intuitive, defense mechanism against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the resources he is willing to invest. Our key idea is to have the authentication server store a (noisy) signal about the strength of each user password for an offline attacker to find. Surprisingly, we show that the noise distribution for the signal can often be tuned so that a rational (profit-maximizing) attacker will crack fewer passwords. The signaling scheme exploits the fact that password cracking is not a zero-sum game i.e., the attacker's profit is given by the value of the cracked passwords minus the total guessing cost. Thus, a well-defined signaling strategy will encourage the attacker to reduce his guessing costs by cracking fewer passwords. We use an evolutionary algorithm to compute the optimal signaling scheme for the defender. As a proof-of-concept, we evaluate our mechanism on several password datasets and show that it can reduce the total number of cracked passwords by up to 12% (resp. 5%) of all users in defending against offline (resp. online) attacks. Joint work with Wenjie Bai and Ben Harsha

About: I am an Assistant Professor in Computer Science at Purdue University. Broadly, my research interests include cryptography, data privacy and security. I like to describe myself as a theoretical computer scientist who is interested in applying fundamental ideas from computer science to address practical problems in usable privacy and security. I am especially interested in developing usable and secure authentication protocols for humans. Are there easy ways for humans to create and remember multiple strong passwords? Can we design secure cryptographic protocols that are so simple that can be run by a human? Prior to joining Purdue I completed my PhD on Usable Human Authentication at Carnegie Mellon University where I was fortunate to be advised by Manuel Blum and Anupam Datta. I also spent a year at Microsoft Research New England as a postdoc.

The weekly security seminar has been held every semester since spring of 1992. We invite personnel at Purdue and visitors from outside to present on topics of particular interest to them in the areas of computer and network security, computer crime investigation, information warfare, information ethics, public policy for computing and security, the computing "underground," and other related topics. More info

Contact Details

Event Website


Add to calendar