Password guessers are instrumental for assessing the strength of passwords.
Despite their diversity and abundance, little is known about how different
guessers compare to each other. We perform in-depth analyses and comparisons of
the guessing abilities and behavior of password guessers. To extend analyses
beyond number of passwords cracked, we devise an analytical framework to
compare the types of passwords that guessers generate under various conditions
(e.g., limited training data, limited number of guesses, and dissimilar
training and target data). Our results show that guessers often produce
dissimilar guesses, even when trained on the same data. We leverage this result
to show that combinations of computationally-cheap guessers are as effective as
computationally intensive guessers, but more efficient. Our insights allow us
to provide a concrete set of recommendations for system administrators when
performing password checking.

By admin