Entropy, Vol. 22, Pages 378: Convergence of Password Guessing to Optimal Success Rates (Entropy)

Password guessing is one of the most common methods an attacker will use forcompromising end users. We often hear that passwords belonging to website users have beenleaked and revealed to the public. These leaks compromise the users involved but also feed thewealth of knowledge attackers have about users’ passwords. The more informed attackers are aboutpassword creation, the better their password guessing becomes. In this paper, we demonstrate usingproofs of convergence and real-world password data that the vulnerability of users increases as aresult of password leaks. We show that a leak that reveals the passwords of just 1% of the usersprovides an attacker with enough information to potentially have a success rate of over 84% whiteming to compromise other users of the same website. For researchers, it is often difficult to quantifythe effectiveness of guessing strategies, particularly when guessing different datasets. We construct amodel of password guessing that can be used to offer visual comparisons and formulate theoremscorresponding to guessing success.