A question for strength estimation

[thomas-li-sjtu]

Hello, I wonder if the result of password strength estimation can be considered as the probability of the password?
For instance, in "1.1231321e-11 123456", the probability of password "123456" is "1.1231321e-11"?
Looking forward to your reply!

[m33x]

No, it's not that simple, I guess Section 3.1 will explain it for you:
https://arxiv.org/pdf/2004.07179.pdf

If you are interested in the overall topic, I suggest to read:

https://www.ieee-security.org/TC/SP2014/papers/AStudyofProbabilisticPasswordModels.pdf

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_melicher.pdf

https://www.mobsec.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2019/05/03/sp19-pwcracking.pdf

[thomas-li-sjtu]

Thanks, I'll read the paper soon.
I hope to apply Monta Carlo strength evaluation : https://dl.acm.org/doi/pdf/10.1145/2810103.2813631 on markov models and that's why I asked the question above. Would you please give some advice on how to generate the probability of a password from your repo?

I just read Section 3.1 and from its description, P(x) can be defined as a joint probability distribution which used to be employed as a good representative for password strength, an atomic interpretation of course. So does "1.1231321e-11" mean P(123456) = 1.1231321e-11 ? Does it work like this in your repo?

[m33x]

This really depends on your settings. See Line 67 and below in meter.py

Simplified it's IP(1) * CP(2) * CP(3) * CP(4) * CP(5) * EP(6).

Why not use their code?

https://github.com/matteodellamico/montecarlopwd

[thomas-li-sjtu]

Oh I see. I'll check whether it is the solution I am looking for. Your guidance is really helpful for new guys in password security like me. Thank you once again and wish you a great day!