HW 3: Password Meter
In this study, you will design your own password meter. You should implement your password meter and feedback tool.
You should upload two seperate files to blackboard. One should be a zip file and one should be a PDF file
[LAST-NAME]-[GWID]-HW3-part-1-2-code.zip
[LAST-NAME]-[GWID]-HW3-part-3.pdf
Where [LAST-NAME]
is replaced with your last name (including replacing the []
), [GWID]
is replaced with your GWID (including replacing the []
). Note that your GWID
should include the G
portion (as a capital letter).
For the zip file, you should start by creating a folder called [LAST-NAME]-[GWID]-HW3-part-1-2
. In that directory, create two subdirectories, part-1
and part-2
. Note that to test each part, we will simply change into the directory and run your program.
All programs should be implemented in python. If you are unfamiliar with python, you should be able to pick it up quickly.
Part 0: Download required files
-
Download the /usr/shar/dict/words
-
Download the phpbb-withcounts and unzip the file. This contains a formatted file with real leaked passwords and how frequently they appeared in the dataset.
Maybe create a vscode environment for them to download and use with python already installed?
Part 1: Class Based Feedback (30pts)
In the part-1
directory, implement a program meter.py
that uses a basic character class password meter. Your program, should prompt the user for a password and provide it a numeric strength between 0-10 (where 10 is strongest) with up to two significant digits after the decimal. For example:
Password: monkey2024!
Strength: 5.21
Note, the strength is made up, you may come up with different strength values.
For this version, you should only use character classes and password length to make a determination, and the formula you use is entirely up to you. The character classes you should consider are:
- Lower Case
- Upper Case
- Numerics
- Special Characters
- Length
In a file called README.md
in your part-1
directory, describe your meter and its calculation. Provide 20 example passwords and their calculation using the meter
Note we should be able to run your program by executing
python3 meter.py
in thepart-1
directory.
Part 2: Accuracy (30 pts)
As noted in class, character class based password meters do not reflect the kind of password strength that is valuable. A more relevant metric is to determine how easily guessable a password is, that is, how many guesses would it take an attacker to guess that password. To determine the quality of your meter, we will compare it to a basic guessing metric.
Start by creating a directory called part-2
and copy in your prior work and the phpbb leaked password set. Note that this data is already organized by frequency of passwords, which provides a very simple metric of strength. The more frequent, the weaker the password. For example, an attacker with this knowledge of passwords frequency would guess the most common password first, thus rendering the most frequent the weakest and most guessable and least frequent the strongest.
To evaluate the performance of your meter, first process all the passwords in the phpbb leaked data set and then sort them from weakest to strongest. For consistency, break ties based on alphabetic ordering of the password. Then do the same for the phpbb leaked data set by its frequency, again breaking ties based on the alphabetic ordering. (Note that phpbb is ordered by frequency, but passwords of the same frequency may not be arranged alphabetically.)
With both lists in hand, you can compute a rank similarity statistics to see how similar the rankings are. It’s been shown that Spearman Rank Coefficient does this best. Fortunately, there’s an implementation in python using scipy. (Note, you may need to install scipy on your computer). The output of the calculation is the similarity metric, the closer to 1 the more similar, and a p-value to indicate the significance of the similarity (values <0.05 are considered significant).
Place your code for computation and a README.md
file in the directory called part-2
. In the README.md
report on the metric and the p-value, as well as provide some description of how accurate you think your meter is with this guessability metric (1-2 paragraphs).
Part 3: Designing a better meter (40 pts)
Fortunately, there exists a very good tool for calculating the guessing metric of a password quickly called zxcvbn
. I’ve taken an implementation of it and hosted it on this page so that you can get a sense of the kind of feedback it provides. There’s also documentation here to describe the metrics in the json object displayed below.
Using this information, create a wire-frame markup (in color!) of how you would design a meter and the kind of feedback you want to give to a user. Be sure to annotate your wireframe so the design is understabale. Note that feedback can really be anything you can think of: images, emojis, you name it. You should provide three wireframes – one for a password that is weak, one that is ok but could be stronger, and one that is sufficient.
Create a document with your wire frames and 2-3 paragraphs describing your design process and reasoning. Export it to a pdf and name it [LAST-NAME]-[GWID]-HW3-part-3.pdf
for submission.