Real Time Password Strength Analysis on a Web Application Using Multiple Machine Learning Approaches
Umar Farooq
Abstract
Passwords, being the most common mechanism for authentication for its easy implementation, pave a way for attackers to break into accounts by guessing passwords. This happens due to predictable patterns that humans usually set these passwords to like dictionary words, known phrases, names of people and places, keyboard patterns, etc. Many password cracking tools have been made to guess passwords either online or offline that mostly results in cracking such accounts with weak passwords or common password patterns. The proposed model provides a common and efficient way to defend against these online and offline attacks by forcing the users to choose a strong password by implementing multiple machine learning algorithms such as Decision Tree (DT), Naïve Bayes (NB), Linear Regression (LR), Random Forest (RF), and Neural Network (NN) on a web application over real time. This results in logging in into user's account only if the password strength from all algorithms happens to be strong. However, while testing the models over the test set the best results were evaluated by Decision Tree with an accuracy of 99% and the lowest by Naïve Bayes with an accuracy of 87%. Using Burp Suite software we performed three types of password cracking attacks like Brute Force Attack, Dictionary Attack, and Reverse Brute Force Attack on our web application. We made 250 accounts wherein 150 accounts contain strong passwords and other left 100 accounts contain weak passwords. The strong passwords that were set for 150 accounts were not cracked with any of these three types of attacks whereas 86 passwords out of all 100 weak passwords were cracked.