Password Strength Measurement without Password Disclosure

2019 
One way to encourage users to choose stronger passwords is to measure password strength and give the user feedback. A wide variety of strength measurement methods are in use today, including methods that transmit the password to a remote server during input so that the server can measure its strength. However, the threat posed by sending passwords to an external party during input has not been sufficiently discussed. In this paper, we first survey current password strength measurement methods and clarify how much remote-side strength measurement exists. We then organize the threats of remote strength measurement and show the need for protection against them. As the protection method, we describe the necessity of measuring password strength without disclosing the password, and present three approaches. Furthermore, we discuss the feasibility of each approach and develop a prototype of the most feasible one. We also evaluate the performance and usability of the prototype system. As a result, although basic performance varies with system configuration, the user study shows that usability is not low and that the proposed method is sufficiently practical while reducing the threat.