Password Bias Analyzer

November 2024

Background:

Password bias occurs when users create passwords from personal information, cultural references, dates, or common sequences, producing predictable and insecure passwords. This bias leaves passwords susceptible to brute-force and dictionary attacks, since attackers can use these patterns to prioritize their cracking strategies. To evaluate and quantify password bias, we used machine learning models and graphical modeling techniques to analyze passwords based on key security features. Our research compared BERT-based password classification with Zxcvbn, a widely used password strength estimator. Through statistical and graphical analysis, we aimed to understand how the two approaches classify password strength and to identify potential gaps in existing security models.

Our Work:

Feature Analysis: Length, Uppercase, Digits, and Symbols (LUDS)

Security researchers describe password strength as a function of four key features, commonly referred to as LUDS:

  • Length – Longer passwords generally offer stronger security.
  • Uppercase Characters – Using uppercase improves complexity.
  • Digits – Including numbers adds variation.
  • Symbols – Special characters significantly increase entropy.

Using machine learning models, we analyzed how these features contribute to password strength and compared our results with Zxcvbn’s heuristic-based approach.
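The LUDS features listed above, together with the date, sequence and repetition bias patterns named in the Background, computed in Python as an added example (not the project's own code); the weak/neutral/strong thresholds in luds_label, the naive charset-entropy estimate and the sample passwords are assumptions constructed for the illustration.

```python
import math
import re
import string

SYMBOLS = set(string.punctuation)  # the "S" in LUDS: printable non-alphanumerics


def _charset_size(pw: str) -> int:
    # Size of the alphabet the password draws from, one term per character class present.
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (SYMBOLS.__contains__, len(SYMBOLS))]
    return sum(n for test, n in classes if any(test(c) for c in pw))


def _has_sequence(pw: str, run: int = 4) -> bool:
    # Ascending or descending runs of consecutive characters ("1234", "abcd", "dcba").
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def luds_features(pw: str) -> dict:
    """LUDS counts, a naive charset-entropy estimate, and bias-pattern flags."""
    flags = []
    if re.search(r"(19|20)\d{2}", pw):  # year-like digit run, the date bias
        flags.append("year")
    if _has_sequence(pw):
        flags.append("sequence")
    if re.search(r"(.)\1{2,}", pw):  # one character repeated three or more times
        flags.append("repeat")
    n = len(pw)
    return {
        "length": n,
        "uppercase": sum(c.isupper() for c in pw),
        "digits": sum(c.isdigit() for c in pw),
        "symbols": sum(c in SYMBOLS for c in pw),
        # log2(charset ** length): counts only the LUDS alphabet (spaces and other
        # non-LUDS characters add nothing), and knows nothing about dictionary words
        "charset_bits": round(n * math.log2(max(_charset_size(pw), 1)), 1),
        "bias_flags": flags,
    }


def luds_label(f: dict) -> str:
    # Assumed thresholds for the weak/neutral/strong labels; any bias flag caps the label at neutral.
    if f["length"] < 8 or f["charset_bits"] < 40:
        return "weak"
    if f["bias_flags"] or f["length"] < 12:
        return "neutral"
    return "strong"
```

A constructed input such as password1234 still lands at neutral here: LUDS counts carry no dictionary knowledge, which is precisely the gap that Zxcvbn's dictionary matching covers.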

Machine Learning Approach: Fine-Tuning BERT for Password Classification

We fine-tuned BERT (Bidirectional Encoder Representations from Transformers) to classify password strength using real-world password datasets. The BERT model was trained to recognize linguistic patterns in passwords, allowing it to dynamically assess strength rather than rely on predefined heuristic rules like Zxcvbn.

  • Dataset Preprocessing – Labeled passwords as weak, neutral, or strong based on real-world leak databases.
  • Model Training – Used bert-base-cased, fine-tuned with PyTorch & Hugging Face’s Transformers library.
  • Optimization – Applied the AdamW optimizer with a learning rate of 2e-5, training for three epochs.
  • Evaluation Metrics – Used accuracy, precision, recall, and F1-score to compare BERT’s classifications against Zxcvbn’s.

Our BERT model achieved a higher classification accuracy than Zxcvbn, particularly in detecting strong non-dictionary passwords, which Zxcvbn sometimes incorrectly labeled as weak.

Graphical Analysis & Zxcvbn Comparison:

  • Correlation Matrices – Identified relationships between password features and their impact on strength classification.
  • KMeans Clustering – Grouped passwords into clusters to highlight common structures and security flaws.
  • Data Visualization – Used Matplotlib & Seaborn to analyze differences in strength assessment between BERT and Zxcvbn.

Conclusion:

  1. Zxcvbn is effective for detecting dictionary-based weaknesses but fails to adapt to newer password trends.
  2. BERT demonstrated improved detection of novel password structures, particularly randomly generated secure passwords.
  3. Symbol usage and length were statistically the most significant factors in strong passwords, aligning with LUDS security principles.

Our research demonstrated that machine learning models like BERT offer a more flexible and adaptive approach to password strength classification than heuristic-based tools like Zxcvbn. By combining statistical analysis, clustering techniques, and machine learning, we showed how password bias impacts security and how modern AI can improve password strength estimation. We believe that hybrid models combining rule-based heuristics with AI-driven classifications provide a more reliable security assessment.