If users are allowed to choose their own passwords, they often choose ones that attackers can find in a dictionary of common passwords. As a countermeasure, a computer system can check a password at the moment the user chooses it and force a non-dictionary choice. Rather than store a large dictionary, the authors suggest using a decision tree representation that may reject some non-dictionary passwords (one or two percent) but is much faster to use and requires only three percent as much space. The approach applies artificial intelligence classification techniques, and it is evaluated and compared with other approaches in experiments with a large dictionary.
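The following is an added illustration of the idea described above, not code from the reviewed paper: a small ID3-style decision tree is trained on a few boolean attributes of each password (digits, symbols, mixed case, vowel density, length) to decide "dictionary-like or not", so that the system keeps the tree rather than the word list. The dictionary, the non-dictionary passwords, the held-out set and the five attributes are all constructed for the example and are not the paper's data or feature set; the toy does not reproduce the paper's size and error figures, but it does show the tradeoff the review mentions: a random but vowel-poor lowercase string that happens to share its attributes with a dictionary word is falsely rejected.

```python
import math
from collections import Counter

# Constructed sample dictionary (placeholder for the paper's large real dictionary).
DICTIONARY = ["password", "letmein", "sunshine", "iloveyou", "football", "abc123",
              "trustno1", "Password1", "welcome123", "letmein!", "Dragon", "qwerty"]

# Constructed non-dictionary passwords a policy should accept.
NON_DICTIONARY = ["x7Qp!2Lw", "Kf9#mTz1", "rtz4kqp", "bvKxmQzt", "9#wq%2kz", "Zq2&hY6pXw",
                  "mkt*zr", "Hb5%zR7f", "pl7xq", "Qwz!Lp", "xkv@3gh", "Tzp9kwvLmq"]

# Constructed held-out non-dictionary passwords used to estimate the false-reject rate.
HELD_OUT = ["xkqzvprtw", "ys7pqk", "Gh4#tzk", "bqz%Wm"]

FEATURE_NAMES = ["has_digit", "has_symbol", "mixed_case", "vowel_rich", "long"]


def features(pw):
    """Map a password to boolean attributes (illustrative choices, not the paper's)."""
    letters = [c for c in pw if c.isalpha()]
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return {
        "has_digit": any(c.isdigit() for c in pw),
        "has_symbol": any(not c.isalnum() for c in pw),
        "mixed_case": any(c.islower() for c in pw) and any(c.isupper() for c in pw),
        "vowel_rich": bool(letters) and vowels / len(letters) >= 0.25,
        "long": len(pw) >= 10,
    }


def entropy(labels):
    n = len(labels)
    return -sum(k / n * math.log2(k / n) for k in Counter(labels).values())


def build_tree(rows, attrs):
    """ID3: rows are (feature_dict, label); returns a nested dict or a leaf label."""
    labels = [lab for _, lab in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority

    def gain(a):
        parts = [[lab for f, lab in rows if f[a] == v] for v in (True, False)]
        return entropy(labels) - sum(len(p) / len(rows) * entropy(p) for p in parts if p)

    best = max(attrs, key=gain)
    rest = [a for a in attrs if a != best]
    node = {"attr": best}
    for v in (True, False):
        sub = [(f, lab) for f, lab in rows if f[best] == v]
        # An empty branch inherits the parent's majority label.
        node[v] = build_tree(sub, rest) if sub else majority
    return node


def classify(tree, pw):
    f = features(pw)
    while isinstance(tree, dict):
        tree = tree[f[tree["attr"]]]
    return tree


def tree_size(tree):
    """Number of nodes: the space the system stores instead of the word list."""
    if not isinstance(tree, dict):
        return 1
    return 1 + tree_size(tree[True]) + tree_size(tree[False])


ROWS = [(features(w), True) for w in DICTIONARY] + [(features(w), False) for w in NON_DICTIONARY]
TREE = build_tree(ROWS, FEATURE_NAMES)


def reject(pw):
    """True means the tree classifies the password as dictionary-like and the system refuses it."""
    return classify(TREE, pw)


def false_reject_rate(passwords):
    """Fraction of genuinely non-dictionary passwords the tree wrongly refuses."""
    return sum(reject(p) for p in passwords) / len(passwords)


def dictionary_bytes(words):
    """Rough size of the plain word list (one byte per character plus a separator)."""
    return sum(len(w) + 1 for w in words)


if __name__ == "__main__":
    print("tree nodes:", tree_size(TREE), "vs dictionary bytes:", dictionary_bytes(DICTIONARY))
    for pw in HELD_OUT:
        print(pw, "rejected" if reject(pw) else "accepted")
    print("false-reject rate on held-out set:", false_reject_rate(HELD_OUT))
```

The tree fits the training words exactly, but "xkqzvprtw" (no vowels, all lowercase, no digits or symbols) lands on the same leaf as "qwerty" and is refused even though it is not in the dictionary; that is the one-or-two-percent class of rejections the review describes, traded for a representation that is far smaller than the word list and is checked with a handful of attribute lookups.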
The paper begins with a good review of password-related vulnerabilities and previous dictionary-compression approaches. However, it does not discuss system-chosen pronounceable passwords, which are both safe and easy to remember, but might be difficult to distinguish from natural-language dictionary words and might therefore be uniformly rejected. The paper reads well in the first half but becomes quite dry in the latter part, where the experiments are reported.