Liron David,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.1912.02551

2020-05-05

Abstract:Human-chosen passwords are the a dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password's rank in fractions of a second---without actually enumerating the passwords---so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. Our idea is to cast the question of password rank estimation in a probabilistic framework used in side-channel cryptanalysis. We view each password as a point in a $d$-dimensional search space, and learn the probability distribution of each dimension separately. The dimensions represent the base word, plus a dimension for each possible transformation such as adding a suffix or using a capitalization pattern. Using this model, password strength estimation is analogous to side-channel rank estimation. We implemented PERrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

Cryptography and Security

Bo Zhou,Hiroyuki Okamura,Tadashi Dohi

DOI: https://doi.org/10.1109/tc.2011.208

2013-01-01

Abstract:In this paper, we propose a probabilistic approach to finding failure-causing inputs based on Bayesian estimation. According to our probabilistic insights of software testing, the test case generation algorithms are developed by Markov chain Monte Carlo (MCMC) methods. Dissimilar to existing random testing schemes such as adaptive random testing, our approach can also utilize the prior knowledge on software testing. In experiments, we compare effectiveness of our MCMC-based random testing with both ordinary random testing and adaptive random testing in real program sources. These results indicate the possibility that MCMC-based random testing can drastically improve the effectiveness of software testing.

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Eugene Panferov

DOI: https://doi.org/10.48550/arXiv.1505.05090

2015-05-19

Cryptography and Security

Abstract:We notice that the "password security" discourse is missing the most fundamental notion of the "password strength" -- it was never properly defined. We propose a canonical definition of the "password strength", based on the assessment of the efficiency of a set of possible guessing attack. Unlike naive password strength assessments our metric takes into account the attacker's strategy, and we demonstrate the necessity of that feature. This paper does NOT advise you to include "at least three capital letters", seven underscores, and a number thirteen in your password.

Binh Le Thanh Thai,Hidema Tanaka

DOI: https://doi.org/10.1109/access.2024.3401195

IF: 3.9

2024-05-22

IEEE Access

Abstract:Nowadays, passwords play an important role in ensuring practical security. Password strength meters (PSMs) are typical and well-known tools developed to help users estimate password strength. Among existing PSMs, Markov-based PSMs offer high accuracy and reliability. However, these PSMs are often compared with other types of PSMs, and no study has compared their accuracy in detail. Two types of Markov models introduced in previous studies are the Simple Markov Model (SMM) and the Layered Markov Model (LMM). When calculating the probability of a password, these models consider two factors: character position and password length. However, these two models do not cover all possible cases of these two factors. In this paper, we introduce the application of two new Markov models, which can be seen as "hybrid models" of SMM and LMM, into PSMs, called Simple Markov Model with password length consideration (SMMl) and unique Layered Markov Model (uLMM), to cover all the missing cases. Then, we present two specific scenarios and compare the effectiveness of four types of Markov models in evaluating passwords based on these two scenarios. The experimental results indicate that the SMMl model, one of the two models proposed in this paper, yields the best effectiveness. This result also suggests that the number of samples of sub-string sequences obtained during the training process affects the effectiveness of password evaluation. Therefore, we conduct a detailed analysis related to this issue. These results will support us in developing new PSMs in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

Sanam Ghorbani Lyastani,Michael Schilling,Sascha Fahl,Sven Bugiel,Michael Backes

DOI: https://doi.org/10.48550/arXiv.1712.08940

2017-12-24

Abstract:Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.

Cryptography and Security

Khan Reaz,Gerhard Wunder

DOI: https://doi.org/10.1109/CNS56114.2022.9947259

2024-03-18

Abstract:The classical combinatorics-based password strength formula provides a result in tens of bits, whereas the NIST Entropy Estimation Suite give a result between 0 and 1 for Min-entropy. In this work, we present a newly developed metric -- Expectation entropy that can be applied to estimate the strength of any random or random-like password. Expectation entropy provides the strength of a password on the same scale as an entropy estimation tool. Having an 'Expectation entropy' of a certain value, for example, 0.4 means that an attacker has to exhaustively search at least 40\% of the total number of guesses to find the password.

Cryptography and Security

Shouling Ji,Shukun Yang,Anupam Das,Xin Hu,Raheem Beyah

DOI: https://doi.org/10.1109/infocom.2017.8057067

2017-01-01

Abstract:In this paper, we study the correlation between passwords across different datasets which quantitatively explains the success of existing training-based password cracking techniques. We also study the correlation between a user's password and his/her social profile. This enabled us to develop the first social profile-aware password strength meter, namely SocialShield. Our quantification techniques and SocialShield have meaningful implications to system administrators, users, and researchers, e.g., helping them quantitatively understand the threats posed by a password leakage incident, defending against emerging profile-based password attacks, and facilitating the research of countermeasures against existing and newly developed training-based password attacks. We validate our proposed quantification techniques and SocialShield through extensive experiments by leveraging real-world leaked passwords. Experimental results demonstrate that our quantification techniques are accurate in measuring correlation among different leaked datasets and that although SocialShield is light-weight, it is effective in defending against profile-based password attacks.

Dario Pasquini,Marco Cianfriglia,Giuseppe Ateniese,Massimo Bernaschi

DOI: https://doi.org/10.48550/arXiv.2010.12269

2021-02-26

Abstract:Password security hinges on an in-depth understanding of the techniques adopted by attackers. Unfortunately, real-world adversaries resort to pragmatic guessing strategies such as dictionary attacks that are inherently difficult to model in password security studies. In order to be representative of the actual threat, dictionary attacks must be thoughtfully configured and tuned. However, this process requires a domain-knowledge and expertise that cannot be easily replicated. The consequence of inaccurately calibrating dictionary attacks is the unreliability of password security analyses, impaired by a severe measurement bias. In the present work, we introduce a new generation of dictionary attacks that is consistently more resilient to inadequate configurations. Requiring no supervision or domain-knowledge, this technique automatically approximates the advanced guessing strategies adopted by real-world attackers. To achieve this: (1) We use deep neural networks to model the proficiency of adversaries in building attack configurations. (2) Then, we introduce dynamic guessing strategies within dictionary attacks. These mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets. Our techniques enable more robust and sound password strength estimates within dictionary attacks, eventually reducing overestimation in modeling real-world threats in password security. Code available: <a class="link-external link-https" href="https://github.com/TheAdamProject/adams" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Machine Learning

Sean Oesch,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.1908.03296

2019-08-09

Cryptography and Security

Abstract:Password managers have the potential to help users more effectively manage their passwords and address many of the concerns surrounding password-based authentication, however prior research has identified significant vulnerabilities in existing password managers. Since that time, five years has passed, leaving it unclear whether password managers remain vulnerable or whether they are now ready for broad adoption. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle--password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues, particularly with browser-based password managers; these problems include unencrypted metadata, unsafe defaults, and vulnerabilities to clickjacking attacks. Based on our results, we identify password managers to avoid, provide recommendations on how to improve existing password managers, and identify areas of future research.

Zhixiong Zheng,Haibo Cheng,Zijian Zhang,Yiming Zhao,Ping Wang

DOI: https://doi.org/10.1155/2018/6160125

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:We present in this paper an alternative method for understanding user-chosen passwords. In password research, much attention has been given to increasing the security and usability of individual passwords for common users. Few of them focus on the relationships between passwords; therefore we explore the relationships between passwords: modification-based, similarity-based, and probability-based. By regarding passwords as vertices, we shed light on how to transforma dataset of passwords into a password graph. Subsequently, we introduce some novel notions from graph theory and report on a number of inner properties of passwords from the perspective of graph. With the assistance of Python Graph-tool, we are able to visualize our password graph to deliver an intuitive grasp of user-chosen passwords. Five real-world password datasets are used in our experiments to fulfill our thorough experiments. We discover that (1) some passwords in a dataset are tightly connected with each other; (2) they have the tendency to gather together as a cluster like they are in a social network; (3) password graph has logarithmic distribution for its degrees. Top clusters in password graph could be exploited to obtain the effective mangling rules for cracking passwords. Also, password graph can be utilized for a new kind of password strength meter.

Jiahong Xie,Haibo Cheng,Rong Zhu,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp43922.2022.9746203

2022-01-01

Abstract:To date there are few researches on the semantic information of passwords, which leaves a gap preventing us from fully understanding the passwords characteristic and security. We propose a new password probability model for semantic information based on Markov Chain with both generalization and accuracy, called WordMarkov, that can capture the semantic essence of password samples. Further, we evaluate our design via password guessing attacks, on six real-world datasets, and we show that WordMarkov obtains 24.29%–67.37% improvement over the state-of-the-art password probability models. Even more surprising is that WordMarkov achieves 75.35%–96.34% attack improvement on "long" passwords, indicating the importance of semantic parts in long passwords.

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Ruixin Shi,Yongbin Zhou,Yong Li,Weili Han

DOI: https://doi.org/10.1155/2021/5563884

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Researchers proposed several data-driven methods to efficiently guess user-chosen passwords for password strength metering or password recovery in the past decades. However, these methods are usually evaluated under ad hoc scenarios with limited data sets. Thus, this motivates us to conduct a systematic and comparative investigation with a very large-scale data corpus for such state-of-the-art cracking methods. In this paper, we present the large-scale empirical study on password-cracking methods proposed by the academic community since 2005, leveraging about 220 million plaintext passwords leaked from 12 popular websites during the past decade. Specifically, we conduct our empirical evaluation in two cracking scenarios, i.e., cracking under extensive-knowledge and limited-knowledge. The evaluation concludes that no cracking method may outperform others from all aspects in these offline scenarios. The actual cracking performance is determined by multiple factors, including the underlying model principle along with dataset attributes such as length and structure characteristics. Then, we perform further evaluation by analyzing the set of cracked passwords in each targeting dataset. We get some interesting observations that make sense of many cracking behaviors and come up with some suggestions on how to choose a more effective password-cracking method under these two offline cracking scenarios.

T.V. Laptyeva,S. Flach,K. Kladko

DOI: https://doi.org/10.1209/0295-5075/95/50007

2011-07-01

Abstract:Vulnerabilities related to weak passwords are a pressing global economic and security issue. We report a novel, simple, and effective approach to address the weak password problem. Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, and computational round-off errors we design an algorithm that strengthens security of passwords. The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective. We expect our approach to have wide applications for authentication and encryption technologies.

Cryptography and Security,Other Condensed Matter,Chaotic Dynamics

Assaf Morag,Liron David,Eran Toch,Avishai Wool

2024-06-06

Abstract:Passwords are the primary authentication method online, but even with password policies and meters, users still find it hard to create strong and memorable passwords. In this paper, we propose DPAR: a Data-driven PAssword Recommendation system based on a dataset of 905 million leaked passwords. DPAR generates password recommendations by analyzing the user's given password and suggesting specific tweaks that would make it stronger while still keeping it memorable and similar to the original password. We conducted two studies to evaluate our approach: verifying the memorability of generated passwords (n=317), and evaluating the strength and recall of DPAR recommendations against password meters (n=441). In a randomized experiment, we show that DPAR increased password strength by 34.8 bits on average and did not significantly affect the ability to recall their password. Furthermore, 36.6% of users accepted DPAR's recommendations verbatim. We discuss our findings and their implications for enhancing password management with recommendation systems.

Cryptography and Security,Human-Computer Interaction

Moritz Horsch,Johannes Braun,Dominique Metz,Johannes Buchmann

DOI: https://doi.org/10.48550/arXiv.1704.02883

2017-04-26

Abstract:It is practically impossible for users to memorize a large portfolio of strong and individual passwords for their online accounts. A solution is to generate passwords randomly and store them. Yet, storing passwords instead of memorizing them bears the risk of loss, e.g., in situations where the device on which the passwords are stored is damaged, lost, or stolen. This makes the creation of backups of the passwords indispensable. However, placing such backups at secure locations to protect them as well from loss and unauthorized access and keeping them up-to-date at the same time is an unsolved problem in practice. We present PASCO, a backup solution for passwords that solves this challenge. PASCO backups need not to be updated, even when the user's password portfolio is changed. PASCO backups can be revoked without having physical access to them. This prevents password leakage, even when a user loses control over a backup. Additionally, we show how to extend PASCO to enable a fully controllable emergency access. It allows a user to give someone else access to his passwords in urgent situations. We also present a security evaluation and an implementation of PASCO.

Cryptography and Security

Shivam K. Shinde

DOI: https://doi.org/10.22214/ijraset.2022.39970

2022-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: The growing number of online services needs users to have control over their password management system (generation, storage, recall). But the demand for total randomness and exclusivity of passwords is impractical in day-to-day life. Each component of a password management system comes with its cognitive burden on a user. There are many password management solutions available for users but every one of them has some drawbacks. Password managers have the ability to help users manage their passwords more successfully while also addressing many of the problems about password-based authentication. In this study, We're analyzing various previous studies regarding the effectiveness, usability, and security of password managers of all categories. Also, we're trying to come up with an ideal set of parameters to build the best possible password management system in 2022. This study will help to understand the key parameters and algorithms that we can use while building the ideal password generation, storage, and recall system for the user.

English Else

Meng Li,Liangzhen Lai,Vikas Chandra,David Z. Pan

DOI: https://doi.org/10.1145/3061639.3062220

2017-01-01

Abstract:Fault attack becomes a serious threat to system security and requires to be evaluated in the design stage. Existing methods usually ignore the intrinsic uncertainty in attack process and suffer from low scalability. In this paper, we develop a general framework to evaluate system vulnerability against fault attack. A holistic model for fault injection is incorporated to capture the probabilistic nature of attack process. Based on the probabilistic model, a security metric named as System Security Factor (SSF) is defined to measure the system vulnerability. In the framework, a Monte Carlo method is leveraged to enable a feasible evaluation of SSF for different systems, security policies, and attack techniques. We enhance the framework with a novel system pre-characterization procedure, based on which an importance sampling strategy is proposed. Experimental results on a commercial processor demonstrate that compared to random sampling, a 2500X speedup is achieved with the proposed sampling strategy. Meanwhile, 3% registers are identified to contribute to more than 95% SSF. By hardening these registers, a 6.5X security improvement can be achieved with less than 2% area overhead.