Shouling Ji,Shukun Yang,Xin Hu,Weili Han,Zhigong Li,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2015.2481884

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we conduct a large-scale study on the crackability, correlation, and security of ${\sim}145$ million real world passwords, which were leaked from several popular Internet services and applications. To the best of our knowledge, this is the largest empirical study that has been conducted. Specifically, we first evaluate the crackability of ${\sim}145$ million real world passwords against 6+ state-of-the-art password cracking algorithms in multiple scenarios. Second, we examine the effectiveness and soundness of popular commercial password strength meters (e.g., Google, QQ) and the security impacts of username/email leakage on passwords. Finally, we discuss the implications of our results, analysis, and findings, which are expected to help both password users and system administrators to gain a deeper understanding of the vulnerability of real passwords against state-of-the-art password cracking algorithms, as well as to shed light on future password security research topics.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Ruti Gafni,Tal Pavel,Raz Margolin,Ben Weiss

DOI: https://doi.org/10.36965/ojakm.2017.5(1)27-41

2017-05-04

Online Journal of Applied Knowledge Management

Abstract:Passwords are the standard means of registration and access to Websites, information systems, online services and various social networks. Databases are increasingly breached and social engineering is employed to obtain usernames and passwords for online fraud, therefore, there is a need to secure existing passwords, and to create ones that will be more crack-resistant. This study addresses the issue of personal data, which users enter on social networks, and incorporate in passwords, as well as how tracking and identifying this data assists hackers in cracking these passwords. The study focuses on Facebook, conducting an online anonymous questionnaire among 195 respondents, and an experiment among a voluntary response sample of 72 participants, in which passwords were tried to been deciphered by a custom dictionary attack. The findings confirm a link between the use of accessible online personal data and success rates of password deciphering. The findings underscore the grave threat to users’ information security - not only as a result of their voluntary exposure of personal data on social networks, but also due to the integration of this data into their passwords. The study argues the need to emphasize users' awareness to their password strength, with this vulnerability in mind.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Rahul Dubey,Miguel Vargas Martin

DOI: https://doi.org/10.1109/pst52912.2021.9647823

2021-12-13

Abstract:Passwords have been around for many decades and have tenaciously remained the primary means of identification and authentication. Assuming that the communication channel is not intercepted, the strength of security provided by passwords is largely dependent on two factors: password selection and password storage mechanism. While both areas have been looked into by researchers in the past, there is no consensus to suggest whether or not humanity has moved towards choosing stronger passwords, notwithstanding strong password enforcement policies. One of the key reasons behind this shortcoming is the lack of data about individual credentials in leaked datasets, which usually contain only usernames and passwords. To the best of our knowledge, we are the first researchers to enrich the attribute set of any user credential database, thus allowing deeper insights. We outline the method we devised for adding new attributes (time-stamp and source inference) to a dataset of 1.4 billion user credentials. Subsequently, we use our modified dataset to determine how passwords have evolved overtime with respect to strength and whether humankind as a whole has learned from its past mistakes.

Ruixin Shi,Yongbin Zhou,Yong Li,Weili Han

DOI: https://doi.org/10.1155/2021/5563884

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Researchers proposed several data-driven methods to efficiently guess user-chosen passwords for password strength metering or password recovery in the past decades. However, these methods are usually evaluated under ad hoc scenarios with limited data sets. Thus, this motivates us to conduct a systematic and comparative investigation with a very large-scale data corpus for such state-of-the-art cracking methods. In this paper, we present the large-scale empirical study on password-cracking methods proposed by the academic community since 2005, leveraging about 220 million plaintext passwords leaked from 12 popular websites during the past decade. Specifically, we conduct our empirical evaluation in two cracking scenarios, i.e., cracking under extensive-knowledge and limited-knowledge. The evaluation concludes that no cracking method may outperform others from all aspects in these offline scenarios. The actual cracking performance is determined by multiple factors, including the underlying model principle along with dataset attributes such as length and structure characteristics. Then, we perform further evaluation by analyzing the set of cracked passwords in each targeting dataset. We get some interesting observations that make sense of many cracking behaviors and come up with some suggestions on how to choose a more effective password-cracking method under these two offline cracking scenarios.

Prof. Saritha Murali,

DOI: https://doi.org/10.55041/ijsrem17298

2022-12-25

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:This paper outlines research based on password strength measurement analysis using various machine learning approaches. In the current world, a password is the most indispensable authentication mechanism concerning any system security. Although there are multiple authentication methods available nowadays which provide improved security such as biometrics and smart cards still the password authentication mechanism is auspicious to everyone for enhanced system security. Generally, humans prefer to set a password related to their birthplace, date of birth, keyboard patterns, dictionary words, phone number, etc. Online or offline attackers and intruders can guess these passwords easily and intrude the system security. Privacy and data protection have become a need today. Cyber security is growing in its importance in literally every domain in recent years. Every person must safeguard their data and have a basic understanding of the technical developments taking place in many businesses. Key Words: Machine learning, password, Multi-Layer Perceptron

English Else

Zhixiong Zheng,Haibo Cheng,Zijian Zhang,Yiming Zhao,Ping Wang

DOI: https://doi.org/10.1155/2018/6160125

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:We present in this paper an alternative method for understanding user-chosen passwords. In password research, much attention has been given to increasing the security and usability of individual passwords for common users. Few of them focus on the relationships between passwords; therefore we explore the relationships between passwords: modification-based, similarity-based, and probability-based. By regarding passwords as vertices, we shed light on how to transforma dataset of passwords into a password graph. Subsequently, we introduce some novel notions from graph theory and report on a number of inner properties of passwords from the perspective of graph. With the assistance of Python Graph-tool, we are able to visualize our password graph to deliver an intuitive grasp of user-chosen passwords. Five real-world password datasets are used in our experiments to fulfill our thorough experiments. We discover that (1) some passwords in a dataset are tightly connected with each other; (2) they have the tendency to gather together as a cluster like they are in a social network; (3) password graph has logarithmic distribution for its degrees. Top clusters in password graph could be exploited to obtain the effective mangling rules for cracking passwords. Also, password graph can be utilized for a new kind of password strength meter.

Ding Wang,Gaopeng Jian,Ping Wang

2014-01-01

Abstract:Despite more than thirty years of intensive research efforts, textual passwords are still enveloped in mysterious veils. In this work, we make a substantial step forward in understanding the underlying distributions of passwords. By conducting linear regressions on a corpus of 97.2 million passwords (a mass of chaotic data), we for the first time show that Zipf’s law perfectly exists in user-generated passwords, figure out the corresponding exact distribution functions, and investigate some fundamental implications of our observations for password policies and password-based cryptographic protocols (e.g., authentication, encryption and signature). As one specific application of this law of nature, we propose the number of unique passwords used in regression and the absolute value of slope of the regression line together as a metric for assessing the strength of password datasets, and prove its correctness in a mathematically rigorous manner. In addition, extensive experiments (including optimal attacks, simulated optimal attacks and state-of-the-art cracking sessions) are performed to demonstrate the practical effectiveness of our metric. In two of four cases, our metric outperforms Bonneau’s α-guesswork in simplicity and to the best of knowledge, it is the first one that is both easy to approximate and accurate to facilitate comparisons, providing a useful tool for the security administrators to gain a precise grasp of the strength of their password datasets and to adjust the password policies more reasonably.

Weili Han,Zhigong Li,Minyue Ni,Guofei Gu,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2016.2568187

2018-01-01

Abstract:With the proliferation of websites, the security level of password-protected accounts is no longer purely determined by individual ones. Users may register multiple accounts on the same site or across multiple sites, and these passwords from the same users are likely to be the same or similar. As a result, an adversary can compromise the account of a user on a web forum, then guess the accounts of the same user in sensitive accounts, e.g. , online banking services, whose accounts could have the same or even stronger passwords. We name this attack as the shadow attack on passwords. To understand the situation, we examined the state-of-the-art Intra-Site Password Reuses (ISPR) and Cross-Site Password Reuses (CSPR) based on the leaked passwords from the biggest Internet user group (i.e., 668 million members in China). With a collection of about 70 million real-world web passwords across four large websites in China, we obtained around 4.6 million distinct users who have multiple accounts on the same site or across different sites. We found that for the users with multiple accounts in a single website, $59.72$ percent reused their passwords and for the users with multiple accounts on multiple websites, $33.16 \pm 8.91$ percent reused their passwords across websites. For the users that have multiple accounts but different passwords, the set of passwords of the same user exhibits patterns that can help password guessing: a leaked weak password reveals partial information of a strong one, which degrades the strength of the strong one. Given the aforementioned findings, we conducted an experiment and achieved a 39.38 percent improvement of guessing success rate with John the Ripper guessing tool. To the best of our knowledge, we are the first to provide a large-scale, empirical, and quantitative measurement of web password reuses, especially ISPR, and shed light on the severity of such threat in the real world.

Saul Johnson,João Ferreira,Alexandra Mendes,Julien Cordry

DOI: https://doi.org/10.1109/ISSREW.2019.00082

2024-03-15

Abstract:Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies (sets of rules that a user must abide by when creating a password) influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrates its use in inferring password composition policies.

Cryptography and Security

Yubing Bao,Jianping Zeng,Jirui Yang,Ruining Yang,Zhihui Lu

DOI: https://doi.org/10.1145/3703350

IF: 2.717

2024-01-01

ACM Transactions on Privacy and Security

Abstract:The predominant authentication method still relies on usernames and passwords. To enhance memorability, domain terms may have been opted to include as part of passwords. However, there is little analysis of the extent to which such practice affects password security, so there is a lack of guidance on how users use domain terms on websites with different domain characteristics. To address the problem, we propose a novel approach to analyze the security effect of using domain terms in passwords. The methodology primarily consists of three stages. Firstly, we utilize Web crawlers to harvest domain vocabularies, subsequently leveraging the TextRank algorithm to rank their importance. Afterward, we propose an algorithm for constructing a simulated domain-specific password dataset by replacing password elements with domain terms. Finally, password guessing experiments are done on the dataset using PCFG and Markov model to evaluate the impact of domain terms on password security. The experimental results indicate that, for systems without clear domain, 20% domain terms replacement in the test set can reduce the cracking rate by up to 5.45%. In contrast, for domain-specific systems, 20% domain terms replacement in the training set can increase the cracking rate by 6.45%. These findings provide practical guidance on the application of domain knowledge in password creation for different types of systems. In summary, this study offers a novel perspective for exploring the security implications of passwords influenced by specific domains.

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

M Atif Qureshi,Arjumand Younus,Arslan Ahmed Khan

DOI: https://doi.org/10.48550/arXiv.0909.2367

2009-09-13

Abstract:Over the years security experts in the field of Information Technology have had a tough time in making passwords secure. This paper studies and takes a careful look at this issue from the angle of philosophy and cognitive science. We have studied the process of passwords to rank its strengths and weaknesses in order to establish a quality metric for passwords. Finally we related the process to human senses which enables us to propose a constitutional scheme for the process of password. The basic proposition is to exploit relationship between human senses and password to ensure improvement in authentication while keeping it an enjoyable activity.

Cryptography and Security

Zach Parish,Connor Cushing,Shourya Aggarwal,Amirali Salehi-Abari,Julie Thorpe

DOI: https://doi.org/10.1007/s10207-021-00560-9

2021-08-23

International Journal of Information Security

Abstract:Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, comparisons between password guessers are limited to simple success rates. Thus, little is known on how password guessers can best be combined with or complement each other. To extend analyses beyond success rates, we devise an analytical framework to compare the types of passwords that guessers generate. Using our framework, we show that different guessers often produce dissimilar passwords, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective in guessing passwords as computationally intensive guessers, but more efficient. Our framework can be used to identify combinations of guessers that will best complement each other. To improve the success rate of any guesser, we also show how an effective training dataset can be identified for a given target password dataset, even when the target dataset is hashed. Our insights allow us to provide a concrete set of practical recommendations for password checking to effectively and efficiently measure password strength.

computer science, information systems, theory & methods, software engineering

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Liron David,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.1912.02551

2020-05-05

Abstract:Human-chosen passwords are the a dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password's rank in fractions of a second---without actually enumerating the passwords---so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. Our idea is to cast the question of password rank estimation in a probabilistic framework used in side-channel cryptanalysis. We view each password as a point in a $d$-dimensional search space, and learn the probability distribution of each dimension separately. The dimensions represent the base word, plus a dimension for each possible transformation such as adding a suffix or using a capitalization pattern. Using this model, password strength estimation is analogous to side-channel rank estimation. We implemented PERrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

Cryptography and Security

Ding Wang,Gaopeng Jian,Ping Wang

2015-01-01

Abstract:Despite more than thirty years of intensive research efforts, textual passwords are still enveloped in mysterious veils. In this work, we make a substantial step forward in understanding the underlying distributions of passwords. By conducting linear regressions on a corpus of 97.2 million passwords (a mass of chaotic data), we for the first time show that Zipf ’s law perfectly exists in user-generated passwords, figure out the corresponding exact distribution functions, and investigate some fundamental implications of our observations for password policies and password-based cryptographic protocols (e.g., authentication, encryption and signature). As one specific application of this law of nature, we propose the number of unique passwords used in regression and the absolute value of slope of the regression line together as a metric for assessing the strength of password datasets, and prove its correctness in a mathematically rigorous manner. In addition, extensive experiments (including optimal attacks, simulated optimal attacks and state-of-the-art cracking sessions) are performed to demonstrate the practical effectiveness of our metric. In two of four cases, our metric outperforms Bonneau’s α-guesswork in simplicity and to the best of knowledge, it is the first one that is both easy to approximate and accurate to facilitate comparisons, providing a useful tool for the security administrators to gain a precise grasp of the strength of their password datasets and to adjust the password policies more reasonably.

Yangde Wang,Weidong Qiu,Weicheng Zhang,Hao Tian,Shujun Li

DOI: https://doi.org/10.48550/arXiv.2306.06824

2023-06-12

Cryptography and Security

Abstract:Much research has been done on user-generated textual passwords. Surprisingly, semantic information in such passwords remain underinvestigated, with passwords created by English- and/or Chinese-speaking users being more studied with limited semantics. This paper fills this gap by proposing a general framework based on semantically enhanced PCFG (probabilistic context-free grammars) named SE#PCFG. It allowed us to consider 43 types of semantic information, the richest set considered so far, for semantic password analysis. Applying SE#PCFG to 17 large leaked password databases of user speaking four languages (English, Chinese, German and French), we demonstrate its usefulness and report a wide range of new insights about password semantics at different levels such as cross-website password correlations. Furthermore, based on SE#PCFG and a new systematic smoothing method, we proposed the Semantically Enhanced Password Cracking Architecture (SEPCA). To compare the performance of SEPCA against three state-of-the-art (SOTA) benchmarks in terms of the password coverage rate: two other PCFG variants and FLA. Our experimental results showed that SEPCA outperformed all the three benchmarks consistently and significantly across 52 test cases, by up to 21.53%, 52.55% and 7.86%, respectively, at the user level (with duplicate passwords). At the level of unique passwords, SEPCA also beats the three benchmarks by up to 33.32%, 86.19% and 10.46%, respectively. The results demonstrated the power of SEPCA as a new password cracking framework.

Eryn Ma,Summer Hasama,Eshaan Lumba,Eleanor Birrell

DOI: https://doi.org/10.48550/arXiv.2201.01350

2022-01-04

Cryptography and Security

Abstract:User-chosen passwords remain essential to online security, and yet people continue to choose weak, insecure passwords. In this work, we investigate whether prospect theory, a behavioral model of how people evaluate risk, can provide insights into how users choose passwords and whether it can motivate new designs for password selection mechanisms that will nudge users to select stronger passwords. We ran a user study with 762 participants, and we found that an intervention guided by prospect theory -- which leverages the reference-dependence effect by framing selecting weak passwords as a loss relative to choosing a stronger password -- causes approximately 25% of users to improve the strength of their password (significantly more than alternative interventions) and reduced the final number of weak passwords by approximately 25%. We also evaluate the relation between user behavior and users' mental models of hacking and password attacks. These results provide guidance for designing and implementing account registration mechanisms that will significantly improve the strength of user-selected passwords, thereby leveraging insights from prospect theory to improve the security of systems that use password-based authentication.