Zhigong Li,Weili Han,Wenyuan Xu

2014-01-01

Abstract:Users speaking different languages may prefer different patterns in creating their passwords, and thus knowledge on English passwords cannot help to guess passwords from other languages well. Research has already shown Chinese passwords are one of the most difficult ones to guess. We believe that the conclusion is biased because, to the best of our knowledge, little empirical study has examined regional differences of passwords on a large scale, especially on Chinese passwords. In this paper, we study the differences between passwords from Chinese and English speaking users, leveraging over 100 million leaked and publicly available passwords from Chinese and international websites in recent years. We found that Chinese prefer digits when composing their passwords while English users prefer letters, especially lowercase letters. However, their strength against password guessing is similar. Second, we observe that both users prefer to use the patterns that they are familiar with, e.g., Chinese Pinyins for Chinese and English words for English users. Third, we observe that both Chinese and English users prefer their conventional format when they use dates to construct passwords. Based on these observations, we improve a PCFG (Probabilistic Context-Free Grammar) based password guessing method by inserting Pinyins (about 2.3% more entries) into the attack dictionary and insert our observed composition rules into the guessing rule set. As a result, our experiments show that the efficiency of password guessing increases by 34%.

Weili Han,Zhigong Li,Lang Yuan,Wenyuan Xu

DOI: https://doi.org/10.1109/TIFS.2015.2490620

2016-01-01

Abstract:Current research on password security pays much attention on users who speak Indo-European languages (English, Spanish, and so on), and thus the countermeasures are heavily influenced by Indo-European speakers’ choices as well. However, languages have a strong impact on passwords. Analysis without considering other languages (e.g., Chinese) might lead to some biased results, such as Chinese passwords are one of the most difficult ones to guess. We believe that such a conclusion could be biased because, to the best of our knowledge, little empirical study has examined the regional differences of passwords at a large scale, especially on Chinese passwords. In this paper, we comprehensively study the differences between passwords from Chinese and English-dominant users, leveraging over 100 million leaked and publicly available passwords from Chinese and international websites in recent years. We find that Chinese prefer digits when composing their passwords, while English-dominant users prefer letters, especially lowercase letters. However, their strength against password guessing is similar. Second, we observe that both groups of users prefer to use the patterns that they are familiar with, e.g., Chinese Pinyins for Chinese and English words for English-dominant users. In particular, since multiple input methods require various sequences of letters to enter the same Chinese characters, we evaluate the impacts of various Chinese input methods, in addition to Pinyin. Third, we observe that both Chinese and English-dominant users prefer their conventional format when they use dates to construct passwords. Based on these observations, we improve two password guessing methods: 1) probabilistic context-free grammar (PCFG)-based password guessing method and 2) Markov model-based password guessing method. For the PCFG-based method, the guessing efficiency increases by up to 48% after inserting Pinyins (about 2.3% more entries) into the attack dictionary - nd inserting the observed composition rules into the guessing rule set. For the Markov-model-based method, the guessing efficiency increases by up to 4.7% after we increase the percentage of Pinyins in the training set. Our research sheds light on understanding the impact of regional patterns on passwords.

Rui Xu,Xiaojun Chen,Yingbing Wang,Jinqiao Shi,Haitao Mi

DOI: https://doi.org/10.1109/MILCOM.2016.7795425

2016-01-01

Abstract:The conventional password cracking methods view the consecutive digits in passwords as a single unit without understanding the internal structures of digits. In this paper, in order to enhance the analysis of numerical passwords, we borrow the idea of chunking in psychology, and segment each numerical password into small chunks to help understand the structures. Empirically, we learn chunks and structures based on their frequencies from the numerical passwords of leaked corpus, and model them with probabilistic context-free grammars to generate password guesses. Experiment results on the leaked Chinese password corpus included 24 million entries show that our approach achieves 46.91% relative gains over word lists approach, and 31.07% relative gains in the first 1 million guesses than John the Ripper (JtR), and 50.76% relative gains for guessing long numerical password than JtR.

Ding Wang,Haibo Cheng,Ping Wang,Xinyi Huang,Chao-Hsien Chu

2016-01-01

Abstract:While the computer security world has changed a lot over the last two decades, textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention (e.g., user surveys and empirical analysis) has been paid to passwords chosen by English users, yet relatively little is known about how nonEnglish users select passwords. In this work, we conduct so far the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords. We further perform an empirical analysis of 100 million Chinese web passwords in a comparison with 30 million English ones, a corpus among the largest ones ever studied. We identify a number of interesting structural and semantic characteristics in Chinese passwords, and also examine their security by employing two state-of-the-art password cracking techniques (i.e., probabilistic context-free grammars (PCFG) and Markov models). Particularly, our cracking results reveal a “reversal principle”: when the guess number allowed is small, Chinese passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in 2012 and Li et al. in 2014, respectively. At 10 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is from 33.2% to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We also discuss the implications of our findings. This work is expected to help facilitate both security administrators and users to gain a better understanding of the vulnerability of Chinese passwords, as well as to shed light on future password research.

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Ding Wang,Ping Wang,Debiao He,Yuan Tian

2019-01-01

Abstract:Much attention has been paid to passwords chosen by English speaking users, yet only a few studies have examined how non-English speaking users select passwords. In this paper, we perform an extensive, empirical analysis of 73.1 million real-world Chinese web passwords in comparison with 33.2 million English counterparts. We highlight a number of interesting structural and semantic characteristics in Chinese passwords. We further evaluate the security of these passwords by employing two state-of-the-art cracking techniques. In particular, our cracking results reveal the bifacial-security nature of Chinese passwords. They are weaker against online guessing attacks (i.e., when the allowed guess number is small, 1 similar to 10(4)) than English passwords. But out of the remaining Chinese passwords, they are stronger against offline guessing attacks (i.e., when the guess number is large, >10(5)) than their English counterparts. This reconciles two conflicting claims about the strength of Chinese passwords made by Bonneau (IEEE S&P'12) and Li et al. (Usenix Security'14 and IEEE TIFS'16). At 10(7) guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is 33.2%similar to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the state of the art. We also discuss the implications of our findings for password policies, strength meters and cracking.

Chen Su,Yuesheng Zhu

DOI: https://doi.org/10.1109/ICC.2017.7997248

2017-01-01

Abstract:In order to remember easily, human beings may use personal information as part of their passwords. In recent years, incidents of Internet information leakage emerge incessantly, which provides more materials for password guessing, such as password database and personal information database. If we have known part of the users' personal information, how to use these data to guess passwords, the research related is still rare. In this paper, on the basis of more than 200 million leaked password accounts and 20 million personal information records in China, we analyze these data statistically and find out that at least 37.20% of these passwords contain personal information. Based on the latest Probabilistic Context-Free Grammars (PCFG) model, we propose a novel method to import personal information and generate passwords containing personal information. In offline attacks, experiments show that the efficiency of password guessing increases by 12.41% compared to PCFG 3.1 and 8.56% to order-4 Markov model after importing personal information in batches. In online attacks, the cracking probability is also improved significantly after importing personal information one by one.

Haodong Zhang,Chuanwang Wang,Wenqiang Ruan,Junjie Zhang,Ming Xu,Weili Han

DOI: https://doi.org/10.1145/3485832.3488025

2021-01-01

Abstract:Users usually create their passwords with meaningful digits, i.e. digit semantics, which can be partially exploited by probabilistic password guessing models with a data-driven methodology for better efficiency. However, these semantics are largely ignored by current practical password cracking tools, like John the Ripper (JtR) and Hashcat. In this paper, we are motivated to study the digit semantics in passwords and exploit them to improve the guessing efficiency of practical password cracking tools. We first design a practical extraction tool of digit semantics in passwords. Then we conduct a comprehensive empirical analysis of the digit semantics in four large-scale password sets leaked from the real world. Based on the analysis results, we further propose two new operations (the basic unit to construct mangling rules), then generate 1,974 digit semantics rules constructed from them. Moreover, in order to enforce semantics rules in JtR and Hashcat, we optimize their rule engines and running logic with the compatibility of the original built-in operations. The evaluation on the real password sets shows the significant advantage of digit semantics rules to extend current typical rule sets when we crack both Chinese and English (two of the largest user groups) passwords with digit strings.

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Yong Fang,Kai Liu,Fan Jing,Zheng Zuo

DOI: https://doi.org/10.1007/978-981-13-5913-2_6

2019-01-01

Abstract:Passwords remain the dominant method in data encryption and identity authentication, but they are vulnerable to guessing attack. Most users incline to choose meaningful words to make up passwords. Lots of these words are human-memorable. In this paper, we propose a hierarchical semantic model that combines LSTM with semantic analysis to implement password guessing. With our model, the potential probability relationship between words can be mined. After training the model with 4.5 million passwords from leaked Chinese passwords, we generate lots of passwords guesses ordered by probability. 0.5 million passwords are reserved for model testing. In addition, we also pick up CSDN passwords, the Rockyou passwords, and Facebook passwords as model-testing sets. Each dataset contains 0.5 million passwords. LSTM-based model, PCFG, and Markov-based model are selected for comparison. Experiments show that our model has a higher coverage rate than the other models of the reserved dataset and CSDN dataset. Besides, our model can hit more passwords for the Rockyou dataset and Facebook dataset than PCFG.

Zeng Jianping,Duan Jiangjiao,Wu Chengrong

DOI: https://doi.org/10.1016/j.cose.2018.10.004

IF: 5.105

2019-01-01

Computers & Security

Abstract:Passwords are especially ubiquitous in authentication systems. Although a lot of research has concentrated on the analysis of passwords, statistical characteristics are limited to explicit properties such as string length, the use of numeric characters in passwords. We explore the implicit properties of lexical sentiment in passwords by utilizing Natural Language Processing technology. Firstly, we construct several dictionaries, such as frequently used words, General Inquirer polarities, extended Ekman sentiment words. Then, an algorithm to split passwords into meaningful units is designed. Finally, statistical characteristics in lexical sentiment are discovered from three large-scale password sets leaked from the Internet websites. The results show that the occurrence probability of sentiment words is higher than that of several known patterns, such as [country], [number][female name]. With consideration of sentiment polarity, we find that people tend to use positive words in passwords. The percentage of positive sentiment is greater than that of negative words. Further research reveals that the joy type of sentiment is more popular in passwords than other kinds of sentiments, such as surprise and sadness. The discoveries suggest that the lexical sentiment, especially, positive and joy type can be utilized as a component in password patterns to measure password strength.

Xingxing Wang,Dakui Wang,Xiaojun Chen,Rui Xu,Jinqiao Shi,Li Guo

DOI: https://doi.org/10.1007/978-3-319-69659-1_14

2017-01-01

Abstract:Recent many password guessing algorithms based on the Probabilistic Context-Free Grammars (PCFGs) model brought significant improvements in password cracking. These algorithms analyzed common semantic patterns (letter semantic patterns, date patterns, keyboard patterns etc.) from passwords and modeled the construction process of passwords by using PCFGs. However, there still left a large fraction of integral segments in passwords which seem no semantics. Can those segments be deeply analyzed and help to make further improvements on password cracking? Motivated by this challenge, this paper employs Byte Pair Encoding (BPE) algorithm for password segmentation, extracting those non-semantical patterns which are frequently used in passwords subconsciously by people. Based on the segmentation, we propose a BPE-PCFGs model to generate password guesses. Furthermore, we also utilize the existing common semantic patterns and BPE patterns to construct a new Rich-BPE-PCFGs password generator. Experimental results on large-scale password sets show that our Rich-BPE-PCFGs model can obtain a 2.36%–37.56% improvement over the original PCFGs model, which is a good complement to existing password guessing algorithms.

Zhiyong Li,Tao Li,Fangdong Zhu

DOI: https://doi.org/10.1145/3325773.3325779

2019-01-01

Abstract:Password authentication is the most widely used authentication method in information systems. The traditional proactive password detection method is generally implemented by counting password length, character class number and computing password information entropy to improve password security. However, passwords that pass proactive password detection do not represent that they are secure. In this paper, based on the research of the characteristics of password distribution under big data, we propose an online password guessing method, which collects a dataset of guessing passwords composed of weak passwords, high frequency passwords and personal information related passwords. It is used to guess the 13k password dataset leaked in China's largest ticketing website, China Railways 12306 website. The experimental results show that even if our guess object has passed the strict proactive password detection, we can construct a guessing password dataset contain only 100 passwords, and effectively guess 4.84% of the passwords.

Chuanwang Wang,Junjie Zhang,Ming Xu,Haodong Zhang,Weili Han

DOI: https://doi.org/10.1016/j.cose.2022.102848

IF: 5.105

2022-01-01

Computers & Security

Abstract:Understanding which factors dominate password security is vital for users to create their secure passwords. Prior works generally consider the password length and the number of character classes as the dominant factors. However, creating secure passwords based on the above two factors becomes much more challenging than before due to the emergence of powerful data-driven guessing methods, e.g., the Probabilistic Context-free Grammars (PCFG) and its variations, Markov-based methods, and neural-network-based methods. In this paper, inspired by the segments used in PCFG, where a segment is a continuous string whose characters have a strong correlation, we conduct a comprehensive empirical analysis and find that the number of segments (# Segments for short) is a dominant factor of password security to resist against data-driven guessing. That is, the increase of # Segments generally leads to a significant improvement of password security. The observation helps us explore an optimised identification method for segments, referred to as re-segment, which reduces # Segments as much as possible to obtain accurate # Segments by leveraging five popular patterns (i.e., keyboard, abbreviation, leet, mixture, and component), to evaluate password security more accurately from an adversary’s viewpoint. Then we propose an efficient data-driven guessing method, referred to as ReSeg-PCFG, by leveraging re-segment based on the latest version of PCFG. Our study shows that ReSeg-PCFG outperforms the state-of-the-art data-driven guessing methods in almost all scenarios; e.g., it outperforms the latest version of PCFG by up to 79.34% at 1014 guesses, a commonly used threshold of off-line attacks.

Weili Han,Ming Xu,Junjie Zhang,Chuanwang Wang,Kai Zhang,X. Sean Wang

DOI: https://doi.org/10.1109/tifs.2020.3003696

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods' performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework TransPCFG, that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under ${10}^{14}$ offline guesses. For passwords with 16 characters, TransPCFG can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password 12zxcvbnword1997 has four segments since it follows the template ${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

computer science, theory & methods,engineering, electrical & electronic

Xiaochun Gan,Meng Chen,Dong Li,Zongyan Wu,Weili Han,Hu Chen

DOI: https://doi.org/10.1109/icece54449.2021.9674437

2021-01-01

Abstract:Password guessing plays an important role in studying the vulnerability of passwords to improve security. In modern password guessing methods, the patterns of passwords from users in specific regions are discovered from a large number of leaked passwords. Most traditional methods, such as PCFG, Markov process, and other deep learning methods rely only on the training set. Different from other application areas of machine learning, the training set of password guessing comes from leaked real password sets, such as Rockyou, CSDN, and VK. Traditional approaches of password guessing are effective for large-scale training sets. However, the size of leaked password sets leaked by users of small languages or users of specific organizations is very small, which makes it difficult for current password guessing methods which relying only on training sets to discover enough words in passwords. In order to solve this problem, this paper proposed a corpus-based password guessing method. First, we analyzed the common words and their categories in the leaked password sets from users in three different countries. On this basis, we proposed an organization method for multiple language corpora, and constructed corpora of more than 3 million words. Secondly, we improved the traditional PCFG password segmentation method and described password structure based on corpora. Third, we evaluated the probability of words in the corpora which are not appearing in the training set based on the Lapalace smoothing. Actual tests show that our method can produce a finer structure than the PCFG. When the size of the training set decreases, the cracking rate of the PCFG decreases significantly, while the impact of our method is not significant, and the cracking rate is significantly higher than that of the PCFG.

Zhijie Xie,Min Zhang,Yuqi Guo,Zhenhan Li,Hongjun Wang

DOI: https://doi.org/10.1155/2020/8837210

2020-01-01

Wireless Communications and Mobile Computing

Abstract:TarGuess − I is a leading online targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. It has attracted widespread attention in password security owing to its superior guessing performance. Yet, after analyzing the users’ vulnerable behaviors of using popular passwords and constructing passwords with users’ PII, we find that this model does not take into account popular passwords, keyboard patterns, and the special strings. The special strings are the strings related to users but do not appear in the users’ demographic information. Thus, we propose TarGuess − I + K P X , a modified password guessing model with three semantic methods, including (1) identifying popular passwords by generating top-300 lists from similar websites, (2) recognizing keyboard patterns by relative position, and (3) catching the special strings by extracting continuous characters from user-generated PII. We conduct a series of evaluations on six large-scale real-world leaked password datasets. The experimental results show that our modified model outperforms TarGuess − I by 2.62% within 100 guesses.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Xiaochun Gan,Dong Li,Hu Chen

DOI: https://doi.org/10.1109/itaic54216.2022.9836812

2022-01-01

Abstract:Previous studies have shown that the passwords set by users in different countries are related to their language and culture. This paper introduces a method of analyzing features of words in passwords based on corpora. The first step is constructing specific corpora, mainly including: collecting raw corpora, converting non-English words in raw corpora into ASCII strings, setting the priority of different corpora, and finally combining them according to the priority to build specific corpora. Based on corpus, the frequency of different sense-group in password can be evaluated by the coverage of corpora or a sense-group. According the above methods, the corpora of General Purpose, English, Russian, Japanese and Vietnamese are collected, and the features of words in passwords from Russia, Japan and Vietnam are analyzed. Recovering these features is of great significance to improve the strength of user password.

Zhijie Xie,Min Zhang,Anqi Yin,Zhenhan Li

DOI: https://doi.org/10.1007/978-3-030-55304-3_18

2020-01-01

Abstract:TarGuess-I is a leading targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. Owing to its superior guessing performance, TarGuess-I has attracted widespread attention in password security. Yet, TarGuess-I fails to capture popular passwords and special strings in passwords correctly. Thus we propose TarGuess-I: an improved password guessing model, which is capable of identifying popular passwords by generating top-300 most popular passwords from similar websites and grasping special strings by extracting continuous characters from user-generated PII. We conduct a series of experiments on 6 real-world leaked datasets and the results show that our improved model outperforms TarGuess-I by 9.07% on average with 1000 guesses, which proves the effectiveness of our improvements.