Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Jun Luo,Jin Deng,Chu Lu,Hong Liu

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00377

2019-01-01

Abstract:Password generation becomes an emerging issue to improve the efficiency of authentication in social engineering and plays an important role in checking the security vulnerability since the weak password may lead to possible attacks for different users. To determine the password vulnerability and to enhance user privacy, a recurrent neural network (i.e., long short-term memory (LSTM) and gated recurrent unit (GRU)) based password generation scheme is proposed for group attribute context-ware applications. In this work, different group attributes are considered for modeling training, natural language processing is adopted for password prediction, and password similarity computing is established for analyzing the group relations. The password strength evaluation is performed on the fixed length password based on generation probability. It indicates that group attributes based password generation model has more accuracy than the ordinary model.

Chuangchuang SONG,Yong FANG,Cheng HUANG,Liang LIU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017102516

2018-01-01

Abstract:Focused on the issue that the existing password evaluation models cannot be used universally,and there is no evaluation model applicable from simple passwords to very complex passwords.A password evaluation model was designed based on multi-model ensemble learning.Firstly,an actual password training set was used to train multiple existing password evaluation models as the sub-models.Secondly,a multiple trained evaluation sub-models were used as the base learners for ensemble learning,and the ensemble learning strategy which designed to be partial to weakness,was used to get all advantages of sub-models.Finally,a common password evaluation model with high accuracy was obtained.Actual user password set that leaked on the network was used as the experimental data set.The experimental results show that the multi-model ensemble learning model used to evaluate the password strength of different complexity passwords,has a high accuracy and is universal.The proposed model has good applicability in the evaluation of passwords.

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Daojing He,Xiao Yang,Beibei Zhou,Yu Wu,Yao Cheng,Nadra Guizani

DOI: https://doi.org/10.1109/mnet.2019.1900033

IF: 10.294

2019-01-01

IEEE Network

Abstract:With the continuous development of authentication approaches, password-based authentication is still the first choice for various online services today. The security of password-based authentication relies heavily on the strength of the passwords created by users. Password enhancement is a general way to increase the difficulty of cracking a password. An ideal password enhancement strategy should take into account both the usability (mainly the memorability) and the security of passwords. However, it has been found that the higher the password strength, the lower the usability of the password, and vice versa. In order to balance the usability and the security of the password, we propose a password enhancement method based on semantic transformation, which can effectively analyze the semantic structure of a given password. This enhances the password's strength through one or more password semantic transformations to make the password better protected against guessing attacks. Finally, we use publicly available real-world password data sets leaked in previous security incidents to conduct experiments. Our password enhancement strategy significantly reduces the proportion of guesses by a classic password guessing attack, which demonstrates the effectiveness of the method.

Prof. Saritha Murali,

DOI: https://doi.org/10.55041/ijsrem17298

2022-12-25

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:This paper outlines research based on password strength measurement analysis using various machine learning approaches. In the current world, a password is the most indispensable authentication mechanism concerning any system security. Although there are multiple authentication methods available nowadays which provide improved security such as biometrics and smart cards still the password authentication mechanism is auspicious to everyone for enhanced system security. Generally, humans prefer to set a password related to their birthplace, date of birth, keyboard patterns, dictionary words, phone number, etc. Online or offline attackers and intruders can guess these passwords easily and intrude the system security. Privacy and data protection have become a need today. Cyber security is growing in its importance in literally every domain in recent years. Every person must safeguard their data and have a basic understanding of the technical developments taking place in many businesses. Key Words: Machine learning, password, Multi-Layer Perceptron

English Else

Tao Zhang,Zelei Cheng,Yi Qin,Qiang Li,Lin Shi

DOI: https://doi.org/10.1109/trustcom50675.2020.00155

2020-01-01

Abstract:Text passwords are the most widely used authentication methods and will also be used in the future. Text passwords can be regarded as meaningful strings, and deep learning methods have an advantage of text processing. LSTM, RNN, GAN and other deep learning models have been using in password guessing and password strength measurements. In the paper, we make a survey on state-of-the-art deep learning methods for password guessing and password strength evaluation, including password pattern extraction, candidate password generation and password strength measurement. Compared with traditional methods, neural networks based methods can achieve better results and performance.

GUO Yi-dong,QIU Wei-dong,LIU Bo-zhongP

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.07.052

2014-01-01

Abstract:Researches about network passwords security mainly focus on the analysis of the communication protocols and the encryption algorithm. There are few researches analyzing the behaviour of how users set their passwords. This paper proposes a new password analysis method by analyzing the attributions of passwords, having attributes resolution on original password, classifying attributions and applying Apriori algorithm on the result set of attributions classification by data mining and so on. It obtains the inherent characteristics of the password setting. Experimental results show that this method can effectively analyze the habits of real password setting from the passwords leaked by CSDN. A large number of weak passwords exist. Pure digital passwords account for 45.03%of the total. Passwords composed of family-name pinyin and digital account for a great majority of total passwords, this is 13.79%. It also demonstrates that the method is able to analyze 6.42 million passwords within 24 minutes, which shows that this method can effectively deal with the massive password data.

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Binh Le Thanh Thai,Hidema Tanaka

DOI: https://doi.org/10.1109/access.2024.3401195

IF: 3.9

2024-05-22

IEEE Access

Abstract:Nowadays, passwords play an important role in ensuring practical security. Password strength meters (PSMs) are typical and well-known tools developed to help users estimate password strength. Among existing PSMs, Markov-based PSMs offer high accuracy and reliability. However, these PSMs are often compared with other types of PSMs, and no study has compared their accuracy in detail. Two types of Markov models introduced in previous studies are the Simple Markov Model (SMM) and the Layered Markov Model (LMM). When calculating the probability of a password, these models consider two factors: character position and password length. However, these two models do not cover all possible cases of these two factors. In this paper, we introduce the application of two new Markov models, which can be seen as "hybrid models" of SMM and LMM, into PSMs, called Simple Markov Model with password length consideration (SMMl) and unique Layered Markov Model (uLMM), to cover all the missing cases. Then, we present two specific scenarios and compare the effectiveness of four types of Markov models in evaluating passwords based on these two scenarios. The experimental results indicate that the SMMl model, one of the two models proposed in this paper, yields the best effectiveness. This result also suggests that the number of samples of sub-string sequences obtained during the training process affects the effectiveness of password evaluation. Therefore, we conduct a detailed analysis related to this issue. These results will support us in developing new PSMs in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ming Xu,Weili Han

DOI: https://doi.org/10.1155/2019/5184643

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Textual passwords are still dominating the authentication of remote file sharing and website logins, although researchers recently showed several vulnerabilities about this authentication mechanism. When a user creates or changes a password, a website usually leverages a password strength meter (PSM for short) to show the strength of the password. When the password is evaluated as a weak one, the user may replace the password with a stronger or securer one. However, the user is usually confused when the password, especially a frequently used password, is shown as a weak one. We argue that an explainable password strength meter addon, which could show the reasons of weak, may help users to more effectively create a secure password. Unfortunately, we find few sites in Alexa global top 100 showing these details. Motivated to help users with an explainable PSM, this paper proposes an addon to PSMs providing feedbacks in the form of pattern passwords explaining why a password is weak. This PSM addon can detect twelve types of patterns, which cover a very large proportion among 70 million of leaked real passwords from high-profile websites. According to our evaluation and user study, our PSM addon, which leverages textual pattern passwords, can effectively detect these popular patterns and effectively help users create securer passwords.

HONG Meng,QIU Weidong,WANG Yangde

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024008

2024-01-01

Abstract:Password-based authentication has been widely used as the primary authentication mechanism.However,occasional large-scale password leaks have highlighted the vulnerability of passwords to risks such as guessing or theft.In recent years,research on password analysis using natural language processing techniques has progressed,treating passwords as a special form of natural language.Nevertheless,limited studies have investigated the impact of password text segmentation granularity on the effectiveness of password analysis with large language models.A multi-granularity password-analyzing framework was proposed based on a large language model,which follows the pre-training paradigm and autonomously learns prior knowledge of password distribution from large unlabelled da-tasets.The framework comprised three modules:the synchronization network,backbone network,and tail network.The synchronization network module implemented char-level,template-level,and chunk-level password segmenta-tion,extracting knowledge on character distribution,structure,word chunk composition,and other password features.The backbone network module constructed a generic password model to learn the rules governing password compo-sition.The tail network module generated candidate passwords for guessing and analyzing target databases.Experi-mental evaluations were conducted on eight password databases including Tianya and Twitter,analyzing and sum-marizing the effectiveness of the proposed framework under different language environments and word segmenta-tion granularities.The results indicate that in Chinese user scenarios,the performance of the password-analyzing framework based on char-level and chunk-level segmentation is comparable,and significantly superior to the framework based on template-level segmentation.In English user scenarios,the framework based on chunk-level segmentation demonstrates the best password-analyzing performance.

Yangde Wang,Haozhang Li,Weidong Qiu,Shujun Li,Peng Tang

DOI: https://doi.org/10.1007/978-981-97-5101-3_22

2024-07-19

Abstract:Textual passwords are still the most widely used user authentication mechanism. Due to the close connections between textual passwords and natural languages, advanced technologies in natural language processing (NLP) and machine learning (ML) could be used to model passwords for different purposes such as studying human password-creation behaviors and developing more advanced password cracking methods for informing better defence mechanisms. In this paper, we propose PassTSL (modeling human-created Passwords through Two-Stage Learning), inspired by the popular pretraining-finetuning framework in NLP and deep learning (DL). We report how different pretraining settings affected PassTSL and proved its effectiveness by applying it to six large leaked password databases. Experimental results showed that it outperforms five state-of-the-art (SOTA) password cracking methods on password guessing by a significant margin ranging from 4.11% to 64.69% at the maximum point. Based on PassTSL, we also implemented a password strength meter (PSM), and our experiments showed that it was able to estimate password strength more accurately, causing fewer unsafe errors (overestimating the password strength) than two other SOTA PSMs when they produce the same rate of safe errors (underestimating the password strength): a neural-network based method and zxcvbn. Furthermore, we explored multiple finetuning settings, and our evaluations showed that, even a small amount of additional training data, e.g., only 0.1% of the pretrained data, can lead to over 3% improvement in password guessing on average. We also proposed a heuristic approach to selecting finetuning passwords based on JS (Jensen-Shannon) divergence and experimental results validated its usefulness. In summary, our contributions demonstrate the potential and feasibility of applying advanced NLP and ML methods to password modeling and cracking.

Cryptography and Security,Artificial Intelligence,Computation and Language

Chen Ruihao,Qiu Weidong

DOI: https://doi.org/10.3969/j.issn.1007-757X.2015.04.014

2015-01-01

Abstract:This paper proposes an analyzing method which is fit for a large number of passwords. By building up a neural network model, it can analyze and dig for potential relationships between password attributes. After attribute assignment for passwords of different application types, it can utilize neural network tool in MATLAB to finish model building, training and simulation testing, in order to find out potential and valuable relationships or rules between attributes. With such relationships, it can help to deduce un-known attribute values from the already known ones, or provide some directivity help for password cracking and recovery work by generating brute force cracking dictionary, which reflects the users’ habits of password setting.

Ding Wang,Debiao He,Haibo Cheng,Ping Wang

DOI: https://doi.org/10.1109/DSN.2016.60

2016-01-01

Abstract:To provide timely feedbacks to users, nearly every respectable Internet service now imposes a password strength meter (PSM) upon user registration or password change. It is a rare bit of good news in password research that well-designed PSMs do help improve the strength of user-chosen passwords. However, leading PSMs in the industrial world (e.g., Zxcvbn, KeePSM and NIST PSM) are mainly composed of simple heuristic rules and found to be highly inaccurate, while state-of-the-art PSMs from academia (e.g., probabilistic context-free grammar based ones and Markov-based ones) are still far from satisfactory, especially incompetent at gauging weak passwords. As preventing weak passwords is the primary goal of any PSM, this means that existing PSMs largely fail to serve their purpose. To fill this gap, in this paper we propose a novel PSM that is grounded on real user behavior. Our user survey reveals that when choosing passwords for a new web service, most users (77.38%) simply retrieve one of their existing passwords from memory and then reuse (or slightly modify) it. This is in vast contrast to the seemingly intuitive yet unrealistic assumption (often implicitly) made in most of the existing PSMs that, when user registers, a whole new password is constructed by mixing segments of letter, digit and/or symbol or by combining n-grams. To model users' realistic behaviors, we use passwords leaked from a less sensitiveservice as our base dictionary and another list of relatively strong passwords leaked from a sensitive service as our training dictionary, and determine how mangling rules are employed by users to construct passwords for new services. This process automatically creates a fuzzy probabilistic context-free grammar (PCFG) and gives rise to our fuzzy-PCFG-based meter, fuzzyPSM. It can react dynamically to changes in how users choose passwords and is evaluated by comparisons with five representative PSMs. Extensive experiments on 11 real-world password lists show that fuzzyPSM, in general, outperforms all its counterparts, especially accurate in telling apart weak passwords and suitable for services where online guessing attacks prevail.

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

Kim-Phuong L. Vu,Robert W. Proctor,Abhilasha Bhargav-Spantzel,Bik-Lam Tai,Joshua Cook,E. Eugene Schultz,Bik-Lam (Belin) Tai

DOI: https://doi.org/10.1016/j.ijhcs.2007.03.007

2007-08-01

Abstract:Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username–password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

computer science, cybernetics,ergonomics,psychology, multidisciplinary

Xin Su,Bingying Wang,Xuewu Zhang,Yupeng Wang,Dongmin Choi

DOI: https://doi.org/10.1002/cpe.4150

2018-01-01

Abstract:Secure mechanisms have been adapted to satisfy the needs of mobile subscribers; however, the mobile environment is quite different from a desktop PC or laptop-based environment. The existing attack patterns in mobile environments are also quite different, and the countermeasures applied should be enhanced. In regards to usability, the mobile environment is based on mobility, and thus, mobile devices are designed and developed to enhance the owner's efficiency. To avoid forgetting passwords, people are willing to adopt simple alphanumeric-character combinations, which are easy to remember and convenient to enter. As a result, the passwords have a high probability of being cracked or exposed. In this paper, we study the potential security problems caused by simple and weak passwords, discuss drawbacks of some conventional works, and propose 3 creative schemes to increase the complexity and strength of passwords by applying the envisioned features. Note that our proposals are based on the assumption that the textual passwords are not difficult for users to remember or enter and do not cause inconvenience to users. In other words, the proposed methods can increase the complexity of simple passwords without the awareness of users.

Yao Cheng,Chang Xu,Zhen Hai,Yingjiu Li

DOI: https://doi.org/10.1109/tdsc.2020.2987025

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Strong passwords are fundamental to the security of password-based user authentication systems. In the recent years, much effort has been made to evaluate the password strength or to generate strong passwords. Unfortunately, the usability or memorability of the strong passwords has been largely neglected. In this article, we aim to bridge the gap between strong password generation and the usability of strong passwords. We propose to automatically generate textual password mnemonics, i.e., natural language sentences, which are intended to help users better memorize passwords. We introduce DeepMnemonic, a deep attentive encoder-decoder framework which takes a password as input and then automatically generates a mnemonic sentence for the password. We conduct extensive experiments to evaluate DeepMnemonic on the real-world data sets. The experimental results demonstrate that DeepMnemonic outperforms a well-known baseline for generating semantically meaningful mnemonic sentences. Moreover, the user study further validates that the generated mnemonic sentences by DeepMnemonic are useful in helping users memorize strong passwords.

computer science, information systems, software engineering, hardware & architecture