Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

GUO Yi-dong,QIU Wei-dong,LIU Bo-zhongP

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.07.052

2014-01-01

Abstract:Researches about network passwords security mainly focus on the analysis of the communication protocols and the encryption algorithm. There are few researches analyzing the behaviour of how users set their passwords. This paper proposes a new password analysis method by analyzing the attributions of passwords, having attributes resolution on original password, classifying attributions and applying Apriori algorithm on the result set of attributions classification by data mining and so on. It obtains the inherent characteristics of the password setting. Experimental results show that this method can effectively analyze the habits of real password setting from the passwords leaked by CSDN. A large number of weak passwords exist. Pure digital passwords account for 45.03%of the total. Passwords composed of family-name pinyin and digital account for a great majority of total passwords, this is 13.79%. It also demonstrates that the method is able to analyze 6.42 million passwords within 24 minutes, which shows that this method can effectively deal with the massive password data.

Rui Xu,Xiaojun Chen,Xingxing Wang,Jinqiao Shi

DOI: https://doi.org/10.1109/dsc.2018.00094

2018-01-01

Abstract:The current research mainly employs natural language processing techniques to study semantic patterns in passwords, but they do not explore deeply the construction of digits to generate more hittable guesses. In this paper, we utilize memory chunking method to split non-semantic digits in passwords, and define combination rules to split semantic digits patterns into small chunks. We use patterns customized for Chinese websites to extract structures and segments of letters and symbols. And we model them with Probabilistic Context-Free Grammars to generate password guesses. In addition, we introduce a definition called Password Guesses Probability Sparsity to describe the negative impact brought by sophisticated patterns, and develop measures to get substantial improvements. Experiment results based on large-scale datasets included over 160 million entries show our method guesses passwords much more effective than previous methods for guessing long numerical passwords and universal passwords. We achieve 107.18% relative improvements over John the Ripper for guessing long numerical passwords, and 14.46% relative gains than previous methods for guessing universal passwords.

Ding Wang,Gaopeng Jian,Ping Wang

2014-01-01

Abstract:Despite more than thirty years of intensive research efforts, textual passwords are still enveloped in mysterious veils. In this work, we make a substantial step forward in understanding the underlying distributions of passwords. By conducting linear regressions on a corpus of 97.2 million passwords (a mass of chaotic data), we for the first time show that Zipf’s law perfectly exists in user-generated passwords, figure out the corresponding exact distribution functions, and investigate some fundamental implications of our observations for password policies and password-based cryptographic protocols (e.g., authentication, encryption and signature). As one specific application of this law of nature, we propose the number of unique passwords used in regression and the absolute value of slope of the regression line together as a metric for assessing the strength of password datasets, and prove its correctness in a mathematically rigorous manner. In addition, extensive experiments (including optimal attacks, simulated optimal attacks and state-of-the-art cracking sessions) are performed to demonstrate the practical effectiveness of our metric. In two of four cases, our metric outperforms Bonneau’s α-guesswork in simplicity and to the best of knowledge, it is the first one that is both easy to approximate and accurate to facilitate comparisons, providing a useful tool for the security administrators to gain a precise grasp of the strength of their password datasets and to adjust the password policies more reasonably.

Ding Wang,Gaopeng Jian,Ping Wang

2015-01-01

Abstract:Despite more than thirty years of intensive research efforts, textual passwords are still enveloped in mysterious veils. In this work, we make a substantial step forward in understanding the underlying distributions of passwords. By conducting linear regressions on a corpus of 97.2 million passwords (a mass of chaotic data), we for the first time show that Zipf ’s law perfectly exists in user-generated passwords, figure out the corresponding exact distribution functions, and investigate some fundamental implications of our observations for password policies and password-based cryptographic protocols (e.g., authentication, encryption and signature). As one specific application of this law of nature, we propose the number of unique passwords used in regression and the absolute value of slope of the regression line together as a metric for assessing the strength of password datasets, and prove its correctness in a mathematically rigorous manner. In addition, extensive experiments (including optimal attacks, simulated optimal attacks and state-of-the-art cracking sessions) are performed to demonstrate the practical effectiveness of our metric. In two of four cases, our metric outperforms Bonneau’s α-guesswork in simplicity and to the best of knowledge, it is the first one that is both easy to approximate and accurate to facilitate comparisons, providing a useful tool for the security administrators to gain a precise grasp of the strength of their password datasets and to adjust the password policies more reasonably.

Joakim Kävrestad,Johan Zaxmy,Marcus Nohlberg

DOI: https://doi.org/10.1108/ics-11-2019-0132

2020-01-02

Information and Computer Security

Abstract:Purpose Using passwords to keep account and data safe is very common in modern computing. The purpose of this paper is to look into methods for cracking passwords as a means of increasing security, a practice commonly used in penetration testing. Further, in the discipline of digital forensics, password cracking is often an essential part of a computer examination as data has to be decrypted to be analyzed. This paper seeks to look into how users that actively encrypt data construct their passwords to benefit the forensics community. Design/methodology/approach The study began with an automated analysis of over one billion passwords in 22 different password databases that leaked to the internet. The study validated the result with an experiment were passwords created on a local website was analyzed during account creation. Further a survey was used to gather data that was used to identify differences in password behavior between user that actively encrypt their data and other users. Findings The result of this study suggests that American lowercase letters and numbers are present in almost every password and that users seem to avoid using special characters if they can. Further, the study suggests that users that actively encrypt their data are more prone to use keyboard patterns as passwords than other users. Originality/value This paper contributes to the existing body of knowledge around password behavior and suggests that password-guessing attacks should focus on American letters and numbers. Further, the paper suggests that forensics experts should consider testing patterns-based passwords when performing password-guessing attacks against encrypted data.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-24177-7_23

2015-01-01

Abstract:While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts.We proceed to investigate the effectiveness of these 50 policies in resisting against the primary threat to password accounts (i.e. online guessing) by testing each policy against two types of weak passwords which represent two types of online guessing. Our results show that among the total 800 test instances, 541 ones are accepted: 218 ones come from trawling online guessing attempts and 323 ones come from targeted online guessing attempts. This implies that, currently, the policies enforced in leading sites largely fail to serve their purposes, especially vulnerable to targeted online guessing attacks.

Kim-Phuong L. Vu,Robert W. Proctor,Abhilasha Bhargav-Spantzel,Bik-Lam Tai,Joshua Cook,E. Eugene Schultz,Bik-Lam (Belin) Tai

DOI: https://doi.org/10.1016/j.ijhcs.2007.03.007

2007-08-01

Abstract:Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username–password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

computer science, cybernetics,ergonomics,psychology, multidisciplinary

Rui Xu,Xiaojun Chen,Yingbing Wang,Jinqiao Shi,Haitao Mi

DOI: https://doi.org/10.1109/MILCOM.2016.7795425

2016-01-01

Abstract:The conventional password cracking methods view the consecutive digits in passwords as a single unit without understanding the internal structures of digits. In this paper, in order to enhance the analysis of numerical passwords, we borrow the idea of chunking in psychology, and segment each numerical password into small chunks to help understand the structures. Empirically, we learn chunks and structures based on their frequencies from the numerical passwords of leaked corpus, and model them with probabilistic context-free grammars to generate password guesses. Experiment results on the leaked Chinese password corpus included 24 million entries show that our approach achieves 46.91% relative gains over word lists approach, and 31.07% relative gains in the first 1 million guesses than John the Ripper (JtR), and 50.76% relative gains for guessing long numerical password than JtR.

Ding Wang,Haibo Cheng,Ping Wang,Xinyi Huang,Chao-Hsien Chu

2016-01-01

Abstract:While the computer security world has changed a lot over the last two decades, textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention (e.g., user surveys and empirical analysis) has been paid to passwords chosen by English users, yet relatively little is known about how nonEnglish users select passwords. In this work, we conduct so far the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords. We further perform an empirical analysis of 100 million Chinese web passwords in a comparison with 30 million English ones, a corpus among the largest ones ever studied. We identify a number of interesting structural and semantic characteristics in Chinese passwords, and also examine their security by employing two state-of-the-art password cracking techniques (i.e., probabilistic context-free grammars (PCFG) and Markov models). Particularly, our cracking results reveal a “reversal principle”: when the guess number allowed is small, Chinese passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in 2012 and Li et al. in 2014, respectively. At 10 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is from 33.2% to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We also discuss the implications of our findings. This work is expected to help facilitate both security administrators and users to gain a better understanding of the vulnerability of Chinese passwords, as well as to shed light on future password research.

Wanda Li,Jianping Zeng

DOI: https://doi.org/10.1109/tifs.2021.3050066

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Text-based passwords have long acted as the dominating authentication method. Leet, as one of the significant components in password, has not been paid enough attention yet. In this paper, we systematically study the presence of Leet in passwords. We define single and pattern forms of Leet and propose a matching approach to check whether a user password contains Leet. We extract the most prevalent counterpart pairs of Leet manifestations. Afterward, we examine the effect of Leet in passwords by incorporating Leet transformation into the probabilistic context-free grammar(PCFG) method to crack passwords. We construct the first comprehensively analyzed dictionary of Leets for passwords, which is confirmed suitable for most datasets by user survey. Experiments on four leaked password sets demonstrate that distinguished Leet usage accumulates to account for around 1% of the total dataset. Only 5% of high-frequency Leets replacement could increase the cracking rate by 0.55%. For crackers, incorporating popular Leets aids to improve password cracking performance. For users, adopting low-frequency Leets could strengthen their passwords. This research provides a new perspective to investigate Leet transformations in passwords.

A. Jallad,Zakaria Al-Qudah,Mohammed Awad,Sahar Idwan

DOI: https://doi.org/10.1109/ICEDSA.2016.7818558

2016-12-01

Abstract:No matter how sophisticated and advanced an organization's security system is, it remains vulnerable due to the human factor. In this paper, we conducted a survey to analyze the patterns used by the faculty, staff, and students when generating passwords at a small sized university. We found that users are not as aware of security requirements and practices as they think. Moreover, the vast majority of users' passwords are breakable within days or shorter. Interestingly, we found that using numbers and uppercase letters is common among users. However, numbers are mostly used at the end of the passwords and uppercase letters are mostly used at the beginning of passwords. The existence of such trends makes it easier for attackers to generate more effective dictionaries. Based on the analysis in this paper, we make recommendations to IT personnel and the general public to harden the security of their passwords.

Computer Science

Daojing He,Beibei Zhou,Xiao Yang,Sammy Chan,Yao Cheng,Nadra Guiana

DOI: https://doi.org/10.1109/mnet.001.1900482

IF: 10.294

2020-01-01

IEEE Network

Abstract:User authentication is an important means to ensure the security of users' cyber accounts. Although there are various authentication means such as irises and fingerprints, passwords are still the main authentication method for the foreseeable future due to their low cost and easy implementation. Password strength evaluation is to measure the security strength of passwords, which has been widely studied. However, we found that the current password strength evaluation methods ignore the characteristics from password creators and do not consider the impact of regional groups on password generation. In this paper, we propose the concept of group passwords to analyze the password characteristics of different groups. Based on this notion, a group-based password strength evaluation method is proposed. In addition, we analyze the vulnerabilities of largescale real-world password groups leaked in previous security incidents. The analysis results show that different password groups have different characteristics. Then, we use the attention mechanism (AM) in the neural network model to learn the dependence between group characteristics and password context features. A long short-term memory (LSTM) model with natural advantages in processing timing features is used to process the password to achieve a more accurate password strength evaluation. We demonstrate the effectiveness of groupbased password evaluation using the real-world password data sets.

Shouling Ji,Shukun Yang,Xin Hu,Weili Han,Zhigong Li,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2015.2481884

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we conduct a large-scale study on the crackability, correlation, and security of ${\sim}145$ million real world passwords, which were leaked from several popular Internet services and applications. To the best of our knowledge, this is the largest empirical study that has been conducted. Specifically, we first evaluate the crackability of ${\sim}145$ million real world passwords against 6+ state-of-the-art password cracking algorithms in multiple scenarios. Second, we examine the effectiveness and soundness of popular commercial password strength meters (e.g., Google, QQ) and the security impacts of username/email leakage on passwords. Finally, we discuss the implications of our results, analysis, and findings, which are expected to help both password users and system administrators to gain a deeper understanding of the vulnerability of real passwords against state-of-the-art password cracking algorithms, as well as to shed light on future password security research topics.

Suood Alroomi,Frank Li

DOI: https://doi.org/10.48550/arXiv.2309.03384

2023-09-06

Cryptography and Security

Abstract:Researchers have extensively explored how password creation policies influence the security and usability of user-chosen passwords, producing evidence-based policy guidelines. However, for web authentication to improve in practice, websites must actually implement these recommendations. To date, there has been limited investigation into what password creation policies are actually deployed by sites. Existing works are mostly dated and all studies relied on manual evaluations, assessing a small set of sites (at most 150, skewed towards top sites). Thus, we lack a broad understanding of the password policies used today. In this paper, we develop an automated technique for inferring a website's password creation policy, and apply it at scale to measure the policies of over 20K sites, over two orders of magnitude (135x) more sites than prior work. Our findings identify the common policies deployed, potential causes of weak policies, and directions for improving authentication in practice. Ultimately, our study provides the first large-scale understanding of password creation policies on the web.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-24177-7_23

2015-01-01

Abstract:While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts.

He Daojing,Yang Xiao,Wu Yu

2018-01-01

Abstract:The invention discloses a semantic transformation-based password enhancing method. The method comprises the following steps of: command blacklist matching: matching a password submitted by a user withan existing password blacklist; password strength assessment: assessing the strength of the password through comparing a generation probability for calculating user passwords with a set probability threshold value; password segmentation: segmenting the password into a plurality of fragments after carrying out semantic analysis on weak password; and password semantic transformation and enhancement: transforming the password fragments through a predefined transformation algorithm to ensure that the enhanced password and the original password has certain similarity. According to the method, theusers are fundamentally enabled to use fewer weak passwords through using a blacklist technology, and algorithms such as password strength assessment and semantic analysis and segmentation are used, so that the password availability is ensured, the password strength is improved, the guessing attack defensing ability of the passwords is strengthened and the password safety is improved.

Shuo Zhang,Jianping Zeng,Zewen Zhang

DOI: https://doi.org/10.1109/icasid.2017.8285733

2017-01-01

Abstract:Currently the password security is serious, but there is not an appropriate metric for measuring passwords. Thus, the main purpose of this paper is to provide a security time period for the user's password in an online system, allowing the user to modify the password before the security period arrives to prevent the attacker from guessing correctly. We use the guessing chain to calculate the expected time that the attacker need to guess the target password correctly based on the guessing entropy. We assume that the attacker uses a dictionary attack, which is also a probability sequence, and the dictionary is non-ordered or ordered. At the same time, we analyze the large-scale password dataset Rockyou, which contains nearly 32 million passwords. And we assume that the ordered dictionary is organized in descending frequency, in which the probability of the occurrence of the password obeys a long-tailed distribution. We explore the form of the distribution function. And we first find that the simple Zipf distribution can better fit with the empirical distribution of ordered dictionary.

Liping Li,Qinglei Zhou,Bin Li,Xueming Si

DOI: https://doi.org/10.1109/CyberC.2018.00014

2018-01-01

Abstract:Identity authentication is the first line of defense to ensure the security of information systems, and passwords are the most widely used authentication method. Choosing a valid password structure is an effective way to prevent password attacks, such as password dictionary attack. This article talked 68386069 real plaintext passwords with statistical their various features, summarized several rules for generating highly utilized passwords in certain styles. Based on these statistical features and rules, it generated high-probability password structure gene banks. With them, it formulates a dictionary to generate the candidate passwords. Thereby, this can enhance the efficiency of password recovery. We conducted extensive experiments by the real password test data, and the experimental results, compared with the dictionary provided by major websites, show that the dictionary of high probability password structure hit rate increased by about 30%. At the same time, this dictionary can save about one-third of the running time.