Shouling Ji,Shukun Yang,Xin Hu,Weili Han,Zhigong Li,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2015.2481884

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we conduct a large-scale study on the crackability, correlation, and security of ${\sim}145$ million real world passwords, which were leaked from several popular Internet services and applications. To the best of our knowledge, this is the largest empirical study that has been conducted. Specifically, we first evaluate the crackability of ${\sim}145$ million real world passwords against 6+ state-of-the-art password cracking algorithms in multiple scenarios. Second, we examine the effectiveness and soundness of popular commercial password strength meters (e.g., Google, QQ) and the security impacts of username/email leakage on passwords. Finally, we discuss the implications of our results, analysis, and findings, which are expected to help both password users and system administrators to gain a deeper understanding of the vulnerability of real passwords against state-of-the-art password cracking algorithms, as well as to shed light on future password security research topics.

Jeremiah Blocki,Ben Harsha,Samson Zhou

DOI: https://doi.org/10.48550/arXiv.2006.05023

2020-06-09

Abstract:We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with $10^5$ hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker -- if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of $500$ million cracked passwords is less than $100$ times the total value of $5$ million passwords). See paper for full abstract.

Cryptography and Security

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Ding Wang,Haibo Cheng,Ping Wang,Xinyi Huang,Chao-Hsien Chu

2016-01-01

Abstract:While the computer security world has changed a lot over the last two decades, textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention (e.g., user surveys and empirical analysis) has been paid to passwords chosen by English users, yet relatively little is known about how nonEnglish users select passwords. In this work, we conduct so far the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords. We further perform an empirical analysis of 100 million Chinese web passwords in a comparison with 30 million English ones, a corpus among the largest ones ever studied. We identify a number of interesting structural and semantic characteristics in Chinese passwords, and also examine their security by employing two state-of-the-art password cracking techniques (i.e., probabilistic context-free grammars (PCFG) and Markov models). Particularly, our cracking results reveal a “reversal principle”: when the guess number allowed is small, Chinese passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in 2012 and Li et al. in 2014, respectively. At 10 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is from 33.2% to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We also discuss the implications of our findings. This work is expected to help facilitate both security administrators and users to gain a better understanding of the vulnerability of Chinese passwords, as well as to shed light on future password research.

Shuo Zhang,Jianping Zeng,Zewen Zhang

DOI: https://doi.org/10.1109/icasid.2017.8285733

2017-01-01

Abstract:Currently the password security is serious, but there is not an appropriate metric for measuring passwords. Thus, the main purpose of this paper is to provide a security time period for the user's password in an online system, allowing the user to modify the password before the security period arrives to prevent the attacker from guessing correctly. We use the guessing chain to calculate the expected time that the attacker need to guess the target password correctly based on the guessing entropy. We assume that the attacker uses a dictionary attack, which is also a probability sequence, and the dictionary is non-ordered or ordered. At the same time, we analyze the large-scale password dataset Rockyou, which contains nearly 32 million passwords. And we assume that the ordered dictionary is organized in descending frequency, in which the probability of the occurrence of the password obeys a long-tailed distribution. We explore the form of the distribution function. And we first find that the simple Zipf distribution can better fit with the empirical distribution of ordered dictionary.

Xiujia Guo,Haibo Chen,Xuqin Liu,Xiangyu Xu,Zhong Chen

DOI: https://doi.org/10.48550/arXiv.1511.08324

2015-11-26

Cryptography and Security

Abstract:In this paper, we present a novel vision of large scale of empirical password sets available and improve the understanding of passwords by revealing their interconnections and considering the security on a level of the whole password set instead of one single password level. Through the visualization of Yahoo, Phpbb, 12306, etc. we, for the first time, show what the spatial structure of empirical password sets are like and take the community and clustering patterns of the passwords into account to shed lights on the definition of popularity of a password based on their frequency and degree separately. Furthermore, we propose a model of statistical guessing attack from the perspective of the data's topological space, which provide an explanation of the "cracking curve". We also give a lower bound of the minimum size of the dictionary needed to compromise arbitrary ratio of any given password set by proving that it is equivalent to the minimum dominating set problem, which is a NP-complete problem. Hence the minimal dictionary problem is also NP-complete.

Ding Wang,Haibo Cheng,Ping Wang

2017-01-01

Abstract:Textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention has been paid to passwords chosen by English users, yet only a few studies have examined how non-English users select passwords. In this paper, we fill the gap by employing both user-survey data and real-life data. We conduct so far the first user survey on the password behaviors of Chinese web users, the world’s largest Internet population (710 million). Our survey reveals a number of similarities and differences in coping strategies between these two user groups. We also explore some new questions regarding user sentiments and perceptions of security: 45% of Chinese users report that they insert (birth)dates into passwords, 55% believe their current passwords are more secure than previous ones and 69% consider password management as a bother. We further perform an extensive, empirical analysis of 73.1 million Chinese web passwords in a comparison with 33.2 million English counterparts. We identify a number of interesting structural and semantic characteristics in Chinese passwords, confirm many findings from our survey and also examine password security by employing two state-of-the-art cracking techniques. Particularly, our cracking results reveal the bifacial-security nature of Chinese passwords: when the guess number allowed is small, they are much weaker than their English counterparts, yet this relationship will be reversed when the guess number becomes large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in IEEE S&P’12 and Li et al. in Usenix SEC’14, respectively. At 107 guesses, our improved PCFG-based attack can crack 33.2%∼49.8% of the Chinese datasets, indicating that our attack can crack 92%∼188% more passwords than the best record reported by Li et al. We also discuss some implications of our findings. Keywords—User authentication, Password security, Semantic pattern, Probabilistic context-free grammar, Markov model.

Erqiang Zhou,Yejian Peng,Guanghui Shao,Fuhu Deng,Yurun Miao,Wulong Fan

DOI: https://doi.org/10.1016/j.future.2023.09.013

2024-01-01

Abstract:Textual password is one of the most important authentic means used in modern information systems and password cracking is an important means of measuring password strength. Recently, data-driven approaches are proposed in order to improve the efficiency and accuracy of the password guessing process. These methods usually train a model based on leaked password datasets so as to capture the internal patterns hidden behind the human created passwords, and most of them focus on the relationships between characters within a password. In this article, we emphasizes that the character relations between passwords need also to be considered. We treat a password as a sequence of chunks or segments, which is a small sub-string of the password and appears frequently in a password dataset. Instead of modeling the relations of chunks within a password, we proposed a method, which selects a seed password from a training set, breaks the seed password into chunks, and then generates new passwords by choosing a chunk and replacing it with another one according to their similarities. Several experiments are conducted on three password datasets so as to evaluate different aspects of the proposed approach. The results show that the proposed method is comparable with the state-of-the-art approaches, such as PassGAN, DPG, FLA and PCFG v4.3, which is the latest version of PCFG. The results also revealed that chunk level relations between passwords play an important role in the process of password creation.

Zhiyong Li,Tao Li,Fangdong Zhu

DOI: https://doi.org/10.1145/3325773.3325779

2019-01-01

Abstract:Password authentication is the most widely used authentication method in information systems. The traditional proactive password detection method is generally implemented by counting password length, character class number and computing password information entropy to improve password security. However, passwords that pass proactive password detection do not represent that they are secure. In this paper, based on the research of the characteristics of password distribution under big data, we propose an online password guessing method, which collects a dataset of guessing passwords composed of weak passwords, high frequency passwords and personal information related passwords. It is used to guess the 13k password dataset leaked in China's largest ticketing website, China Railways 12306 website. The experimental results show that even if our guess object has passed the strict proactive password detection, we can construct a guessing password dataset contain only 100 passwords, and effectively guess 4.84% of the passwords.

Lifeng Han

DOI: https://doi.org/10.48550/arXiv.1411.7803

2023-01-30

Abstract:With the rapid development of internet technologies, social networks, and other related areas, user authentication becomes more and more important to protect the data of users. Password authentication is one of the widely used methods to achieve authentication for legal users and defense against intruders. There have been many password-cracking methods developed during the past years, and people have been designing countermeasures against password cracking all the time. However, we find that the survey work on password cracking research has not been done very much. This paper is mainly to give a brief review of the password cracking methods, import technologies of password cracking, and the countermeasures against password cracking that are usually designed at two stages including the password design stage (e.g. user education, dynamic password, use of tokens, computer generations) and after the design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is to offer the abecedarian IT security professionals and the common audiences some knowledge about computer security and password cracking and promote the development of this area. Keywords- Computer security; User authentication; Password cracking; Cryptanalysis; Countermeasures

Cryptography and Security

Bo Lu,Xiaokuan Zhang,Ziman Ling,Yinqian Zhang,Zhiqiang Lin

DOI: https://doi.org/10.1145/3274694.3274714

2018-12-03

Abstract:Text passwords remain a primary means for user authentication on modern computer systems. However, recent studies have shown the promises of guessing user passwords efficiently with auxiliary information of the targeted accounts, such as the users' personal information, previously used passwords, or those used in other systems. Authentication rate-limiting mechanisms, such as account lockout and login throttling, are common methods to defeat online password cracking attacks. But to date, no published studies have investigated how authentication rate-limiting is implemented by popular websites. In this paper, we present a measurement study of such countermeasures against online password cracking. Towards this end, we propose a black-box approach to modeling and validating the websites' implementation of the rate-limiting mechanisms. We applied the tool to examine all 182 websites that we were able to analyze in the Alexa Top 500 websites in the United States. The results are rather surprising: 131 websites (72%) allow frequent, unsuccessful login attempts without account lockout or login throttling (though some of these websites force the adversary to lower the login frequency or constantly change his IP addresses to circumvent the rate-limiting enforcement). The remaining 51 websites are not absolutely secure either: 28 websites may block a legitimate user with correct passwords when the account is locked out, effectively enabling authentication denial-of-service attacks.

Xiaochun Gan,Meng Chen,Dong Li,Zongyan Wu,Weili Han,Hu Chen

DOI: https://doi.org/10.1109/icece54449.2021.9674437

2021-01-01

Abstract:Password guessing plays an important role in studying the vulnerability of passwords to improve security. In modern password guessing methods, the patterns of passwords from users in specific regions are discovered from a large number of leaked passwords. Most traditional methods, such as PCFG, Markov process, and other deep learning methods rely only on the training set. Different from other application areas of machine learning, the training set of password guessing comes from leaked real password sets, such as Rockyou, CSDN, and VK. Traditional approaches of password guessing are effective for large-scale training sets. However, the size of leaked password sets leaked by users of small languages or users of specific organizations is very small, which makes it difficult for current password guessing methods which relying only on training sets to discover enough words in passwords. In order to solve this problem, this paper proposed a corpus-based password guessing method. First, we analyzed the common words and their categories in the leaked password sets from users in three different countries. On this basis, we proposed an organization method for multiple language corpora, and constructed corpora of more than 3 million words. Secondly, we improved the traditional PCFG password segmentation method and described password structure based on corpora. Third, we evaluated the probability of words in the corpora which are not appearing in the training set based on the Lapalace smoothing. Actual tests show that our method can produce a finer structure than the PCFG. When the size of the training set decreases, the cracking rate of the PCFG decreases significantly, while the impact of our method is not significant, and the cracking rate is significantly higher than that of the PCFG.

Liron David,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.1912.02551

2020-05-05

Abstract:Human-chosen passwords are the a dominant form of authentication systems. Passwords strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password's rank in fractions of a second---without actually enumerating the passwords---so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. Our idea is to cast the question of password rank estimation in a probabilistic framework used in side-channel cryptanalysis. We view each password as a point in a $d$-dimensional search space, and learn the probability distribution of each dimension separately. The dimensions represent the base word, plus a dimension for each possible transformation such as adding a suffix or using a capitalization pattern. Using this model, password strength estimation is analogous to side-channel rank estimation. We implemented PERrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.

Cryptography and Security

Aikaterini Kanta,Iwen Coisel,Mark Scanlon

DOI: https://doi.org/10.1016/j.fsidi.2020.301075

2020-12-01

Abstract:From the end of the last century to date, consumers are increasingly living their lives online. In today’s world, the average person spends a significant proportion of their time connecting with people online through multiple platforms. This online activity results in people freely sharing an increasing amount of personal information – as well as having to manage how they share that information. For law enforcement, this corresponds to a slew of new sources of digital evidence valuable for digital forensic investigation. A combination of consumer level encryption becoming default on personal computing and mobile devices and the need to access information stored with third parties has resulted in a need for robust password cracking techniques to progress lawful investigation. However, current password cracking techniques are expensive, time-consuming processes that are not guaranteed to be successful in the time-frames common for investigations. In this paper, the potential for Open Source Intelligence (OSINT) being leveraged for more efficient password cracking is explored. A comprehensive survey of the literature on password strength, password cracking, and OSINT is outlined, and the law enforcement challenges surrounding these topics are discussed. Additionally, an analysis on password structure as well as demographic factors influencing password selection is presented. Finally, the potential impact of OSINT to password cracking by law enforcement is discussed.

computer science, information systems, interdisciplinary applications

Shouling Ji,Shukun Yang,Anupam Das,Xin Hu,Raheem Beyah

DOI: https://doi.org/10.1109/infocom.2017.8057067

2017-01-01

Abstract:In this paper, we study the correlation between passwords across different datasets which quantitatively explains the success of existing training-based password cracking techniques. We also study the correlation between a user's password and his/her social profile. This enabled us to develop the first social profile-aware password strength meter, namely SocialShield. Our quantification techniques and SocialShield have meaningful implications to system administrators, users, and researchers, e.g., helping them quantitatively understand the threats posed by a password leakage incident, defending against emerging profile-based password attacks, and facilitating the research of countermeasures against existing and newly developed training-based password attacks. We validate our proposed quantification techniques and SocialShield through extensive experiments by leveraging real-world leaked passwords. Experimental results demonstrate that our quantification techniques are accurate in measuring correlation among different leaked datasets and that although SocialShield is light-weight, it is effective in defending against profile-based password attacks.

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

Haodong Zhang,Chuanwang Wang,Wenqiang Ruan,Junjie Zhang,Ming Xu,Weili Han

DOI: https://doi.org/10.1145/3485832.3488025

2021-01-01

Abstract:Users usually create their passwords with meaningful digits, i.e. digit semantics, which can be partially exploited by probabilistic password guessing models with a data-driven methodology for better efficiency. However, these semantics are largely ignored by current practical password cracking tools, like John the Ripper (JtR) and Hashcat. In this paper, we are motivated to study the digit semantics in passwords and exploit them to improve the guessing efficiency of practical password cracking tools. We first design a practical extraction tool of digit semantics in passwords. Then we conduct a comprehensive empirical analysis of the digit semantics in four large-scale password sets leaked from the real world. Based on the analysis results, we further propose two new operations (the basic unit to construct mangling rules), then generate 1,974 digit semantics rules constructed from them. Moreover, in order to enforce semantics rules in JtR and Hashcat, we optimize their rule engines and running logic with the compatibility of the original built-in operations. The evaluation on the real password sets shows the significant advantage of digit semantics rules to extend current typical rule sets when we crack both Chinese and English (two of the largest user groups) passwords with digit strings.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Jing Zou,Dongdai Lin,Guo-Cui Mi

DOI: https://doi.org/10.1109/icmlc.2011.6016851

2011-01-01

Abstract:Due to the parallel nature of brute force attack, it is well suited to use parallel or distributed computing to recover passwords encrypted by one-way hash functions. When distributing the password cracking task between threads or nodes, it is necessary to divide the search space into several subspaces. It is ideal that the size of these subspaces is the same for a load balanced solution. However, increasing the length of passwords will raise the number of combinations exponentially. This will raises issues for the search space uniform partition. This paper presents a universal distributed model for password cracking capable of dividing the search space evenly. For this, the paper addresses the definition of a base-n-like number, and discusses operations on it and relations with base-n number. The model is data independent, easily implemented and needs a few of communications. Experimental results are then shown.