Yubing Bao,Jianping Zeng,Jirui Yang,Ruining Yang,Zhihui Lu

DOI: https://doi.org/10.1145/3703350

IF: 2.717

2024-01-01

ACM Transactions on Privacy and Security

Abstract:The predominant authentication method still relies on usernames and passwords. To enhance memorability, domain terms may have been opted to include as part of passwords. However, there is little analysis of the extent to which such practice affects password security, so there is a lack of guidance on how users use domain terms on websites with different domain characteristics. To address the problem, we propose a novel approach to analyze the security effect of using domain terms in passwords. The methodology primarily consists of three stages. Firstly, we utilize Web crawlers to harvest domain vocabularies, subsequently leveraging the TextRank algorithm to rank their importance. Afterward, we propose an algorithm for constructing a simulated domain-specific password dataset by replacing password elements with domain terms. Finally, password guessing experiments are done on the dataset using PCFG and Markov model to evaluate the impact of domain terms on password security. The experimental results indicate that, for systems without clear domain, 20% domain terms replacement in the test set can reduce the cracking rate by up to 5.45%. In contrast, for domain-specific systems, 20% domain terms replacement in the training set can increase the cracking rate by 6.45%. These findings provide practical guidance on the application of domain knowledge in password creation for different types of systems. In summary, this study offers a novel perspective for exploring the security implications of passwords influenced by specific domains.

Yangde Wang,Weidong Qiu,Weicheng Zhang,Hao Tian,Shujun Li

DOI: https://doi.org/10.48550/arXiv.2306.06824

2023-06-12

Cryptography and Security

Abstract:Much research has been done on user-generated textual passwords. Surprisingly, semantic information in such passwords remain underinvestigated, with passwords created by English- and/or Chinese-speaking users being more studied with limited semantics. This paper fills this gap by proposing a general framework based on semantically enhanced PCFG (probabilistic context-free grammars) named SE#PCFG. It allowed us to consider 43 types of semantic information, the richest set considered so far, for semantic password analysis. Applying SE#PCFG to 17 large leaked password databases of user speaking four languages (English, Chinese, German and French), we demonstrate its usefulness and report a wide range of new insights about password semantics at different levels such as cross-website password correlations. Furthermore, based on SE#PCFG and a new systematic smoothing method, we proposed the Semantically Enhanced Password Cracking Architecture (SEPCA). To compare the performance of SEPCA against three state-of-the-art (SOTA) benchmarks in terms of the password coverage rate: two other PCFG variants and FLA. Our experimental results showed that SEPCA outperformed all the three benchmarks consistently and significantly across 52 test cases, by up to 21.53%, 52.55% and 7.86%, respectively, at the user level (with duplicate passwords). At the level of unique passwords, SEPCA also beats the three benchmarks by up to 33.32%, 86.19% and 10.46%, respectively. The results demonstrated the power of SEPCA as a new password cracking framework.

Wanda Li,Jianping Zeng

DOI: https://doi.org/10.1109/tifs.2021.3050066

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Text-based passwords have long acted as the dominating authentication method. Leet, as one of the significant components in password, has not been paid enough attention yet. In this paper, we systematically study the presence of Leet in passwords. We define single and pattern forms of Leet and propose a matching approach to check whether a user password contains Leet. We extract the most prevalent counterpart pairs of Leet manifestations. Afterward, we examine the effect of Leet in passwords by incorporating Leet transformation into the probabilistic context-free grammar(PCFG) method to crack passwords. We construct the first comprehensively analyzed dictionary of Leets for passwords, which is confirmed suitable for most datasets by user survey. Experiments on four leaked password sets demonstrate that distinguished Leet usage accumulates to account for around 1% of the total dataset. Only 5% of high-frequency Leets replacement could increase the cracking rate by 0.55%. For crackers, incorporating popular Leets aids to improve password cracking performance. For users, adopting low-frequency Leets could strengthen their passwords. This research provides a new perspective to investigate Leet transformations in passwords.

Chuanwang Wang,Junjie Zhang,Ming Xu,Haodong Zhang,Weili Han

DOI: https://doi.org/10.1016/j.cose.2022.102848

IF: 5.105

2022-01-01

Computers & Security

Abstract:Understanding which factors dominate password security is vital for users to create their secure passwords. Prior works generally consider the password length and the number of character classes as the dominant factors. However, creating secure passwords based on the above two factors becomes much more challenging than before due to the emergence of powerful data-driven guessing methods, e.g., the Probabilistic Context-free Grammars (PCFG) and its variations, Markov-based methods, and neural-network-based methods. In this paper, inspired by the segments used in PCFG, where a segment is a continuous string whose characters have a strong correlation, we conduct a comprehensive empirical analysis and find that the number of segments (# Segments for short) is a dominant factor of password security to resist against data-driven guessing. That is, the increase of # Segments generally leads to a significant improvement of password security. The observation helps us explore an optimised identification method for segments, referred to as re-segment, which reduces # Segments as much as possible to obtain accurate # Segments by leveraging five popular patterns (i.e., keyboard, abbreviation, leet, mixture, and component), to evaluate password security more accurately from an adversary’s viewpoint. Then we propose an efficient data-driven guessing method, referred to as ReSeg-PCFG, by leveraging re-segment based on the latest version of PCFG. Our study shows that ReSeg-PCFG outperforms the state-of-the-art data-driven guessing methods in almost all scenarios; e.g., it outperforms the latest version of PCFG by up to 79.34% at 1014 guesses, a commonly used threshold of off-line attacks.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Haodong Zhang,Chuanwang Wang,Wenqiang Ruan,Junjie Zhang,Ming Xu,Weili Han

DOI: https://doi.org/10.1145/3485832.3488025

2021-01-01

Abstract:Users usually create their passwords with meaningful digits, i.e. digit semantics, which can be partially exploited by probabilistic password guessing models with a data-driven methodology for better efficiency. However, these semantics are largely ignored by current practical password cracking tools, like John the Ripper (JtR) and Hashcat. In this paper, we are motivated to study the digit semantics in passwords and exploit them to improve the guessing efficiency of practical password cracking tools. We first design a practical extraction tool of digit semantics in passwords. Then we conduct a comprehensive empirical analysis of the digit semantics in four large-scale password sets leaked from the real world. Based on the analysis results, we further propose two new operations (the basic unit to construct mangling rules), then generate 1,974 digit semantics rules constructed from them. Moreover, in order to enforce semantics rules in JtR and Hashcat, we optimize their rule engines and running logic with the compatibility of the original built-in operations. The evaluation on the real password sets shows the significant advantage of digit semantics rules to extend current typical rule sets when we crack both Chinese and English (two of the largest user groups) passwords with digit strings.

Ding Wang,Haibo Cheng,Ping Wang,Xinyi Huang,Chao-Hsien Chu

2016-01-01

Abstract:While the computer security world has changed a lot over the last two decades, textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention (e.g., user surveys and empirical analysis) has been paid to passwords chosen by English users, yet relatively little is known about how nonEnglish users select passwords. In this work, we conduct so far the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords. We further perform an empirical analysis of 100 million Chinese web passwords in a comparison with 30 million English ones, a corpus among the largest ones ever studied. We identify a number of interesting structural and semantic characteristics in Chinese passwords, and also examine their security by employing two state-of-the-art password cracking techniques (i.e., probabilistic context-free grammars (PCFG) and Markov models). Particularly, our cracking results reveal a “reversal principle”: when the guess number allowed is small, Chinese passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in 2012 and Li et al. in 2014, respectively. At 10 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is from 33.2% to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We also discuss the implications of our findings. This work is expected to help facilitate both security administrators and users to gain a better understanding of the vulnerability of Chinese passwords, as well as to shed light on future password research.

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Xin Su,Bingying Wang,Xuewu Zhang,Yupeng Wang,Dongmin Choi

DOI: https://doi.org/10.1002/cpe.4150

2018-01-01

Abstract:Secure mechanisms have been adapted to satisfy the needs of mobile subscribers; however, the mobile environment is quite different from a desktop PC or laptop-based environment. The existing attack patterns in mobile environments are also quite different, and the countermeasures applied should be enhanced. In regards to usability, the mobile environment is based on mobility, and thus, mobile devices are designed and developed to enhance the owner's efficiency. To avoid forgetting passwords, people are willing to adopt simple alphanumeric-character combinations, which are easy to remember and convenient to enter. As a result, the passwords have a high probability of being cracked or exposed. In this paper, we study the potential security problems caused by simple and weak passwords, discuss drawbacks of some conventional works, and propose 3 creative schemes to increase the complexity and strength of passwords by applying the envisioned features. Note that our proposals are based on the assumption that the textual passwords are not difficult for users to remember or enter and do not cause inconvenience to users. In other words, the proposed methods can increase the complexity of simple passwords without the awareness of users.

Kim-Phuong L. Vu,Robert W. Proctor,Abhilasha Bhargav-Spantzel,Bik-Lam Tai,Joshua Cook,E. Eugene Schultz,Bik-Lam (Belin) Tai

DOI: https://doi.org/10.1016/j.ijhcs.2007.03.007

2007-08-01

Abstract:Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username–password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

computer science, cybernetics,ergonomics,psychology, multidisciplinary

Weili Han,Ming Xu,Junjie Zhang,Chuanwang Wang,Kai Zhang,X. Sean Wang

DOI: https://doi.org/10.1109/tifs.2020.3003696

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods' performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework TransPCFG, that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under ${10}^{14}$ offline guesses. For passwords with 16 characters, TransPCFG can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password 12zxcvbnword1997 has four segments since it follows the template ${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

computer science, theory & methods,engineering, electrical & electronic

Wenting Li,Jiahong Yang,Haibo Cheng,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp49357.2023.10096535

2023-01-01

Abstract:Modeling password distributions is a fundamental problem in password security, benefiting the research and applications on password guessing, password strength meters, honey password vaults, etc. As one of the best segment-based password models, WordPCFG has been proposed to capture individual semantic segments (called words) in passwords. However, we find WordPCFG does not address well the ambiguity of password segmentation by maximum matching, leading to the unreasonable segmentation of many password and further the inaccuracy of modeling password distributions. To address the ambiguity, we improve WordPCFG by maximum probability segmentation with A*-like pruning algorithm. The experimental results show that the improved WordPCFG cracks 99.26%–99.95% passwords, with nearly 5.67%–18.01% improvement.

Shouling Ji,Shukun Yang,Xin Hu,Weili Han,Zhigong Li,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2015.2481884

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we conduct a large-scale study on the crackability, correlation, and security of ${\sim}145$ million real world passwords, which were leaked from several popular Internet services and applications. To the best of our knowledge, this is the largest empirical study that has been conducted. Specifically, we first evaluate the crackability of ${\sim}145$ million real world passwords against 6+ state-of-the-art password cracking algorithms in multiple scenarios. Second, we examine the effectiveness and soundness of popular commercial password strength meters (e.g., Google, QQ) and the security impacts of username/email leakage on passwords. Finally, we discuss the implications of our results, analysis, and findings, which are expected to help both password users and system administrators to gain a deeper understanding of the vulnerability of real passwords against state-of-the-art password cracking algorithms, as well as to shed light on future password security research topics.

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

T.V. Laptyeva,S. Flach,K. Kladko

DOI: https://doi.org/10.1209/0295-5075/95/50007

2011-07-01

Abstract:Vulnerabilities related to weak passwords are a pressing global economic and security issue. We report a novel, simple, and effective approach to address the weak password problem. Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, and computational round-off errors we design an algorithm that strengthens security of passwords. The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective. We expect our approach to have wide applications for authentication and encryption technologies.

Cryptography and Security,Other Condensed Matter,Chaotic Dynamics

Haibo Cheng,Wenting Li,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp39728.2021.9414886

2021-01-01

Abstract:Probabilistic context-free grammars (PCFGs) have been pro-posed to capture password distributions, and further been used in password guessing attacks and password strength meters. However, current PCFGs suffer from the limitation of inaccurate segmentation of password, which leads to misestimation of password probability and thus seriously affects their performance. In this paper, we propose a word extraction approach for passwords, and further present an improved PCFG model, called WordPCFG. The WordPCFG using word extraction method can precisely extract semantic segments (called word) from passwords based on cohesion and freedom of words. We evaluate our WordPCFG on six large-scale datasets, showing that WordPCFG cracks 83.04%–95.47% passwords and obtains 12.96%–71.84% improvement over the state-of-the-art PCFGs.

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-24177-7_23

2015-01-01

Abstract:While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts.We proceed to investigate the effectiveness of these 50 policies in resisting against the primary threat to password accounts (i.e. online guessing) by testing each policy against two types of weak passwords which represent two types of online guessing. Our results show that among the total 800 test instances, 541 ones are accepted: 218 ones come from trawling online guessing attempts and 323 ones come from targeted online guessing attempts. This implies that, currently, the policies enforced in leading sites largely fail to serve their purposes, especially vulnerable to targeted online guessing attacks.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-24177-7_23

2015-01-01

Abstract:While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts.