Computer Science, 2020, Vol. 47, Issue 11: 48-54. doi: 10.11896/jsjkx.200900077

Special topic: Intelligent Mobile Identity Authentication

Analysis of Large-scale Real User Password Data Based on Cracking Algorithms

XIE Zhi-jie, ZHANG Min, LI Zhen-han, WANG Hong-jun

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
    Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
  • Received: 2020-09-09 Revised: 2020-10-08 Online: 2020-11-15 Published: 2020-11-05
  • Corresponding author: ZHANG Min (zhangmindy@nudt.edu.cn)
  • About author: xzj9510@nudt.edu.cn
  • Supported by:
    National Natural Science Foundation of China (61971473); Anhui Provincial Natural Science Foundation (1908085QF291)

Analysis of Large-scale Real User Password Data Based on Cracking Algorithms

XIE Zhi-jie, ZHANG Min, LI Zhen-han, WANG Hong-jun   

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
    Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
  • Received: 2020-09-09 Revised: 2020-10-08 Online: 2020-11-15 Published: 2020-11-05
  • About author: XIE Zhi-jie, born in 1995, postgraduate, is a member of China Computer Federation. His main research interests include password security.
    ZHANG Min, born in 1966, Ph.D, professor, Ph.D supervisor. His main research interests include communication network security and intelligent computing.
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (61971473) and Anhui Provincial Natural Science Foundation (1908085QF291).

Abstract: Password authentication is the main identity authentication method today and is widely used in finance, the military, the internet and other fields. This paper studies password security from the attacker's perspective. Using large-scale real user data, it statistically analyzes general password characteristics and analyzes password vulnerability with the Probabilistic Context-Free Grammar (PCFG) password guessing algorithm and the TarGuess-I targeted password guessing model. It finds that, when choosing and generating passwords, users exhibit vulnerable behaviors that attackers can easily discover and exploit, such as preferring passwords with simple structures, designing passwords from patterns, generating passwords from semantics, and preferring to build passwords from personal information such as names and user names. The characteristics of these vulnerable behaviors are summarized, providing a basis for keeping users from setting weak passwords and for designing password strength evaluation methods.

Keywords: Vulnerable behaviors, Password security, Password guessing, User information

Abstract: Password authentication is the main authentication method nowadays. It is widely used in various fields, such as finance, military and internet. In this paper, password security is studied from the perspective of an attacker. Large-scale real user data is used for statistical analyses of password general characteristics, and for password vulnerability analyses based on the Probabilistic Context-Free Grammars (PCFG) password guessing algorithm and the TarGuess-I targeted password guessing model. Through the above analyses, it is found that users' passwords exhibit vulnerable behaviors that can be easily discovered and exploited by attackers, such as choosing simple structure passwords, generating passwords based on patterns, passwords containing semantics and passwords containing personal information (i.e., name and user name). These vulnerable behavior characteristics are summarized to provide a basis for reminding users to avoid setting weak passwords and for studying password strength meter methods.

Key words: Password guessing, Password security, User information, Vulnerable behaviors

Chinese Library Classification number:

  • TP309