Computer Science (计算机科学) ›› 2020, Vol. 47 ›› Issue (11): 48-54. doi: 10.11896/jsjkx.200900077
Special topic: Intelligent Mobile Identity Authentication
XIE Zhi-jie, ZHANG Min, LI Zhen-han, WANG Hong-jun (谢志杰, 张旻, 李振汉, 王红军)
Abstract: Password authentication is today's dominant form of identity authentication and is widely used in finance, the military, and networked services. This paper studies password security from the attacker's perspective. It statistically analyses the general characteristics of passwords over a large volume of real user data and, using the probabilistic context-free grammar (PCFG) password-guessing algorithm and the TarGuess-I targeted password-guessing model, analyses password vulnerability. It finds that, when choosing passwords, users exhibit weak behaviours that an attacker can readily discover and exploit: a preference for simply structured passwords, designing passwords from patterns, generating passwords from semantic content, and a preference for building passwords from personal information such as names and usernames. The characteristics of these weak behaviours are summarised, providing a basis both for preventing users from setting weak passwords and for designing password-strength evaluation methods.
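The following is an added illustration of the two analysis tools the abstract names; it is not code from the paper. It implements a minimal PCFG in the style of Weir et al. (structures such as L8D3, with terminals filled from the training data rather than from an external dictionary, which is a simplification) and a small personal-information check of the kind a targeted guesser relies on. The training list TRAIN is constructed for the example, not real leaked data, and the names PCFG, guess_rank and personal_info_hits are this example's own.

```python
import itertools
import re
from collections import Counter, defaultdict

# Constructed training list (not a real leak). It deliberately shows the habits
# the abstract lists: simple structures, shared digit suffixes, name-based words.
TRAIN = [
    "password1", "password123", "zhangwei123", "wangfang1990", "liming520",
    "123456", "12345678", "abc123", "abc123!", "qwerty", "liming@123",
    "zhangwei520", "iloveyou", "password1", "123456", "123456",
]

SEG_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def segment(pw):
    """Split a password into (class, length, token) runs.
    Classes follow Weir et al.: L = letters, D = digits, S = symbols."""
    out = []
    for m in SEG_RE.finditer(pw):
        tok = m.group()
        cls = "L" if tok.isalpha() else "D" if tok.isdigit() else "S"
        out.append((cls, len(tok), tok))
    return out


def structure(pw):
    """Base structure of a password as a string, e.g. 'L8D3' for zhangwei123."""
    return "".join(f"{c}{n}" for c, n, _ in segment(pw))


class PCFG:
    """Minimal PCFG password model:
    P(guess) = P(structure) * prod P(terminal | class, length)."""

    def __init__(self):
        self.structures = Counter()          # base structure -> count
        self.terminals = defaultdict(Counter)  # (class, len) -> token counts
        self.total = 0

    def train(self, passwords):
        for pw in passwords:
            segs = segment(pw)
            self.structures[tuple((c, n) for c, n, _ in segs)] += 1
            for c, n, tok in segs:
                self.terminals[(c, n)][tok] += 1
            self.total += 1
        return self

    def p_terminal(self, slot, tok):
        bucket = self.terminals.get(slot)
        return bucket[tok] / sum(bucket.values()) if bucket else 0.0

    def probability(self, pw):
        """Probability the grammar assigns to pw (0 if its structure or a terminal is unseen)."""
        segs = segment(pw)
        p = self.structures[tuple((c, n) for c, n, _ in segs)] / self.total
        for c, n, tok in segs:
            p *= self.p_terminal((c, n), tok)
        return p

    def guesses(self, max_per_slot=5):
        """Every guess the grammar can derive, most probable first. Each slot is
        limited to its top terminals; a real cracker would use Weir's priority-queue
        'next' function instead of enumerating all combinations."""
        scored = {}
        for s, cnt in self.structures.items():
            choices = [self.terminals[slot].most_common(max_per_slot) for slot in s]
            totals = [sum(self.terminals[slot].values()) for slot in s]
            for combo in itertools.product(*choices):
                p = cnt / self.total
                for (tok, c), t in zip(combo, totals):
                    p *= c / t
                guess = "".join(tok for tok, _ in combo)
                scored[guess] = max(p, scored.get(guess, 0.0))
        return sorted(scored, key=lambda g: (-scored[g], g))

    def guess_rank(self, pw, **kw):
        """1-based guess number at which pw falls, or None if the grammar cannot derive it."""
        gl = self.guesses(**kw)
        return gl.index(pw) + 1 if pw in gl else None


def personal_info_hits(pw, profile):
    """Profile fields (name, username, ...) that appear verbatim in pw, ignoring
    case and spaces. A simplified stand-in for the checks a targeted guesser makes;
    not the TarGuess-I model itself."""
    low = pw.lower()
    return [k for k, v in profile.items() if v and v.lower().replace(" ", "") in low]


if __name__ == "__main__":
    model = PCFG().train(TRAIN)
    print("top structures:", Counter(structure(p) for p in TRAIN).most_common(3))
    for g in model.guesses()[:8]:
        print(f"{model.probability(g):.4f}  {g}")
    print("rank of password123:", model.guess_rank("password123"))
    print(personal_info_hits("zhangwei123", {"name": "Zhang Wei", "username": "zw1990"}))
```

Note that the grammar derives strings it never saw, such as "liming" alone or "wangfang123", which is the property that makes PCFG guessing stronger than a plain wordlist: the structure statistics and the terminal statistics recombine.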