Computer Science, 2020, Vol. 47, Issue 11: 48-54. doi: 10.11896/jsjkx.200900077

Special Issue: Intelligent Mobile Authentication


Analysis of Large-scale Real User Password Data Based on Cracking Algorithms

XIE Zhi-jie, ZHANG Min, LI Zhen-han, WANG Hong-jun   

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
     Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
  • Received: 2020-09-09  Revised: 2020-10-08  Online: 2020-11-15  Published: 2020-11-05
  • About author: XIE Zhi-jie, born in 1995, postgraduate, is a member of China Computer Federation. His main research interests include password security.
    ZHANG Min, born in 1966, Ph.D, professor, Ph.D supervisor. His main research interests include communication network security and intelligent computing.
  • Supported by: This work was supported by the National Natural Science Foundation of China (61971473) and Anhui Provincial Natural Science Foundation (1908085QF291).

Abstract: Password authentication is the main authentication method nowadays. It is widely used in various fields, such as finance, military and the internet. In this paper, password security is studied from the perspective of an attacker. Large-scale real user data is used for statistical analyses of general password characteristics, and for password vulnerability analyses based on the Probabilistic Context-Free Grammars (PCFG) password guessing algorithm and the TarGuess-I targeted password guessing model. Through the above analyses, it is found that users' passwords exhibit vulnerable behaviors that attackers can easily discover and exploit, such as choosing passwords with a simple structure, generating passwords from patterns, embedding semantic content, and embedding personal information (i.e., name and user name). These vulnerable behavior characteristics are summarized to provide a basis for reminding users to avoid setting weak passwords and for studying password strength meters.

Key words: Password guessing, Password security, User information, Vulnerable behaviors

CLC Number: TP309