The science of guessing: Analyzing an anonymized corpus of 70 million passwords

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 538-552

  Bonneau, Joseph ^a  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

Author keywords

authentication; computer security; data mining; information theory; statistics

Indexed keywords

DATA MINING; FISHERIES; INFORMATION THEORY; POPULATION STATISTICS; SAMPLING;

DEMOGRAPHIC FACTORS; LARGE CORPORA; LARGE DATASETS; PARAMETERIZED; PRIVACY CONCERNS; SECURITY ENGINEERING; SHANNON'S ENTROPY; STATISTICAL TREATMENT; UNIFORM DISTRIBUTION; WEAK PASSWORDS;

AUTHENTICATION;

EID: 84878356177     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.49     Document Type: Conference Paper

References (50)

1. M. V. Wilkes, Time-sharing computer systems. New York: Elsevier, 1968.
2. J. H. Saltzer, "Protection and the Control of Information Sharing in Multics," Commun. ACM, vol. 17, pp. 388-402, 1974.
3. R. Morris and K. Thompson, "Password Security: A Case History," Commun. ACM, vol. 22, no. 11, pp. 594-597, 1979.
4. nd USENIX Security Workshop, 1990, pp. 5-14.
5. rd USENIX Security Workshop, 1992.
6. B. Schneier, "Real-World Passwords," December 2006. [Online]. Available: www.schneier.com/blog/archives/2006/12/realworld-passw.html
7. th Conference on Information Communications. IEEE, 2010, pp. 983-991.
8. th ACM Conference on Computer and Communications Security. ACM, 2010, pp. 162-175.
9. D. Seeley, "Password Cracking: A Game of Wits," Commun. ACM, vol. 32, pp. 700-703, 1989.
10. "John the Ripper," http://www.openwall.com/john/.
11. th IEEE Symposium on Security and Privacy. IEEE, 2009, pp. 391-405.
12. T. Wu, "A Real-World Analysis of Kerberos Password Security," in NDSS '99: Proceedings of the 1999 Network and Distributed System Security Symposium, 1999.
13. nd Symposium on Usable Privacy and Security. ACM, 2006, pp. 67-78.
14. J. A. Cazier and B. D. Medlin, "Password Security: An Empirical Investigation into E-Commerce Passwords and Their Crack Times." Information Systems Security, vol. 15, no. 6, pp. 45-55, 2006.
15. B. L. Riddle, M. S. Miron, and J. A. Semo, "Passwords in use in a university timesharing environment," Computers and Security, vol. 8, no. 7, pp. 569-578, 1989.
16. th ACM Conference on Computer and Communications Security. ACM, 2005, pp. 364-372.
17. C. Castelluccia, M. Dürmuth, and D. Perito, "Adaptive Password-Strength Meters from Markov Models," NDSS '12: Proceedings of the Network and Distributed System Security Symposium, 2012.
18. M. Zviran and W. J. Haga, "Password security: an empirical study," Journal of Management Information Systems, vol. 15, no. 4, pp. 161-185, 1999.
19. M. M. Devillers, "Analyzing Password Strength," Radboud University Nijmegen, Tech. Rep., 2010.
20. W. E. Burr, D. F. Dodson, and W. T. Polk, "Electronic Authentication Guideline," NIST Special Publication 800-63, 2006.
21. th International Conference on the World Wide Web. ACM, 2007, pp. 657-666.
22. th Symposium on Usable Privacy and Security. ACM, 2010.
23. P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms," Carnegie Mellon University, Tech. Rep. CMU-CyLab-11-008, 2011.
24. J. Yan, A. Blackwell, R. Anderson, and A. Grant, "Password Memorability and Security: Empirical Results," IEEE Security and Privacy Magazine, vol. 2, no. 5, pp. 25-34, 2004.
25. th ACM Conference on Computer and Communications Security. ACM, 2009, pp. 635-647.
26. C. E. Shannon, "A Mathematical Theory of Communication," in Bell System Technical Journal, vol. 7, 1948, pp. 379-423.
27. C. Cachin, "Entropy measures and unconditional security in cryptography," Ph.D. dissertation, ETH Zürich, 1997.
28. J. O. Pliam, "On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks," in Progress in Cryptology-INDOCRYPT 2000, 2000.
29. S. Boztas, "Entropies, Guessing, and Cryptography," Department of Mathematics, Royal Melbourne Institute of Technology, Tech. Rep. 6, 1999.
30. J. L. Massey, "Guessing and Entropy," in Proceedings of the 1994 IEEE International Symposium on Information Theory, 1994, p. 204.
31. th Berkeley Symposium on Mathematics, Statistics and Probability, pp. 547-561, 1961.
32. R. V. Hartley, "Transmission of Information," Bell System Technical Journal, vol. 7, no. 3, pp. 535-563, 1928.
33. th International Conference on Financial Cryptography and Data Security, 2012.
34. th International Conference on Financial Cryptography and Data Security, 2010.
35. S. Brostoff and A. Sasse, ""Ten strikes and you're out": Increasing the number of login attempts can improve password usability," in Proceedings of CHI 2003 Workshop on HCI and Security Systems. John Wiley, 2003.
36. th Workshop on the Economics of Information Security, 2010.
37. M. Alsaleh, M. Mannan, and P. van Oorschot, "Revisiting Defenses Against Large-Scale Online Password Guessing Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 128-141, 2012.
38. rd Workshop on Ethics in Computer Security Research, 2012.
39. B. Kaliski, RFC 2898: PKCS #5: Password-Based Cryptography Specification Version 2.0, IETF, 2000.
40. D. E. Denning and P. J. Denning, "The tracker: a threat to statistical database security," ACM Transactions on Database Systems, vol. 4, pp. 76-96, 1979.
41. A. Narayanan and V. Shmatikov, "How To Break Anonymity of the Netflix Prize Dataset," eprint arXiv:cs/0610105, 2006.
42. H. R. Baayen, Word Frequency Distributions, ser. Text, Speech and Language Technology. Springer, 2001.
43. W. A. Gale, "Good-Turing smoothing without tears," Journal of Quantitative Linguistics, vol. 2, 1995.
44. A. Clauset, C. R. Shalizi, and M. E. J. Newman, "Power-Law Distributions in Empirical Data," SIAM Rev., vol. 51, pp. 661-703, 2009.
45. M. Font, X. Puig, and J. Ginebra, "A Bayesian analysis of frequency count data," Journal of Statistical Computation and Simulation, 2011.
46. H. Sichel, "On a distribution law for word frequencies," Journal of the American Statistical Association, 1975.
47. th USENIX Security Symposium, 2004.
48. S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "PassPoints: design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies, vol. 63, pp. 102-127, 2005. (Pubitemid 40753495)
49. th ACM Conference on Computer and Communications Security. ACM, 2010, pp. 176-186.
50. th International Conference on Financial Cryptography and Data Security, 2009.