A study of probabilistic password models

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 689-704

  Ma, Jerry ^a   Yang, Weining ^b   Luo, Min ^c   Li, Ninghui ^b  

^a Quora Inc ^*  (United States)

^b PURDUE UNIVERSITY   (United States)

^c WUHAN UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

CONTEXT FREE GRAMMARS; GRAPHIC METHODS; MARKOV PROCESSES; MODELING LANGUAGES; NATURAL LANGUAGE PROCESSING SYSTEMS;

PASSWORD CRACKING; PASSWORD STRENGTH; PROBABILISTIC CONTEXT FREE GRAMMARS; PROBABILITY THRESHOLD; RECENT RESEARCHES; SMOOTHING METHODS; STATISTICAL LANGUAGE MODELING; SYSTEMATIC EVALUATION;

AUTHENTICATION;

EID: 84914107564     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.50     Document Type: Conference Paper

References (26)

1. Passwords, 2009. http://wiki.skullsecurity.org/Passwords.
2. Csdn cleartext passwords, 2011. http://dazzlepod.com/csdn/.
3. John the ripper password cracker, 2013. http://www.openwall.com/john/.
4. Openwall wordlists collection, 2013. http://www.openwall.com/wordlists/.
5. J. Bonneau. Guessing human-chosen secrets. Thesis, University of Cambridge, 2012.
6. J. Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In Proceedings of IEEE Symposium on Security and Privacy, pages 538-552. IEEE, 2012.
7. W. E. Burr, D. F. Dodson, and W. T. Polk. Electronic authentication guideline. US Department of Commerce, Technology Administration, National Institute of Standards and Technology, 2004.
8. C. Castelluccia, M. Dürmuth, and D. Perito. Adaptive password-strength meters from Markov models. In Proceedings of NDSS, 2012.
9. M. Dell'Amico, P. Michiardi, and Y. Roudier. Password strength: an empirical analysis. In Proceedings of INFOCOM, pages 1-9, 2010.
10. S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov, and C. Herley. Does my password go up to eleven?: The impact of password meters on password selection. In Proceedings of CHI, pages 2379-2388, 2013.
11. D. Florencio and C. Herley. A large-scale study of web password habits. In Proceedings of WWW, pages 657-666, 2007.
12. A. Forget, S. Chiasson, P. C. van Oorschot, and R. Biddle. Improving text passwords through persuasion. In Proceedings of SOUPS, pages 1-12, 2008.
13. W. A. Gale and G. Sampson. Good-turing frequency estimation without tears. Journal of Quantitative Linguistics, 2(1):217-237, 1995.
14. C. Herley and P. C. van Oorschot. A research agenda acknowledging the persistence of passwords. IEEE Security & Privacy, 10(1):28-36, 2012.
15. S. Houshmand and S. Aggarwal. Building better passwords using probabilistic techniques. In Proceedings of ACSAC, pages 109-118, 2012.
16. S. M. Katz. Estimation of probabilities from sparse data for the language model component of a speech recogniser. IEEE Transactions on Acoustics, Speech, and Signal Processing, 35(3):400401, 1987.
17. P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In IEEE Symposium on Security and Privacy, pages 523-537, 2012.
18. S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman. Of passwords and people: measuring the effect of password-composition policies. In CHI, pages 2595-2604, 2011.
19. D. Malone and K. Maher. Investigating the distribution of password choices. In Proceedings of WWW, pages 301-310, 2012.
20. M. L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, P. G. Kelley, R. Shay, and B. Ur. Measuring password guessability for an entire university. In Proceedings of ACM CCS, pages 173-186, Berlin, Germany, 2013. ACM.
21. A. Narayanan and V. Shmatikov. Fast dictionary attacks on passwords using time-space tradeoff. In Proceedings of ACM CCS, pages 364-372, 2005.
22. R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin, and L. F. Cranor. Encountering stronger password requirements: user attitudes and behaviors. In Proceedings of the Sixth Symposium on Usable Privacy and Security, SOUPS '10, pages 2:1-2:20, New York, NY, USA, 2010. ACM.
23. B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, et al. How does your password measure up? the effect of strength meters on password creation. In Proceedings of USENIX Security Symposium, 2012.
24. M. Weir, S. Aggarwal, M. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings of the 17th ACM conference on Computer and communications security, pages 162-175, 2010.
25. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek. Password cracking using probabilistic context-free grammars. In IEEE Symposium on Security and Privacy, pages 391-405, 2009.
26. Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of ACM CCS, pages 176-186, 2010.