Next Gen PCFG Password Cracking

IEEE Transactions on Information Forensics and Security

Volumn 10, Issue 8, 2015, Pages 1776-1791

  Houshmand, Shiva ^a   Aggarwal, Sudhir ^a   Flood, Randy ^a  

^a FLORIDA STATE UNIVERSITY   (United States)

Author keywords

Authentication; Dictionaries; Keyboard patterns; Multiwords; Password cracking; Probabilistic grammars

Indexed keywords

ACCESS CONTROL; CONTEXT FREE GRAMMARS; CRACKS; GLOSSARIES;

AUTHENTICATION TECHNIQUES; KEYBOARD PATTERNS; MULTIPLE DATA SETS; MULTIWORDS; PASSWORD CRACKING; PASSWORD GUESSING; PROBABILISTIC CONTEXT FREE GRAMMARS; PROBABILISTIC GRAMMARS;

AUTHENTICATION;

EID: 84960868732     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2015.2428671     Document Type: Article

References (38)

1. M. Weir, S. Aggarwal, B. de Medeiros, B. Glodek, "Password cracking using probabilistic context-free grammars," in Proc. 30th IEEE Symp. Secur. Privacy, May 2009, pp. 391-405.
2. R. Veras, C. Collins, J. Thorpe, "On the semantic patterns of passwords and their security impact," in Proc. Netw. Distrib. Syst. Secur. Symp., Feb. 2014.
3. M. Dell'Amico, P. Michiardi, Y. Roudier, "Password strength: An empirical analysis," in Proc. IEEE INFOCOM, Mar. 2010, pp. 1-9.
4. P. G. Kelley et al., "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms," in Proc. IEEE Symp. Secur. Privacy (SP), May 2012, pp. 523-537.
5. Y. Zhang, F. Monrose, M. K. Reiter, "The security of modern password expiration: An algorithmic framework and empirical analysis," in Proc. 17th ACM Conf. Comput. Commun. Secur., 2010, pp. 176-186.
6. M. Weir, S. Aggarwal, M. Collins, H. Stern, "Testing metrics for password creation policies by attacking large sets of revealed passwords," in Proc. 17th ACM Conf. Comput. Commun. Secur., 2010, pp. 162-175.
7. S. Houshmand and S. Aggarwal, "Building better passwords using probabilistic techniques," in Proc. 28th Annu. Comput. Secur. Appl. Conf., 2012, pp. 109-118.
8. A. Narayanan and V. Shmatikov, "Fast dictionary attacks on passwords using time-space tradeoff," in Proc. 12th ACM Conf. Comput. Commun. Secur., 2005, pp. 364-372.
9. C. Castelluccia, M. Dürmuth, D. Perito, "Adaptive passwordstrength meters from Markov models," in Proc. NDSS, 2012.
10. J. Ma, W. Yang, M. Luo, N. Li, "A study of probabilistic password models," in Proc. 35th IEEE Symp. Secur. Privacy, May 2014, pp. 689-704.
11. John the Ripper Password Cracker. [Online]. Available: http://www.openwall.com, accessed Apr. 30, 2015.
12. Hashcat Advanced Password Recovery. [Online]. Available: http://www.hashcat.net, accessed Apr. 30, 2015.
13. S. Riley, "Password security: What users know and what they actually do," Usability News, vol. 8, no. 1, pp. 2833-2836, 2006.
14. B. Stone-Gross et al., "Your botnet is my botnet: Analysis of a botnet takeover," in Proc. 16th ACM Conf. Comput. Commun. Secur., 2009, pp. 635-647.
15. R. Shay et al., "Encountering stronger password requirements: User attitudes and behaviors," in Proc. 6th Symp. Usable Privacy Secur., 2010, Art. ID 2.
16. S. Schechter, C. Herley, M. Mitzenmacher, "Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks," in Proc. 5th USENIX Conf. Hot Topics Secur., 2010.
17. A. De Luca, R. Weiss, H. Hussmann, "PassShape: Stroke based shape passwords," in Proc. 19th Austral. Conf. Comput.-Human Interact., Entertaining User Interf., 2007, pp. 239-240.
18. D. Schweitzer, J. Boleng, C. Hughes, L. Murphy, "Visualizing keyboard pattern passwords," in Proc. 6th Int. Workshop Vis. Cyber Secur. (VizSec), 2009, pp. 69-73.
19. J. Bonneau, "The science of guessing: Analyzing an anonymized corpus of 70 million passwords," in Proc. IEEE Symp. Secur. Privacy (SP), May 2012, pp. 538-552.
20. A. Vance. (Jan. 20, 2010). If your password is 123456, just make it hackme. The New York Times. [Online]. Available: http://www.nytimes.com/2010/01/21/technology/21password.html
21. 6 Million Users' Privacy Leaked. [Online]. Available: http://www.chinaonline-marketing.com/news/anti-virus-news/csdn-tianya-renren-kaixinhacked-6-million-users-privacy-leaked/, accessed Apr. 30, 2015.
22. J. Yan, A. Blackwell, R. Anderson, A. Grant, "Password memorability and security: Empirical results," IEEE Security Privacy, vol. 2, no. 5, pp. 25-31, Sep./Oct. 2004.
23. C. Kuo, S. Romanosky, L. F. Cranor, "Human selection of mnemonic phrase-based passwords," in Proc. 2nd Symp. Usable Privacy Secur., 2006, pp. 67-78.
24. R. Shay et al., "Can long passwords be secure and usable?" in Proc. 32nd Annu. ACM Conf. Human Factors Comput. Syst., 2014, pp. 2927-2936.
25. J. Bonneau and E. Shutova, "Linguistic properties of multi-word passphrases," in Financial Cryptography and Data Security. Berlin, Germany: Springer-Verlag, 2012, pp. 1-12.
26. D. V. Klein, "'Foiling the cracker': A survey of, improvements to, password security," in Proc. 2nd USENIX Secur. Workshop, 1990, pp. 5-14.
27. R. McMillan. (Oct. 27, 2006). Phishing Attack Targets MySpace Users. [Online]. Available: http://www.infoworld.com/d/security-central/phishing-attack-targets-myspace-users-614
28. T. Warren. (2009). Thousands of Hotmail Passwords Leaked. [Online]. Available: http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online
29. Yahoo Credentials. [Online]. Available: http://news.cnet. com/8301-1009-3-57470786-83/hackers-post-450k-credentials-pilferedfrom-yahoo, accessed Apr. 30, 2015.
30. The English Open Word List. [Online]. Available: http://dreamsteep. com/projects/the-english-open-word-list.html, accessed Apr. 30, 2015.
31. Most Common Male and Female First Names in the U.S. [Online]. Available: http://names.mongabay.com/, accessed Apr. 30, 2015.
32. Top 40, 000 Words From TV and Movie Scripts. [Online]. Available: http://en.wiktionary.org/wiki/Wiktionary:Frequencylists#TVandmoviescripts, accessed Apr. 30, 2015.
33. (2005). The Dic0294 Wordlist. [Online]. Available: http://www.outpost9.com/files/WordLists.html, accessed Apr. 30, 2015.
34. KoreLogic Rule Set. [Online]. Available: http://openwall.info/wiki/john/rules, accessed Apr. 30, 2015.
35. M. L. Mazurek et al., "Measuring password guessability for an entire university," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2013, pp. 173-186.
36. D. R. Cox, "Regression models and life-tables," in Breakthroughs in Statistics. New York, NY, USA: Springer-Verlag, 1992, pp. 527-541.
37. R. Peto and J. Peto, "Asymptotically efficient rank invariant test procedures," J. Roy. Statist. Soc. A (General), vol. 135, no. 2, pp. 185-207, 1972.
38. M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. San Francisco, CA, USA: Freeman, 1979.