Measuring real-world accuracies and biases in modeling password guessability

Proceedings of the 24th USENIX Security Symposium

Volumn , Issue , 2015, Pages 463-481

  Ur, Blase ^a   Segreti, Sean M ^a   Bauer, Lujo ^a   Christin, Nicolas ^a   Cranor, Lorrie Faith ^a   Komanduri, Saranga ^a   Kurilova, Darya ^a   Mazurek, Michelle L ^b   Melicher, William ^a   Shay, Richard ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b UNIVERSITY OF MARYLAND   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATION;

COMMON FEATURES; FULLY AUTOMATED; PARAMETERIZED; PASSWORD SECURITY; PASSWORD STRENGTH; SCIENTIFIC EVIDENCE; SECURITY AUDIT; TRAINING DATA;

AUTHENTICATION;

EID: 85076274968     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (72)

1. The “web2” file of english words. http://www.bee-man.us/computer/grep/grep.htm#web2, 2004.
2. BONNEAU, J. The Gawker hack: How a million passwords were lost. Light Blue Touchpaper Blog, December 2010. http://www.lightbluetouchpaper.org/2010/12/15/thegawker-hack-how-a-million-passwords-were-lost/.
3. BONNEAU, J. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proc. IEEE Symp. Security & Privacy (2012).
4. BONNEAU, J. Statistical metrics for individual password strength. In Proc. WPS (2012).
5. BONNEAU, J., HERLEY, C., VAN OORSCHOT, P. C., AND STAJANO, F. The quest to replace passwords: A framework for comparative evaluation of Web authentication schemes. In Proc. IEEE Symp. Security & Privacy (2012).
6. BONNEAU, J., AND XU, R. Of contraseñas, sysmawt, and mìmǎ: Character encoding issues for web passwords. In Proc. W2SP (2012).
7. BRODKIN, J. 10 (or so) of the worst passwords exposed by the LinkedIn hack. Ars Technica, June 2012.
8. BURR, W. E., DODSON, D. F., AND POLK, W. T. Electronic authentication guideline. Tech. rep., NIST, 2006.
9. CARNEGIE MELLON UNIVERSITY. Password guessability service. https://pgs.ece.cmu.edu, 2015.
10. CASTELLUCCIA, C., DÜRMUTH, M., AND PERITO, D. Adaptive password-strength meters from Markov models. In Proc. NDSS (2012).
11. CHOU, H.-C., LEE, H.-C., YU, H.-J., LAI, F.-P., HUANG, K.H., AND HSUEH, C.-W. Password cracking based on learned patterns from disclosed passwords. IJICIC (2013).
12. CHRYSANTHOU, Y. Modern password cracking: A hands-on approach to creating an optimised and versatile attack. Master’s thesis, Royal Holloway, University of London, 2013.
13. CURLYBOI. Hashtopus. http://hashtopus.nech.me/manual.html, 2009-.
14. DAS, A., BONNEAU, J., CAESAR, M., BORISOV, N., AND WANG, X. The tangled web of password reuse. In Proc. NDSS (2014).
15. DE CARNÉ DE CARNAVALET, X., AND MANNAN, M. From very weak to very strong: Analyzing password-strength meters. In Proc. NDSS (2014).
16. DELL’AMICO, M., MICHIARDI, P., AND ROUDIER, Y. Password strength: An empirical analysis. In Proc. INFOCOM (2010).
17. DEV, J. A. Usage of botnets for high speed md5 hash cracking. In INTECH (2013).
18. DÜRMUTH, M., ANGELSTORF, F., CASTELLUCCIA, C., PERITO, D., AND CHAABANE, A. OMEN: Faster password guessing using an ordered markov enumerator. In Proc. ESSoS (2015).
19. DÜRMUTH, M., CHAABANE, A., PERITO, D., AND CASTELLUCCIA, C. When privacy meets security: Leveraging personal information for password cracking. CoRR (2013).
20. FAHL, S., HARBACH, M., ACAR, Y., AND SMITH, M. On The Ecological Validity of a Password Study. In Proc. SOUPS (2013).
21. FORGET, A., CHIASSON, S., VAN OORSCHOT, P., AND BIDDLE, R. Improving text passwords through persuasion. In Proc. SOUPS (2008).
22. GOODIN, D. Hackers expose 453,000 credentials allegedly taken from Yahoo service. Ars Technica, July 2012.
23. GOODIN, D. Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”. Ars Technica, May 2013.
24. GOODIN, D. “thereisnofatebutwhatwemake”-turbo-charged cracking comes to long passwords. Ars Technica, August 2013.
25. GOODIN, D. Meet wordhound, the tool that puts a personal touch on password cracking. Ars Technica, August 2014.
26. GOOGLE. Web 1T 5-gram version 1, 2006. http://www.ldc.upenn.edu/Catalog/CatalogEntry.jsp? catalogId=LDC2006T13.
27. HAIBLE. gperf. https://www.gnu.org/software/gperf/, 2010-.
28. HAQUE, S. T., WRIGHT, M., AND SCIELZO, S. A study of user password strategy for multiple accounts. In Proc. CODASPY (2013).
29. IMPERVA. Consumer password worst practices, 2010. http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf.
30. INSIDEPRO. PasswordsPro. http://www.insidepro.com/eng/passwordspro.shtml, 2003-.
31. KELLEY, P. G., KOMANDURI, S., MAZUREK, M. L., SHAY, R., VIDAS, T., BAUER, L., CHRISTIN, N., CRANOR, L. F., AND LOPEZ, J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In Proc. IEEE Symp. Security & Privacy (2012).
32. KOMANDURI, S. Modeling the adversary to evaluate password strengh with limited samples. PhD thesis, Carnegie Mellon University, 2015.
33. KOMANDURI, S., SHAY, R., CRANOR, L. F., HERLEY, C., AND SCHECHTER, S. Telepathwords: Preventing weak passwords by reading users’ minds. In Proc. USENIX Security (2014).
34. KOMANDURI, S., SHAY, R., KELLEY, P. G., MAZUREK, M. L., BAUER, L., CHRISTIN, N., CRANOR, L. F., AND EGELMAN, S. Of passwords and people: Measuring the effect of password-composition policies. In Proc. CHI (2011).
35. KORELOGIC.”Crack Me If You Can” - DEFCON 2010. http://contest-2010.korelogic.com/rules.html, 2010-.
36. KORELOGIC.”Crack Me If You Can” - DEFCON 2013. http://contest-2013.korelogic.com, 2010-.
37. KORELOGIC. Pathwell topologies. KoreLogic Blog, 2014. https://blog.korelogic.com/blog/2014/04/04/ pathwell_topologies.
38. KORELOGIC.”Analytical Solutions: Password Recovery Service. http://contest-2010.korelogic.com/prs.html, 2015.
39. LOVE, D. Apple on iCloud breach: It’s not our fault hackers guessed celebrity passwords. International Business Times, September 2014.
40. MA, J., YANG, W., LUO, M., AND LI, N. A study of probabilistic password models. In Proc. IEEE Symp. Security & Privacy (2014).
41. MARECHAL, S. Automatic wordlist mangling rule generation. Openwall Blog, 2012. http://www.openwall.com/presentations/Passwords12-Mangling-RulesGeneration/.
42. MAZUREK, M. L., KOMANDURI, S., VIDAS, T., BAUER, L., CHRISTIN, N., CRANOR, L. F., KELLEY, P. G., SHAY, R., AND UR, B. Measuring password guessability for an entire university. In Proc. CCS (2013).
43. MORRIS, R., AND THOMPSON, K. Password security: A case history. CACM 22, 11 (1979).
44. MWR INFOSECURITY. MWR InfoSecurity, 2014. https://www.mwrinfosecurity.com/.
45. NARAYANAN, A., AND SHMATIKOV, V. Fast dictionary attacks on passwords using time-space tradeoff. In Proc. CCS (2005).
46. OPENWALL. Wordlists. http://download.openwall.net/pub/wordlists/, 2015.
47. PERCIVAL, C. Stronger key derivation via sequential memory-hard function. In Proc. BSD Conference (2009).
48. PERLROTH, N. Adobe hacking attack was bigger than previously thought. The New York Times Bits Blog, October 2013.
49. PESLYAK, A. John the Ripper. http://www.openwall.com/john/, 1996-.
50. PESLYAK, A. John the Ripper. http://www.openwall.com/john/doc/MODES.shtml, 1996-.
51. PHDAYS. “Hash Runner”– Positive Hack Days. http://2013.phdays.com/program/contests/, 2013.
52. PROVOS, N., AND MAZIERES, D. A future-adaptable password scheme. In Proc. USENIX (1999).
53. RAO, A., JHA, B., AND KINI, G. Effect of grammar on security of long passwords. In Proc. CODASPY (2013).
54. SCHNEIER, B. MySpace passwords aren’t so dumb. Wired, December 2012.
55. SCOWL. Spell checker oriented word lists. http://wordlist.sourceforge.net, 2015.
56. SHAY, R., KOMANDURI, S., DURITY, A. L., HUH, P. S., MAZUREK, M. L., SEGRETI, S. M., UR, B., BAUER, L., CRANOR, L. F., AND CHRISTIN, N. Can long passwords be secure and usable? In Proc. CHI (2014).
57. STEUBE, J. Hashcat. https://hashcat.net/oclhashcat/, 2009-.
58. STEUBE, J. Mask Attack. https://hashcat.net/wiki/doku.php?id=mask_attack, 2009-.
59. STEUBE, J. Rule-based Attack. https://hashcat.net/wiki/doku.php?id=rule_based_attack, 2009-.
60. STOBERT, E., AND BIDDLE, R. The password life cycle: User behaviour in managing passwords. In Proc. SOUPS (2014).
61. STRICTURE GROUP. Password auditing services. http://stricture-group.com/services/password-audits.htm.
62. TRUSTWAVE. eHarmony password dump analysis, June 2012. http://blog.spiderlabs.com/2012/06/eharmonypassword-dump-analysis.html.
63. TRUSTWAVE. 2014 business password analysis. Password Research, 2014.
64. TRUST WAVESPIDERLABS. SpiderLabs/KoreLogic-Rules. https://github.com/SpiderLabs/KoreLogic- Rules, 2012.
65. UR, B., KELLY, P. G., KOMANDURI, S., LEE, J., MAASS, M., MAZUREK, M., PASSARO, T., SHAY, R., VIDAS, T., BAUER, L., CHRISTIN, N., AND CRANOR, L. F. How does your password measure up? The effect of strength meters on password creation. In Proc. USENIX Security (August 2012).
66. UR, B., NOMA, F., BEES, J., SEGRETI, S. M., SHAY, R., BAUER, L., CHRISTIN, N., AND CRANOR, L. F. “i added ‘!’ at the end to make it secure”: Observing password creation in the lab. In Proc. SOUPS (2015).
67. VANCE, A. If your password is 123456, just make it hackme. New York Times, 2010.
68. VERAS, R., COLLINS, C., AND THORPE, J. On the semantic patterns of passwords and their security impact. In Proc. NDSS (2014).
69. WEIR, M., AGGARWAL, S., COLLINS, M., AND STERN, H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proc. CCS (2010).
70. WEIR, M., AGGARWAL, S., MEDEIROS, B. D., AND GLODEK, B. Password cracking using probabilistic context-free grammars. In Proc. IEEE Symp. Security & Privacy (2009).
71. YAZDI, S. H. Analyzing password strength and efficient password cracking. Master’s thesis, The Florida State University, 2011.
72. ZHANG, Y., MONROSE, F., AND REITER, M. K. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proc. CCS (2010).