
Showing papers on "Password strength published in 2020"


Journal ArticleDOI
TL;DR: This work proposes a dynamic personalized password policy (DPPP), which can personally recommend different password policies according to the user’s personality traits, and shows that DPPP is more effective than Basic8 and 3class8 in resisting online and offline guessing attacks.

23 citations


Journal ArticleDOI
31 May 2020-Sensors
TL;DR: This work studied some methods of improving the performance of PassGAN, and developed two approaches for better password cracking: the first was changing the convolutional neural network (CNN)-based improved Wasserstein GAN cost function to an RNN-based cost function; the second was employing the dual-discriminator GAN structure.
Abstract: Text-based passwords are a fundamental and popular means of authentication. Password authentication can be simply implemented because it does not require any equipment, unlike biometric authentication, and it relies only on the users' memory. This reliance on memory is a weakness of passwords, and people therefore usually use easy-to-remember passwords, such as "iloveyou1234". However, these sample passwords are not difficult to crack. The default passwords of IoT also are text-based passwords and are easy to crack. This weakness enables free password cracking tools such as Hashcat and JtR to execute millions of cracking attempts per second. Finally, this weakness creates a security hole in networks by giving hackers access to an IoT device easily. Research has been conducted to better exploit weak passwords to improve password-cracking performance. The Markov model and probabilistic context-free-grammar (PCFG) are representative research results, and PassGAN, which uses generative adversarial networks (GANs), was recently introduced. These advanced password cracking techniques contribute to the development of better password strength checkers. We studied some methods of improving the performance of PassGAN, and developed two approaches for better password cracking: the first was changing the convolutional neural network (CNN)-based improved Wasserstein GAN (IWGAN) cost function to an RNN-based cost function; the second was employing the dual-discriminator GAN structure. In the password cracking performance experiments, our models showed 10%-15% better performance than PassGAN. Through additional performance experiments with PCFG, we identified the cracking performance advantages of PassGAN and our models over PCFG. Finally, we prove that our models enhanced password strength estimation through a comparison with zxcvbn.

19 citations


Journal ArticleDOI
01 Dec 2020
TL;DR: The potential for Open Source Intelligence (OSINT) being leveraged for more efficient password cracking is explored and the potential impact of OSINT to password cracking by law enforcement is discussed.
Abstract: From the end of the last century to date, consumers are increasingly living their lives online. In today’s world, the average person spends a significant proportion of their time connecting with people online through multiple platforms. This online activity results in people freely sharing an increasing amount of personal information – as well as having to manage how they share that information. For law enforcement, this corresponds to a slew of new sources of digital evidence valuable for digital forensic investigation. A combination of consumer level encryption becoming default on personal computing and mobile devices and the need to access information stored with third parties has resulted in a need for robust password cracking techniques to progress lawful investigation. However, current password cracking techniques are expensive, time-consuming processes that are not guaranteed to be successful in the time-frames common for investigations. In this paper, the potential for Open Source Intelligence (OSINT) being leveraged for more efficient password cracking is explored. A comprehensive survey of the literature on password strength, password cracking, and OSINT is outlined, and the law enforcement challenges surrounding these topics are discussed. Additionally, an analysis on password structure as well as demographic factors influencing password selection is presented. Finally, the potential impact of OSINT to password cracking by law enforcement is discussed.

19 citations


Journal ArticleDOI
TL;DR: It is argued that training based on principles of cognitive dissonance theory is a promising method for reducing individuals’ use of neutralization techniques when such training is designed to counter such techniques.

19 citations


Journal ArticleDOI
TL;DR: The approach and results of adapting the zxcvbn estimation engine for the Czech and Slovak languages are presented, and the method described in the article can be utilized as a methodology for adapting zxcvbn for other less-widespread European languages.

16 citations



Proceedings ArticleDOI
17 Mar 2020
TL;DR: An eye gaze-driven metric based on hotspot vs. non-hotspot segments of images for unobtrusively estimating the strength of user-created graphical passwords by analyzing the users' eye gaze behavior during password creation is proposed.
Abstract: In this paper, we propose an eye gaze-driven metric based on hotspot vs. non-hotspot segments of images for unobtrusively estimating the strength of user-created graphical passwords by analyzing the users' eye gaze behavior during password creation. To examine the feasibility of this method, i.e., the existence of correlation between the proposed metric and the strength of users' generated passwords, we conducted an eye-tracking study (n=42), in which users created a graphical password with a personalized image that triggers declarative memory of users (familiar image) vs. an image illustrating generic content unfamiliar to the users' episodic and semantic memory (generic image). Results revealed a strong positive correlation between the password strength and the proposed eye gaze-driven metric, pointing towards a new direction for the design of intelligent eye gaze-driven graphical password schemes for unobtrusively assisting users in making better password choices.

13 citations


Book ChapterDOI
01 Jan 2020
TL;DR: In this article, a Markov model-based password strength meter is used to evaluate the strength of a password in a more accurate way than the existing state-of-the-art methods.
Abstract: With the rapid increase in multi-user systems, the strength of passwords plays a crucial role in password authentication methods. Password strength meters help users select secure passwords. But existing password strength meters are not enough to provide the high level of security that would make users select strong passwords. Rule-based methods that measure the strength of passwords fall short in terms of accuracy, and password frequencies differ among platforms. Markov model-based strength meters measure password strength more accurately than the existing state-of-the-art methods. This paper describes how to proactively evaluate passwords with a strength meter by using Markov models. A mathematical proof of the prevention of guessable password attacks is presented. The proposed method improves the accuracy of current password protection methods significantly with a simpler, faster, and more secure implementation.

10 citations


Journal ArticleDOI
TL;DR: An incentivized lab experiment examining the effect of gain vs. loss-framed warning messages on online security behavior measured the probability of suffering a cyberattack as the result of five specific security behaviors: choosing a safe connection, providing minimum information during the sign-up process, picking a strong password, choosing a trusted vendor, and logging-out.
Abstract: We conducted an incentivized lab experiment examining the effect of gain vs. loss-framed warning messages on online security behavior. We measured the probability of suffering a cyberattack during the experiment as the result of five specific security behaviors: choosing a safe connection, providing minimum information during the sign-up process, choosing a strong password, choosing a trusted vendor, and logging-out. A loss-framed message led to more secure behavior during the experiment. The experiment also measured the effect of trusting beliefs and cybersecurity knowledge. Trusting beliefs had a negative effect on security behavior, while cybersecurity knowledge had a positive effect.

10 citations


Journal ArticleDOI
TL;DR: Machine learning classifiers are implemented here to learn how the values of various fields in a network packet decide whether the packet is compromised or not, and the accuracy of their detection is compared to choose the best suited classifier for this purpose.
Abstract: In this era of the Internet, ensuring the confidentiality, authentication and integrity of any resource exchanged over the net is imperative. Intrusion prevention techniques like strong passwords, firewalls etc. are not sufficient to monitor such voluminous network traffic, as they can be breached easily. Existing signature-based detection techniques like antivirus only offer protection against known attacks whose signatures are stored in the database. Thus, the need for real-time detection of aberrations is observed. Machine learning classifiers are implemented here to learn how the values of various fields like source bytes, destination bytes etc. in a network packet decide whether the packet is compromised or not. Finally, the accuracy of their detection is compared to choose the best suited classifier for this purpose. The outcome thus produced may be useful to offer real-time detection while exchanging sensitive information such as credit card details.

9 citations


Posted Content
TL;DR: This work introduces new guessing techniques that make dictionary attacks consistently more resilient to inadequate configurations, and introduces automatic dynamic strategies within dictionary attacks to mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets.
Abstract: Password security hinges on an in-depth understanding of the techniques adopted by attackers. Unfortunately, real-world adversaries resort to pragmatic guessing strategies such as dictionary attacks that are inherently difficult to model in password security studies. In order to be representative of the actual threat, dictionary attacks must be thoughtfully configured and tuned. However, this process requires a domain-knowledge and expertise that cannot be easily replicated. The consequence of inaccurately calibrating dictionary attacks is the unreliability of password security analyses, impaired by a severe measurement bias. In the present work, we introduce a new generation of dictionary attacks that is consistently more resilient to inadequate configurations. Requiring no supervision or domain-knowledge, this technique automatically approximates the advanced guessing strategies adopted by real-world attackers. To achieve this: (1) We use deep neural networks to model the proficiency of adversaries in building attack configurations. (2) Then, we introduce dynamic guessing strategies within dictionary attacks. These mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets. Our techniques enable more robust and sound password strength estimates within dictionary attacks, eventually reducing overestimation in modeling real-world threats in password security. Code available: this https URL

Journal ArticleDOI
TL;DR: This work analyzed the password policies and checkers of top 100 popular websites and proposed Hybritus that integrates different websites’ strategies and views into a global and robust model of the attackers with multiple layer perceptron (MLP) neural networks.
Abstract: Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users to choose hard-to-guess passwords and enhance the security of systems based on password authentication. Although there are many password strength metrics and tools, none of them produces an objective measurement given inconsistent policies and different dictionaries. In this work, we analyzed the password policies and checkers of the top 100 popular websites selected from Alexa rankings. The checkers are inconsistent and thus may assign the same password different strength labels, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers are empowered to exploit the above vulnerabilities to crack the protected systems more easily. As such, single metrics or local training data are not enough to build a robust and secure password checker. Based on these observations, we proposed Hybritus, which integrates different websites’ strategies and views into a global and robust model of the attackers with multiple layer perceptron (MLP) neural networks. Our data set is comprised of more than 3.3 million passwords taken from leaked, transformed and randomly generated dictionaries. The data set was sent to 10 website checkers to get feedback on the strength of passwords, labeled as strong, medium and weak. Then we used the features of passwords generated by term frequency-inverse document frequency to train and test Hybritus. The experimental results show that the accuracy of password strength checking can be as high as 97.7%, and over 94% even if it was trained with only ten thousand passwords. A user study shows that Hybritus is usable as well as secure.

Book ChapterDOI
30 Nov 2020
TL;DR: An improved password guessing model is proposed, which is capable of identifying popular passwords by generating top-300 most popular passwords from similar websites and grasping special strings by extracting continuous characters from user-generated PII.
Abstract: TarGuess-I is a leading targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. Owing to its superior guessing performance, TarGuess-I has attracted widespread attention in password security. Yet, TarGuess-I fails to capture popular passwords and special strings in passwords correctly. Thus we propose TarGuess-I+: an improved password guessing model, which is capable of identifying popular passwords by generating the top-300 most popular passwords from similar websites and grasping special strings by extracting continuous characters from user-generated PII. We conduct a series of experiments on 6 real-world leaked datasets and the results show that our improved model outperforms TarGuess-I by 9.07% on average with 1000 guesses, which proves the effectiveness of our improvements.

Proceedings ArticleDOI
05 Oct 2020
TL;DR: In this paper, the authors proposed a methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies, and then redistributed to simulate different user password reselection behaviors in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity.
Abstract: The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies. Password probabilities are then redistributed to simulate different user password reselection behaviours in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity, a metric which we show to be a useful proxy to measure overall resistance to password guessing attacks. Further, we show that by fitting power-law equations to the password probability distributions we generate, we can justify our choice of password composition policy without any direct access to user password data. Finally, we present Skeptic---a software toolkit that implements this methodology, including a DSL to enable system administrators with no background in password security to compare and rank password composition policies without resorting to expensive and time-consuming user studies. Drawing on 205,176,321 passwords across 3 datasets, we lend validity to our approach by demonstrating that the results we obtain align closely with findings from a previous empirical study into password composition policy effectiveness.

DOI
21 Dec 2020
TL;DR: A password strength metric using Enhanced Fuzzy K-Means clustering algorithm (EFKM) is introduced, able to recognize all the passwords from the OWASP as weak passwords only and regarding the leaked passwords, the metric recognizes almost the entire set of weak passwords.
Abstract: We introduce a password strength metric using the Enhanced Fuzzy K-Means clustering algorithm (EFKM henceforth). The EFKM is trained on the OWASP list of 10002 weak passwords. After that, the optimized centroids are maximized to develop a password strength metric. The resulting meter was validated by contrasting it with three entropy-based metrics using two datasets: the training dataset (OWASP) and a dataset that we collected from the GitHub website that contains 5189451 leaked passwords. Our metric is able to recognize all the passwords from the OWASP list as weak passwords. Regarding the leaked passwords, the metric recognizes almost the entire set as weak passwords. We found that the results of the EFKM-based metric and the entropy-based meters are consistent. Hence the EFKM metric demonstrates its validity as an efficient password strength checker.

Journal ArticleDOI
TL;DR: The results have indicated that participants are equally biased not only toward their own culture but also depending on their opinions about other cultures, which can lead to better development of culturally adaptive interfaces that will boost the security posture of RBG-P authentication.
Abstract: The purpose of this study is to examine the effects of culture on the cross-cultural design of the recognition-based graphical password (RBG-P) interface as inferred from Chinese and Saudi subjects’ image selections. The authors use a between-group design with two groups of participants from China and the Kingdom of Saudi Arabia to measure the differences caused by the effects of culture on graphical password image selections. Three hypotheses have been tested in a four-week long study carried out using two questionnaires and an RBG-P webtool designed for image selection. The results have indicated that participants are equally biased not only toward their own culture but also depending on their opinions about other cultures. In addition, when creating the password, it has been observed that culture not only influenced the image selection to create the password but also had an effect on the sequence of the images forming the password. Image selection differences can be used appropriately in cross-cultural designs, which will lead to better development of culturally adaptive interfaces that boost the security posture of RBG-P authentication. Some RBG-P interfaces that are produced outside the designer’s culture may suffer the effects of cultural differences. Hence, to incorporate culture in the interface, authentication systems within applications should be flexible by designing images that fit the culture in which the software will be used. To this end, access control interface testing should also be carried out in the environmental and cultural context in which it will be used. This paper provides useful information for international developers who develop cross-cultural usable secure designs. In such environments, the cross-cultural designs may have significant effects on the acceptability and adaptation of the interface to multi-cultural settings.

Posted Content
TL;DR: It is shown that probabilistic password meters inherently own the capability of describing the latent relation occurring between password strength and password structure and are implemented via an efficient and lightweight deep learning framework suitable for client-side operability.
Abstract: Probabilistic password strength meters have been proved to be the most accurate tools to measure password strength. Unfortunately, by construction, they are limited to solely produce an opaque security estimation that fails to fully support the user during the password composition. In the present work, we move the first steps towards cracking the intelligibility barrier of this compelling class of meters. We show that probabilistic password meters inherently own the capability of describing the latent relation occurring between password strength and password structure. In our approach, the security contribution of each character composing a password is disentangled and used to provide explicit fine-grained feedback for the user. Furthermore, unlike existing heuristic constructions, our method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation. In our contribution: (1) we formulate the theoretical foundations of interpretable probabilistic password strength meters; (2) we describe how they can be implemented via an efficient and lightweight deep learning framework suitable for client-side operability.

Proceedings ArticleDOI
01 Aug 2020
TL;DR: The pronounceability of a password is defined as a means to measure how easy it is to memorize - an aspect the authors associate with usability - and how password creation strategies can be adapted to better align with both security and usability.
Abstract: Security and usability are two essential aspects of a system, but they usually move in opposite directions. Sometimes, to achieve security, usability has to be compromised, and vice versa. Password-based authentication systems require both security and usability. However, to increase password security, absurd rules are introduced, which often drive users to compromise the usability of their passwords. Users tend to forget complex passwords and use techniques such as writing them down, reusing them, and storing them in vulnerable ways. Enhancing the strength while maintaining the usability of a password has become one of the biggest challenges for users and security experts. In this paper, we define the pronounceability of a password as a means to measure how easy it is to memorize - an aspect we associate with usability. We examine a dataset of more than 7 million passwords to determine whether the user-generated passwords are secure. Moreover, we convert the user-generated passwords into phonemes and measure the pronounceability of the phoneme-based representations. We then establish a relationship between the two and suggest how password creation strategies can be adapted to better align with both security and usability.

Journal ArticleDOI
TL;DR: A modified password guessing model with three semantic methods, including identifying popular passwords by generating top-300 lists from similar websites, recognizing keyboard patterns by relative position, and catching the special strings by extracting continuous characters from user-generated PII is proposed.
Abstract: is a leading online targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. It has attracted widespread attention in password security owing to its superior guessing performance. Yet, after analyzing the users’ vulnerable behaviors of using popular passwords and constructing passwords with users’ PII, we find that this model does not take into account popular passwords, keyboard patterns, and the special strings. The special strings are the strings related to users but do not appear in the users’ demographic information. Thus, we propose , a modified password guessing model with three semantic methods, including (1) identifying popular passwords by generating top-300 lists from similar websites, (2) recognizing keyboard patterns by relative position, and (3) catching the special strings by extracting continuous characters from user-generated PII. We conduct a series of evaluations on six large-scale real-world leaked password datasets. The experimental results show that our modified model outperforms by 2.62% within guesses.

Proceedings ArticleDOI
TL;DR: This work proposes a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies, and shows that by fitting power-law equations to the passwords probability distributions generated, it can justify its choice of password composition policy without any direct access to user password data.
Abstract: The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies. Password probabilities are then redistributed to simulate different user password reselection behaviours in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity, a metric which we show to be a useful proxy to measure overall resistance to password guessing attacks. Further, we show that by fitting power-law equations to the password probability distributions we generate, we can justify our choice of password composition policy without any direct access to user password data. Finally, we present Skeptic---a software toolkit that implements this methodology, including a DSL to enable system administrators with no background in password security to compare and rank password composition policies without resorting to expensive and time-consuming user studies. Drawing on 205,176,321 passwords across 3 datasets, we lend validity to our approach by demonstrating that the results we obtain align closely with findings from a previous empirical study into password composition policy effectiveness.

Journal ArticleDOI
TL;DR: This work proposes a password enhancement method based on semantic transformation, which can effectively analyze the semantic structure of a given password and enhances the password's strength through one or more password semantic transformations to make the password better protected against guessing attacks.
Abstract: With the continuous development of authentication approaches, password-based authentication is still the first choice for various online services today. The security of password-based authentication relies heavily on the strength of the passwords created by users. Password enhancement is a general way to increase the difficulty of cracking a password. An ideal password enhancement strategy should take into account both the usability (mainly the memorability) and the security of passwords. However, it has been found that the higher the password strength, the lower the usability of the password, and vice versa. In order to balance the usability and the security of the password, we propose a password enhancement method based on semantic transformation, which can effectively analyze the semantic structure of a given password. This enhances the password's strength through one or more password semantic transformations to make the password better protected against guessing attacks. Finally, we use publicly available real-world password data sets leaked in previous security incidents to conduct experiments. Our password enhancement strategy significantly reduces the proportion of guesses by a classic password guessing attack, which demonstrates the effectiveness of the method.

Proceedings ArticleDOI
Jing Zhang, Chao Yang, Zheng Yu, You Wei, Su Ruidan, Jianfeng Ma
01 Aug 2020
TL;DR: This work aims to gain a deeper understanding of an attacker’s capabilities and provide an improvement direction for password strength meters (PSMs) to help system administrators prevent the use of weak passwords.
Abstract: Recently, password guessing algorithms have received increased attention in the field of password security. In this paper, we present a brief review of various existing typical password guessing algorithms from the aspects of hypothesis, identified information, and theoretical models. We employ multiple criteria to understand and evaluate the performance of these algorithms. By analyzing the experimental results, we summarize the characteristics of different password guessing algorithms. We have experimentally proved that when the guess number is the same, two algorithms combined guess more passwords than one algorithm. Furthermore, we propose a hybrid password guessing algorithm, PaMLGuess. The algorithm has both strong interpretability and generalization ability and uses probability mapping to solve the problem that the magnitudes of the probabilities given by different password guessing algorithms vary widely. Our work aims to gain a deeper understanding of an attacker’s capabilities and provide an improvement direction for password strength meters (PSMs) to help system administrators prevent the use of weak passwords.

Proceedings ArticleDOI
01 Oct 2020
TL;DR: In this article, the authors combine the core technology of the Internet of Things radio frequency identification (RFID) technology and blockchain technology and propose a lightweight password security authentication mechanism of the smart factory RFID system, which has the characteristics of lightweight, anti-data leakage, and low management cost.
Abstract: Building a traditional factory into a smart factory is one of the goals of “Industry 4.0”. As factories move towards smart development, the existing network security systems can no longer meet the needs of enterprises and users. Aiming at the hidden dangers of information leakage and illegal access to the data of cryptographic production facilities and products in the smart factory, the article combines the core technology of the Internet of Things, radio frequency identification (RFID) technology, with blockchain technology, and proposes a blockchain-based lightweight password security authentication mechanism for the smart factory RFID system, which has the characteristics of being lightweight, resistant to data leakage, and low in management cost. It can ensure the safe and reliable access of industrial data while preventing security issues such as replay attacks, man-in-the-middle attacks, and server spoofing attacks in the application of RFID in smart factories; it also provides new ideas for research on data security protection for smart factories.

Book ChapterDOI
21 Sep 2020
TL;DR: The study describes and evaluates how the learning framework Context-Based Micro-Training (CBMT) can be used to assist users to create strong passwords and shows that users presented with password creation guidelines using a CBMT learning module do understand the password creation guidelines to a higher degree than other users.
Abstract: In this paper, we describe and evaluate how the learning framework Context-Based Micro-Training (CBMT) can be used to assist users to create strong passwords. Rather than a technical enforcing measure, CBMT is a framework that provides information security training to users when they are in a situation where the training is directly relevant. The study is carried out in two steps. First, a survey is used to measure how well users understand password guidelines that are presented in different ways. The second part measures how using CBMT to present password guidelines affects the strength of the passwords created. This experiment was carried out by implementing CBMT at the account registration page of a local internet service provider and observing the results on user-created passwords. The results of the study show that users presented with password creation guidelines using a CBMT learning module do understand the password creation guidelines to a higher degree than other users. Further, the experiment shows that users presented with password guidelines in the form of a CBMT learning module do create passwords that are longer and more secure than other users. The assessment of password security was performed using the zxcvbn tool, developed by Dropbox, which measures password entropy.

Journal ArticleDOI
TL;DR: This paper proposes to automatically generate textual password mnemonics, i.e., natural language sentences, which are intended to help users better memorize passwords, and introduces DeepMnemonic, a deep attentive encoder-decoder framework which takes a password as input and then automatically generates a mnemonic sentence for the password.
Abstract: Strong passwords are fundamental to the security of password-based user authentication systems. In recent years, much effort has been made to evaluate password strength or to generate strong passwords. Unfortunately, the usability or memorability of the strong passwords has been largely neglected. In this paper, we aim to bridge the gap between strong password generation and the usability of strong passwords. We propose to automatically generate textual password mnemonics, i.e., natural language sentences, which are intended to help users better memorize passwords. We introduce DeepMnemonic, a deep attentive encoder-decoder framework which takes a password as input and then automatically generates a mnemonic sentence for the password. We conduct extensive experiments to evaluate DeepMnemonic on real-world data sets. The experimental results demonstrate that DeepMnemonic outperforms a well-known baseline for generating semantically meaningful mnemonic sentences. Moreover, the user study further validates that the mnemonic sentences generated by DeepMnemonic are useful in helping users memorize strong passwords.

Journal ArticleDOI
TL;DR: This paper proposes a context-based password strength meter and investigates its effectiveness on users' password generating behavior, finding that it is significantly effective and suggesting that simply incorporating contextual information into password strength meters could be one of the potential methods for promoting secure behaviors among end users.
Abstract: Encouraging users to create stronger passwords has always been one of the key issues in password-based authentication. It is particularly important as passwords are still the most common user authentication method. Furthermore, prior works have highlighted that most passwords are significantly weak. In this paper, we seek to mitigate such an issue by proposing a context-based password strength meter and investigating its effectiveness on users' password generating behavior. We conduct a randomized experiment on Amazon MTurk involving hypothetical account creation scenarios. We observe the change in users' behavior in terms of the number of occasions where users change their password after seeing the warning message, the number of occasions where users want to learn more about creating stronger passwords, and the changes in password strength. We find that our proposed password strength meter is significantly effective. Users exposed to our password strength meter are more likely to change their password, and those new passwords are stronger. Furthermore, if the information is readily available, users are willing to invest their time to learn about creating a stronger password, even in a traditional password strength meter setting. Our findings suggest that simply incorporating contextual information into password strength meters could be one of the potential methods for promoting secure behaviors among end users.

Journal ArticleDOI
TL;DR: In this paper, the authors proposed a secure password storing method called the SXR (Split, Exclusive OR, and Replace) algorithm, which consists of four steps: first, the password received from users is hashed through a general hash function, and the ratio and the number of iterations are calculated from the secret key (username and password).
Abstract: Secure password storing is essential in systems working based on password authentication. In this paper, the SXR algorithm (Split, Exclusive OR, and Replace) was proposed to improve secure password storing; it could also be applied to current authentication systems. The SXR algorithm consisted of four steps. First, the password received from users was hashed through a general hash function. Second, the ratio and the number of iterations were calculated from the secret key (username and password). Third, the hashed password and ratio were computed, and the hashed password was divided based on the ratio (Split) into two values. Both values were applied to the XOR equation according to the number of iterations, resulting in two new values. Last, the obtained values were concatenated and stored in the database (Replace). On evaluation, complexity analyses and comparisons have shown that the SXR algorithm could provide attack resistance with a stronger hashed password against the aforementioned attacks. Consequently, even if hackers obtained the hashed password, it would be challenging and would consume more time to recover the actual one, because the pattern of the stored password is the same as that of one hashed through the general hash function.

Proceedings ArticleDOI
10 Jun 2020
TL;DR: An optimal segmentation algorithm named Password Segmentation Algorithm is proposed to segment passwords and user attributes, after which the correlation between a segmented password and user attributes is computed.
Abstract: Passwords are as yet the prevailing path for user verification and system security, while other validation techniques exist. So selecting a strong password is a challenging thing. Passwords are used in every walk of life, like logging into a system, creating an account in an online store, banking, etc. People struggle to remember all of their passwords and so they prefer to use passwords based on their personal attributes, viz. their name, spouse name, date of birth, etc. Choosing such passwords could be at the risk of being hacked. Generally the strength of passwords is checked based on general guidelines, like whether it contains alphanumeric characters, special symbols, etc. But it never checks whether the chosen password is based on user attributes. Our proposed system checks the strength of passwords through segmentation algorithms and analyses whether the chosen password is based on user attributes; if it is, it is considered a weak password, and strong if it is not based on user attributes. In this paper, an optimal segmentation algorithm named Password Segmentation Algorithm is proposed to segment passwords and user attributes, after which the correlation between a segmented password and user attributes is computed. Passwords with less correlation to private details are the safest to use.

Book ChapterDOI
14 Sep 2020
TL;DR: In this paper, the security contribution of each character composing a password is disentangled and used to provide explicit fine-grained feedback for the user, and unlike existing heuristic constructions, their method is free from any human bias, and more importantly, its feedback has a clear probabilistic interpretation.
Abstract: Probabilistic password strength meters have been proved to be the most accurate tools to measure password strength. Unfortunately, by construction, they are limited to solely producing an opaque security estimation that fails to fully support the user during password composition. In the present work, we take the first steps towards cracking the intelligibility barrier of this compelling class of meters. We show that probabilistic password meters inherently have the capability to describe the latent relation between password strength and password structure. In our approach, the security contribution of each character composing a password is disentangled and used to provide explicit fine-grained feedback for the user. Furthermore, unlike existing heuristic constructions, our method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation.

Journal ArticleDOI
TL;DR: The concept of group passwords is proposed to analyze the password characteristics of different groups, and a group-based password strength evaluation method is proposed that demonstrates the effectiveness of group-based password evaluation using real-world password data sets.
Abstract: User authentication is an important means to ensure the security of users' cyber accounts. Although there are various authentication means such as irises and fingerprints, passwords are still the main authentication method for the foreseeable future due to their low cost and easy implementation. Password strength evaluation measures the security strength of passwords, and has been widely studied. However, we found that the current password strength evaluation methods ignore the characteristics of password creators and do not consider the impact of regional groups on password generation. In this paper, we propose the concept of group passwords to analyze the password characteristics of different groups. Based on this notion, a group-based password strength evaluation method is proposed. In addition, we analyze the vulnerabilities of large-scale real-world password groups leaked in previous security incidents. The analysis results show that different password groups have different characteristics. Then, we use the attention mechanism (AM) in the neural network model to learn the dependence between group characteristics and password context features. A long short-term memory (LSTM) model, with natural advantages in processing sequential features, is used to process the password to achieve a more accurate password strength evaluation. We demonstrate the effectiveness of group-based password evaluation using real-world password data sets.