
Showing papers on "Password strength published in 2021"


Proceedings ArticleDOI
23 May 2021
TL;DR: In this article, a deep generative model representation learning approach for password guessing is introduced, which can generate passwords with arbitrary biases and dynamically adapt the estimated password distribution to match the distribution of the attacked password set.
Abstract: Learning useful representations from unstructured data is one of the core challenges, as well as a driving force, of modern data-driven approaches. Deep learning has demonstrated the broad advantages of learning and harnessing such representations. In this paper, we introduce a deep generative model representation learning approach for password guessing. We show that an abstract password representation naturally offers compelling and versatile properties that open new directions in the extensively studied, and yet presently active, password guessing field. These properties can establish novel password generation techniques that are neither feasible nor practical with the existing probabilistic and non-probabilistic approaches. Based on these properties, we introduce: (1) A general framework for conditional password guessing that can generate passwords with arbitrary biases; and (2) an Expectation Maximization-inspired framework that can dynamically adapt the estimated password distribution to match the distribution of the attacked password set.

26 citations


Journal ArticleDOI
TL;DR: The proposed work suggests the mutual authentication-based protocol, helping in the handshake between two nodes, which involves the various subsections that include registering the user, token generation, sending and receiving messages through multiple algorithms.

12 citations


Proceedings ArticleDOI
Ming Xu, C Wang, Jitao Yu, Junjie Zhang, Kai Zhang, Weili Han
12 Nov 2021
TL;DR: In this article, the authors proposed a chunk-level guessing model, where a chunk is a sequence of related characters that appear together frequently, to model passwords, and they found that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity.
Abstract: Textual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

10 citations


Journal ArticleDOI
TL;DR: In this article, a comparative study of state-of-the-art deep learning based facial recognition technologies was conducted to determine via accuracy and other metrics which of those methods are most effective.
Abstract: In the realm of computer security, the username/password standard is becoming increasingly antiquated. Usage of the same username and password across various accounts can leave a user open to potential vulnerabilities. Authentication methods of the future need to maintain the ability to provide secure access without a reduction in speed. Facial recognition technologies are quickly becoming integral parts of user security, allowing for a secondary level of user authentication. Augmenting traditional username and password security with facial biometrics has already seen impressive results; however, studying these techniques is necessary to determine how effective these methods are within various parameters. A Convolutional Neural Network (CNN) is a powerful classification approach which is often used for image identification and verification. Quite recently, CNNs have shown great promise in the area of facial image recognition. The comparative study proposed in this paper offers an in-depth analysis of several state-of-the-art deep learning-based facial recognition technologies, to determine via accuracy and other metrics which of those are most effective. In our study, VGG-16 and VGG-19 showed the highest levels of image recognition accuracy, as well as F1-Score. The most favorable configurations of CNN should be documented as an effective way to potentially augment the current username/password standard by increasing the current method's security with additional facial biometrics.

10 citations


Journal ArticleDOI
TL;DR: In this paper, a new authentication method has been proposed for the Internet of Things (IoT) devices, which is based on electroencephalography (EEG) signals and hand gestures.
Abstract: In this paper, a new authentication method has been proposed for the Internet of Things (IoT) devices. This method is based on electroencephalography (EEG) signals and hand gestures. The proposed EEG signals authentication method used a low-price NeuroSky MindWave headset. This was based on choosing the adaptive thresholds of attention and meditation mode for the authentication key. Hand gestures are used to control authentication processes by using a general camera. To verify that a new authentication method is widely accepted, it must meet two main conditions, security and usability. The evaluation of the prototype usability was based on the ISO 9241-11:2018 standards usability model. Results revealed that the proposed method demonstrated the usability of authentication by using EEG signals with an accuracy of 92%, an efficiency of 93%, and user satisfaction that is acceptable and satisfying. To evaluate the security of the prototype, we consider the three most important threats related to IoT devices, which are guessing, physical observation, and targeted impersonation. The results showed that the password strength, using the proposed system, is stronger than the traditional keyboard. The proposed authentication method is also resistant to targeted impersonation and physical observation.

7 citations


Journal ArticleDOI
01 Aug 2021
TL;DR: This research investigated whether nudging with messages based on participants’ self-schemas could lead them to create stronger passwords, and whether differences across the Big Five personality traits, secure password knowledge, attitudes and behavior, need for cognition, and general risk-taking predicted the strength of passwords created during the study.
Abstract: The use of strong passwords is viewed as a recommended cybersecurity practice, as the hacking of weak passwords has led to major cybersecurity breaches. The present research investigated whether nudging with messages based on participants' self-schemas could lead them to create stronger passwords. We modeled our study on prior health-related research demonstrating positive results using messages based on self-schema categories (i.e., True Colors categories: compassionate, loyal, intellectual, and adventurous). We carried out two online studies, one with 256 (185 women, 66 men, 5 other) undergraduates and one with 424 (240 men, 179 women, 5 other) Amazon Mechanical Turk (MTurk) workers, in which we randomly assigned participants to receive messages that matched or mismatched their self-schema. We also investigated whether differences across the Big Five personality traits, secure password knowledge, attitudes and behavior, need for cognition, and general risk-taking predicted the strength of passwords that participants created during the study. Multiple individual difference variables predicted password strength (i.e., conscientiousness, emotional stability, need for cognition, self-reported secure password knowledge, attitude, and behavior, and general risk-taking). MTurk workers had higher levels of cybersecurity knowledge and created stronger passwords than college students. The nudging messages did not lead to stronger passwords. Implications for strategies to increase the use of secure passwords are discussed.

6 citations


Journal ArticleDOI
TL;DR: This work proposes a new PSM based on Reuse, Leet and Separation, namely RLS-PSM, and uses the Monte Carlo method and weighted Spearman coefficient to measure and compare the robustness and accuracy of this PSM, leading PSMs (including Markov-based PSM), and password cracking tools (including JtR and Hashcat).
Abstract: Password strength meters (PSMs) are being widely used, but they often give conflicting, inaccurate and misleading feedback, which defeats their purpose. Except for fuzzyPSM, all PSMs assume passwords are newly constructed, which is not true in reality. FuzzyPSM considers password reuse, six major leet transformations and initial capitalization, and performs the best as evaluated by Golla and Durmuth at ACM CCS'18. On the basis of fuzzyPSM, we propose a new PSM based on Reuse, Leet and Separation, namely RLS-PSM. First, we classify password reuse behaviors into capitalization and those that use special characters for leet or separation, and calculate the corresponding probabilities. Then, to balance efficiency and precision, we use Long Short-Term Memory to calculate the probabilities of alphanumeric strings. Besides, we propose to use benchmark passwords to show the relative strength of a password. Due to the varied impacts of different service types and diversified economic value of websites, we consider parameter settings of RLS-PSM under six different service types. Finally, we use the Monte Carlo method and weighted Spearman coefficient to measure and compare the robustness and accuracy of RLS-PSM, leading PSMs (including Markov-based PSM, PCFG-based PSM, fuzzyPSM, RNN, and Zxcvbn), and password cracking tools (including JtR and Hashcat). We find that the robustness of RLS-PSM is significantly higher than all counterparts when evaluating attempts > 10^4 (e.g., on average, the Fraction of Successfully Evaluated passwords of RLS-PSM is 18.9% higher than fuzzyPSM). The accuracy of RLS-PSM is also better than other mainstream PSMs used for comparison in this paper, except for fuzzyPSM.

5 citations


Proceedings ArticleDOI
08 May 2021
TL;DR: In this paper, the relation between password creation and cognitive load inferred from eye pupil diameter was investigated, and the results showed that passwords with different strengths affect the pupil diameter, thereby giving an indication of the user's cognitive state.
Abstract: Strict password policies can frustrate users, reduce their productivity, and lead them to write their passwords down. This paper investigates the relation between password creation and cognitive load inferred from eye pupil diameter. We use a wearable eye tracker to monitor the user’s pupil size while creating passwords with different strengths. To assess how creating passwords of different strength (namely weak and strong) influences users’ cognitive load, we conducted a lab study (N = 15). We asked the participants to create and enter 6 weak and 6 strong passwords. The results showed that passwords with different strengths affect the pupil diameter, thereby giving an indication of the user’s cognitive state. Our initial investigation shows the potential for new applications in the field of cognition-aware user interfaces. For example, future systems can use our results to determine whether the user created a strong password based on their gaze behavior, without the need to reveal the characteristics of the password.

5 citations


Journal ArticleDOI
01 Mar 2021
TL;DR: The results of this study indicate that the security performance of the Bcrypt Algorithm is very good in warding off Brute Force attacks for mixed characters while the numeric and alphabetic characters are not good enough.
Abstract: The Bcrypt algorithm is a hashing function created from the Blowfish Algorithm by two computer security researchers, Niels Provos and David Mazieres. This hashing function has several advantages, using the original random salt (the salt is the order in which it is added to the password to make it harder to bruteforce). Random salts also prevent lookup table creation. On this basis, the authors try to do a Brute Force experiment on plaintext that has been encrypted by the Bcrypt Algorithm based on 3 character sets, namely alphabetic characters, numeric characters and mixed characters, to see the security results of the Bcrypt Algorithm. From the results of tests conducted, alphabetic characters with a total of 4 characters can be returned to the original plaintext within 4 days, while with 5 characters the original plaintext cannot be found. Then for numeric characters with a total of 7 characters, the original plaintext can be found within 10 hours. Meanwhile, for mixed characters with a total of 7 characters, the original plaintext cannot be found within 5 days. The results of this study indicate that the security performance of the Bcrypt Algorithm is very good in warding off Brute Force attacks for mixed characters, while the numeric and alphabetic characters are not good enough.

5 citations


Journal ArticleDOI
TL;DR: Wang et al. as discussed by the authors proposed a matching approach to check whether a user password contains Leet and extracted the most prevalent counterpart pairs of Leet manifestations, and then they examined the effect of Leet in passwords by incorporating Leet transformation into the probabilistic context-free grammar (PCFG) method to crack passwords.
Abstract: Text-based passwords have long acted as the dominating authentication method. Leet, as one of the significant components in passwords, has not been paid enough attention yet. In this paper, we systematically study the presence of Leet in passwords. We define single and pattern forms of Leet and propose a matching approach to check whether a user password contains Leet. We extract the most prevalent counterpart pairs of Leet manifestations. Afterward, we examine the effect of Leet in passwords by incorporating Leet transformation into the probabilistic context-free grammar (PCFG) method to crack passwords. We construct the first comprehensively analyzed dictionary of Leets for passwords, which is confirmed suitable for most datasets by user survey. Experiments on four leaked password sets demonstrate that distinguished Leet usage accumulates to account for around 1% of the total dataset. Only 5% of high-frequency Leet replacements could increase the cracking rate by 0.55%. For crackers, incorporating popular Leets aids in improving password cracking performance. For users, adopting low-frequency Leets could strengthen their passwords. This research provides a new perspective to investigate Leet transformations in passwords.

4 citations


Proceedings ArticleDOI
25 May 2021
TL;DR: In this paper, the authors investigate the use of gaze behaviour as a means to assess password strength as perceived by users. And they demonstrate how eye tracking can enable this: by analysing people's gaze behaviour during password creation, its strength can be determined.
Abstract: We investigate the use of gaze behaviour as a means to assess password strength as perceived by users. We contribute to the effort of making users choose passwords that are robust against guessing-attacks. Our particular idea is to consider also the users’ understanding of password strength in security mechanisms. We demonstrate how eye tracking can enable this: by analysing people’s gaze behaviour during password creation, its strength can be determined. To demonstrate the feasibility of this approach, we present a proof of concept study (N = 15) in which we asked participants to create weak and strong passwords. Our findings reveal that it is possible to estimate password strength from gaze behaviour with an accuracy of 86% using Machine Learning. Thus, we enable research on novel interfaces that consider users’ understanding with the ultimate goal of making users choose stronger passwords.

Journal ArticleDOI
TL;DR: Wang et al. as discussed by the authors presented a large-scale empirical study on password-cracking methods proposed by the academic community since 2005, leveraging about 220 million plaintext passwords leaked from 12 popular websites during the past decade.
Abstract: Researchers proposed several data-driven methods to efficiently guess user-chosen passwords for password strength metering or password recovery in the past decades. However, these methods are usually evaluated under ad hoc scenarios with limited data sets. Thus, this motivates us to conduct a systematic and comparative investigation with a very large-scale data corpus for such state-of-the-art cracking methods. In this paper, we present the large-scale empirical study on password-cracking methods proposed by the academic community since 2005, leveraging about 220 million plaintext passwords leaked from 12 popular websites during the past decade. Specifically, we conduct our empirical evaluation in two cracking scenarios, i.e., cracking under extensive-knowledge and limited-knowledge. The evaluation concludes that no cracking method may outperform others from all aspects in these offline scenarios. The actual cracking performance is determined by multiple factors, including the underlying model principle along with dataset attributes such as length and structure characteristics. Then, we perform further evaluation by analyzing the set of cracked passwords in each targeting dataset. We get some interesting observations that make sense of many cracking behaviors and come up with some suggestions on how to choose a more effective password-cracking method under these two offline cracking scenarios.

Proceedings ArticleDOI
06 Jun 2021
TL;DR: Wang et al. as mentioned in this paper proposed a word extraction approach for passwords, and further presented an improved Probabilistic Context Free Grammars (PCFG) model, called WordPCFG, which can precisely extract semantic segments from passwords based on cohesion and freedom of words.
Abstract: Probabilistic context-free grammars (PCFGs) have been proposed to capture password distributions, and further been used in password guessing attacks and password strength meters. However, current PCFGs suffer from the limitation of inaccurate segmentation of passwords, which leads to misestimation of password probability and thus seriously affects their performance. In this paper, we propose a word extraction approach for passwords, and further present an improved PCFG model, called WordPCFG. The WordPCFG using the word extraction method can precisely extract semantic segments (called words) from passwords based on cohesion and freedom of words. We evaluate our WordPCFG on six large-scale datasets, showing that WordPCFG cracks 83.04%–95.47% of passwords and obtains a 12.96%–71.84% improvement over the state-of-the-art PCFGs.

Journal ArticleDOI
TL;DR: This is the first time passwords are analyzed based on different user groups from the perspective of user groups in different countries and web-based services, and shows that geographical factors and types of website services play a significant role in password creation.
Abstract: In this article, we analyze password characteristics from the perspective of user groups in different countries and web-based services. We collect a dataset from the Chinese railway website www.12306.cn, which contains data from four provinces, Hubei, Zhejiang, Inner Mongolia and Xinjiang. Additionally, we select datasets from two English-based Internet applications, Faithwriter and Facebook. We analyze these six datasets based on several common indicators, including popular passwords, password structure and letter distribution. The analysis results show that there are remarkable differences between different user groups. The experiments show that geographical factors (embodied in the native language) and types of website services play a significant role in password creation. We further evaluate the security of these passwords by employing two state-of-the-art password cracking techniques. The attack results show that datasets of different provinces and different types of website services have different password strength. To the best of our knowledge, this is the first time passwords are analyzed based on different user groups.

Book ChapterDOI
01 Jan 2021
TL;DR: In this paper, an overview of various graphical authentication systems is presented and various graphical systems shown to be more secure when compared to other authentication systems are proposed.
Abstract: In today’s modern world, security is a major concern. To provide security, the most widely recognized authentication methods are credentials, OTP, LTP, etc, and these methods are more prone to brute-force attack, shoulder surfing attack, and dictionary attack. Shoulder surfing attack (SSA) is a data theft approach used to obtain the personal identification numbers or passwords by looking over the user’s shoulder or by external recording devices and video-capturing devices. Since SSA occurs in a benevolent way, it goes unnoticed most of the time. It is one of the simple and easy methods for hackers to steal one’s sensitive information. The hacker has to simply peek in while the user types in the password without any much effort involved. Therefore, this phenomenon is widely unknown to people all over the world. Textual passwords are a ubiquitous part of digital age. Web applications/mobile applications demand a strong password with at least one capital letter and a special letter. People tend to give easy passwords in order to remember them which can be easily shoulder surfed. To overcome this, graphical password techniques are used to provide a more secure password. In the graphical authentication system, the users click on target images from a challenge set for authentication. Various graphical systems have been proposed over the years which are shown to be more secure when compared to other authentication systems. In this paper, an overview of various graphical authentication systems is presented.

Book ChapterDOI
04 Oct 2021
TL;DR: In this article, password strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password.
Abstract: Human-chosen passwords are the dominant form of authentication systems. Password strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password.


Book ChapterDOI
17 Sep 2021
TL;DR: In this paper, the authors focus on the characteristics of keyboard patterns, and only those infamous keyboard patterns such as qwerty are recognized, and many potential structures are not specified.
Abstract: Keyboard patterns are widely used in password construction, as they can be easily memorized with the aid of positions on the keyboard. Consequently, keyboard-pattern-based passwords have been the target in many dictionary attack models. However, most of the existing research relies only on recognition methods defining keyboard pattern structures empirically or even manually. As a result, only those infamous keyboard patterns such as qwerty are recognized and many potential structures are not specified. Besides, there are limited studies focusing on the characteristics of keyboard patterns.

Journal ArticleDOI
TL;DR: In this article, an interactive video game, a cyber shield game, that includes various embedded threat scenarios was developed to improve the employees' cybersecurity awareness by developing an interactive game consisting of four levels, i.e., password complexity level, phishing attack level, social engineering level and physical security level.
Abstract: Information is a critical asset in any organization to achieve its strategic goals. For this, organizations enforce physical, logical, and administrative controls to protect their information from being corrupted, manipulated, or breached. However, an employee with little awareness of cybersecurity threats is an easy target for attackers. Nowadays, companies implement security awareness using policies, procedures, and training sessions, to list a few. Traditional information security awareness sessions have relied heavily on presentation slides and videos. This paper aims to improve the employees' cybersecurity awareness by developing an interactive video game, a cyber shield game, that includes various embedded threat scenarios. The proposed game consists of four levels. The password complexity level educates players about password threats. The social engineering level makes employees aware of email attachment and trespass threats. The phishing attack level educates employees about phishing emails and ransomware threats. Finally, the physical security level makes employees aware of threats to storage and work documents' disposal. Further, two surveys, pre-game and post-game, are conducted to estimate the players' knowledge and experience in cybersecurity threats. The proposed security awareness program is applied to ten employees randomly chosen from different organizations. Experimental results indicate that the cyber shield training and awareness program is more interactive than traditional awareness methods. Results also suggest that the proposed awareness program improves the employees' cybersecurity awareness level by 51.4%.

Proceedings ArticleDOI
30 Jul 2021
TL;DR: In this article, the proposed Password Management via cloud-based web security attains an efficient Double Layer Password Encryption (DLPE) algorithm to enable the secured password management system.
Abstract: Nowadays, cloud-based technology has been enlarged depending on the human necessities in the world. A lot of technologies are discovered that serve the people in different ways of cloud-based security and best resource allocation. Cloud-based technology is the essential factor for resources like hardware and software for effective resource utilization. The securing applications enabled security mechanism plays the vital role for cloud-based web security through the secured password. The violation of data by the unauthorized access of users concerns many web developers and application owners. Web security enables the cloud-based password management system that illustrates the data storage and the web passwords access through the "Cloud framework". Web security, end-to-end passwords, and all the browser-based passwords could belong to the analysis of web security. The aim is to enhance system security. Thus, sensitive data are sustained with security and privacy. In this paper, the proposed Password Management via cloud-based web security attains an efficient Double Layer Password Encryption (DLPE) algorithm to enable the secured password management system. Text-based passwords continue to be the most popular method of online user identification. They safeguard internet accounts with important assets against harmful attempts on passwords. The security of passwords is dependent on the development of strong passwords and keeping them from being stolen by intruders. The proposed DLPE algorithm perceived the double-layer encryption system as an effective security concern. When the data user accesses the user Login, the OTP is generated via mail/SMS, and the original message is encrypted using public key generation. Then the text of data gets doubly encrypted through the cloud framework. The private key is used to decipher the cipher text. If the OTP gets matched, the text is decrypted over the text data. When double encryption happens, the detection of data flaws, malicious attacks, and application hackers gets reduced, and the strong password enabled double-layer encryption attained the secured data access without any malicious attackers. The data integrity and confidentiality enabled password management. The ability to manage a distributed systems policy like the Double Layer Password encryption technique enables password verification for the data used to highly secure the data or information.

Journal ArticleDOI
TL;DR: Using an extended form of protection motivation theory (PMT) (Rogers, 1983), this paper found that even if teenage computer users believe they are susceptible to being hacked, or that being hacked would be detrimental, it has no bearing on their password choices.
Abstract: What drives teenagers to comply with computer password guidelines? Using an extended form of protection motivation theory (PMT) (Rogers, 1983), we found that even if teenage computer users believe they are susceptible to being hacked, or that being hacked would be detrimental, it has no bearing on their password choices. Other motives outside of PMT also drive teenage security behaviour. Personal norms fully mediate the relationship between the perceived severity of threat and compliance intentions such that perceived severity is not sufficient to encourage compliance. Teenagers must actually feel obligated to comply. While personal norms may encourage compliance, concerns about feeling embarrassed or ashamed if their social media accounts are hacked into actually encourages compliance. On the other hand, peer influence, such as the fear of being teased about someone hacking into their account, discourages compliance. Our study contributes to understanding early security practices and highlights potential differences between adult and teenage behaviours to consider in future studies. For example, our findings suggest that password security guidelines alone will not suffice to ensure teenage compliance; they may need enforced password rules at the authentication level to eliminate any opportunity to violate password rules. Our study will benefit children and parents as well as organizations that have changed work practices to enable employees to work from home, but which places children in danger of clicking on malicious links on their parents' computers. To our knowledge, this is the first password security study that applies PMT to examine computer-based security behaviours in teenagers.

Proceedings ArticleDOI
30 Jan 2021
TL;DR: In this article, the entropy discrepancy between the passwords entered by the user and an attacker is calculated by accumulating the frequencies of the entered characters, not the password itself, and the experimental results show that even if the user selects a common password, the proposed authentication method can distinguish between legitimate users and attackers effectively and efficiently.
Abstract: User name and password are one of the most commonly used authentication mechanisms in information systems and social networks. Strong passwords are secure, but not easy to memorize; users may choose passwords that are easy to remember as well as easy to be compromised. Therefore, online password guessing attacks become a major security threat in information systems and social networks. It is a challenge to provide a reliable user authentication solution that allows legitimate access and prevents password guessing attacks. Our preliminary study observed the fact that legal users know what passwords they have chosen, while attackers can only guess what they are. The proposed solution applies information theory and compares the entropy discrepancy between the passwords entered by the user and attacker. The password entropy is calculated by accumulating the frequencies of the entered characters, not the password itself. The experimental results show that, even if the user selects a common password, the proposed authentication method can distinguish between legitimate users and attackers effectively and efficiently.

Journal ArticleDOI
TL;DR: In this article, the authors investigate the ability of different Markov models to calculate a variety of passwords from different topics, in order to find out whether one Markov model is sufficient for creating a more effective password checker.
Abstract: Recent literature proposes the use of a proactive password checker as method for preventing users from creating easy-to-guess passwords. Markov models can help us create a more effective password checker that would be able to check the probability of a given password to be chosen by an attacker. We investigate the ability of different Markov models to calculate a variety of passwords from different topics, in order to find out whether one Markov model is sufficient for creating a more effective password checker. The results of our study show that multiple models are required in order to be able to do strength calculations for a wide range of passwords. To the best of our knowledge, this is the first password strength study where the effect of the training password datasets on the success of the model is investigated.

Journal ArticleDOI
TL;DR: In this paper, the authors evaluated the effectiveness of different password storage techniques and found that pairing a strong password that has not been exposed in a data breach with the BCRYPT hashing algorithm results in the most robust password security.
Abstract: Recently, there has been a rise in impactful data breaches releasing billions of people’s online accounts and financial data into the public domain. The result is an increased importance of effective cybersecurity measures, especially regarding the storage of user passwords. Strong password storage security means that an actor cannot use the passwords in vectors such as credential-stuffing attacks despite having access to breached data. It will also limit user exposure to threats such as unauthorized account charges or account takeovers. This research evaluates the effectiveness of different password storage techniques. The storage techniques to be tested are: BCRYPT Hashing, SHA-256 Hashing, SHA-256 with Salt, and SHA-256 with MD5 Chaining. Following the National Institute of Standards and Technology (NIST) guidelines on password strength, both a weak and robust password will be passed through the stated techniques. Reversal of each of the results will be attempted using Rainbow Tables and dictionary attacks. The study results show that pairing a strong password that has not been exposed in a data breach with the BCRYPT hashing algorithm results in the most robust password security. However, SHA-256 hashing with a salt results in a very similar level of security while maintaining better performance. While plain SHA-256 hashing or chaining multiple hashing algorithms together is theoretically as secure, in practice, they are easily susceptible to simple attacks and thus should not be used in a production environment. Requiring strong passwords which have not been exposed in previous data breaches was also found to greatly increase security.

Proceedings Article
01 Jan 2021
TL;DR: In this article, the authors use deep neural networks to model the proficiency of adversaries in building attack configurations, and then they introduce dynamic guessing strategies within dictionary attacks, which mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets.
Abstract: Password security hinges on an in-depth understanding of the techniques adopted by attackers. Unfortunately, real-world adversaries resort to pragmatic guessing strategies such as dictionary attacks that are inherently difficult to model in password security studies. In order to be representative of the actual threat, dictionary attacks must be thoughtfully configured and tuned. However, this process requires domain knowledge and expertise that cannot be easily replicated. The consequence of inaccurately calibrating dictionary attacks is the unreliability of password security analyses, impaired by a severe measurement bias. In the present work, we introduce a new generation of dictionary attacks that is consistently more resilient to inadequate configurations. Requiring no supervision or domain knowledge, this technique automatically approximates the advanced guessing strategies adopted by real-world attackers. To achieve this: (1) We use deep neural networks to model the proficiency of adversaries in building attack configurations. (2) Then, we introduce dynamic guessing strategies within dictionary attacks. These mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets. Our techniques enable more robust and sound password strength estimates within dictionary attacks, eventually reducing overestimation in modeling real-world threats in password security. Code available: this https URL

DOI
10 Nov 2021
TL;DR: In this paper, the authors examined whether there is a link between personality type and password security among two groups of participants: SONA and MTurk.
Abstract: For almost every online account, people are required to create a password to protect their information online. Since many people have many accounts, they tend to create insecure passwords and re-use passwords. These insecure passwords are often easy to guess, which can lead to compromised data. It is well-known that every person has a different personality type, which can be determined using personality models such as Big Five and True Colors. This research examines if there is a link between personality type and password security among a variety of participants in two groups of participants: SONA and MTurk. Each participant in both surveys answered questions based on password security and their personality type. Our results show that participants in the MTurk survey were more likely to choose a strong password and to exhibit better security behaviors and knowledge than participants in the SONA survey. This is mostly attributed to the age difference. However, the distribution of the results was similar for both MTurk and SONA. Future surveys on cybersecurity should include both types of demographics for a more generalizable result.

Book ChapterDOI
25 Oct 2021
TL;DR: In this article, the authors explore the feasibility of applying ideas from Bayesian Persuasion to password authentication and introduce password strength signaling as a potential defense against password cracking, where the authentication server stores a signal about the strength of each user password for an offline attacker to find.
Abstract: We introduce password strength signaling as a potential defense against password cracking. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing a candidate password’s hash value with a stolen hash from a breached authentication server. The attacker is limited only by the resources he is willing to invest. We explore the feasibility of applying ideas from Bayesian Persuasion to password authentication. Our key idea is to have the authentication server store a (noisy) signal about the strength of each user password for an offline attacker to find. Surprisingly, we show that the noise distribution for the signal can often be tuned so that a rational (profit-maximizing) attacker will crack fewer passwords. The signaling scheme exploits the fact that password cracking is not a zero-sum game, i.e., it is possible for an attacker to increase their profit in a way that also reduces the number of cracked passwords. Thus, a well-defined signaling strategy will encourage the attacker to reduce his guessing costs by cracking fewer passwords. We use an evolutionary algorithm to compute the optimal signaling scheme for the defender. We evaluate our mechanism on several password datasets and show that it can reduce the total number of cracked passwords by up to 12% (resp. 5%) of all users in defending against offline (resp. online) attacks. While the results of our empirical analysis are positive, we stress that we view the current solution as a proof-of-concept, as there are important societal concerns that would need to be considered before adopting our password strength signaling solution.

DOI
10 Nov 2021
TL;DR: In this article, the effect of remotely played out training content on user behavior, i.e., on getting employees to change their password, was investigated. The results showed that none of the different content formats played out led to significantly more password changes.
Abstract: The COVID-19 pandemic forced a number of companies to place their staff into home office. In terms of security awareness measures, this means that content or training can only be played out remotely. Within this work, we report about a security awareness campaign focusing on password security that was carried out at a German mid-size company (2000 employees). We compare the effect of remotely played out training content on user behavior, i.e., on getting employees to change their password. The first content was directly embedded into an e-mail, the second was compiled on an intranet web page, and the third content was embedded into a video. Password changes were observed solely within the IT backend on the basis of events and timestamps generated by the company’s Active Directory service. For the campaign, four representative samples (140 employees per sample) among the staff were selected and assigned to the different training contents. A fourth group served as a control group. During a period of 6 weeks, the content was played out two times. Unexpectedly, the measured password change rate observed was very low. Further, compared to the control group’s behavior, none of the different content formats played out led to significantly more password changes. Clearly, the campaign failed according to its aim. Based on our observations, we provide several possible explanations for which there is some evidence from the literature.

Patent
18 May 2021
TL;DR: In this article, a system and method for improving the password security assigned to a user is described: a security server provides a display in which a plurality of keys are arranged, and at least one key selected from the arranged keys is used to filter original password characters; a memory unit stores the original password and the generated one-time password; and the security server determines whether a user's password entered on the hardware display screen is accepted by comparing the entered password with the one-time password.
Abstract: A system and method are disclosed to improve password security assigned to a user, the method comprising: a method for performing enhanced security authentication, the method comprises: generating a one-time password, by a security server, by filtering original password characters, wherein a security server provides a display on a hardware display screen, in which a plurality of keys are arranged and at least one selected from the arranged keys is used to filter original password characters; storing, by a memory unit, the original password and the one-time password generated; determining, by the security server, whether a user's password entered on the hardware display screen is accepted by comparing the entered password with the one-time password. The system comprises a storage module and a computer program for performing the method.

Journal ArticleDOI
01 May 2021
TL;DR: In this article, the proposed session password scheme would use a "text" session password, in which the password is used only once for each session and, as that session ends, the password no longer provides access.
Abstract: Traditionally, people will be using a weak password that has to be changed often and can be influenced by a dictionary attack, shoulder surfing, and other methods of password cracking. After the past years, graphical passwords came into existence; however, they are not as useful as the traditional password method, since they take more time to authenticate the passcode. As a result, this paper has taken a study of the session password strategy, in which the password is used only once for each session and, as that session ends, the password no longer provides access. The suggested session password scheme would use a "text" session password. Once upon a time, textual passwords were the most often used technique for authentication. Passwords are vulnerable to many scenarios, such as shoulder surfing, social engineering attacks, and lazy password selection. Graphical keys are introduced as a way to express very important passwords. Nearly all of the graphical schemes are vulnerable to shoulder pack design. To contend with the downside of being unable to remember passwords, pictures may be used to pair with session passwords for authentication. A session secret of a completely new password can only be used any time a new password is created. During this article, two approaches are expected to become a welcome cure for depression with an in-session approach that is unpredictable to shoulder ache and color. Strategies for Digital Assistants that are suitable for private uses. The proposed system measures the security and usability of the proposed system and displays the assistance of the proposed system to shoulder surfing assault.