Cracking Associative Passwords

Users are required and expected to generate and remember numerous good passwords, a task that is next to impossible without a systematic approach. Associative passwords, combined with guidelines for constructing 'Word', 'Mixed' and 'Non-word' passwords, have been validated as an effective approach to creating strong, memorable passwords. The strength of associative passwords has previously been assessed with entropy-based metrics. This paper evaluates the strength of a set of collected associative passwords using a variety of password-cracking techniques. Analysis of the cracking sessions shows that current password-cracking techniques are not effective against associative passwords.
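
As an added illustration (not code from the paper), the contrast the abstract draws between entropy-based scoring and cracking-based evaluation, in Python. The guess generator is a minimal stand-in for dictionary-plus-mangling-rule cracking: the word list, the rules and the sample passwords are all constructed for this example. The entropy function is a simplified rendering of the SP 800-63 heuristic for user-chosen passwords (positional bit schedule plus the composition bonus, dictionary bonus omitted); that choice is an assumption of this example, not the metric the paper used.

```python
"""Guess rank versus heuristic entropy for a small, constructed password set.

Added example, not code from the paper.  Everything below (word list,
mangling rules, sample passwords, the simplified entropy heuristic) is
constructed for illustration.
"""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed mini word list; a real attack uses millions of entries.
WORDLIST: List[str] = ["password", "summer", "dragon", "monkey", "letmein",
                       "sunshine", "football", "shadow", "master", "qwerty"]

# Constructed mangling rules in the spirit of hashcat / John the Ripper
# rule engines, applied in this order (cheapest, most common first).
RULES = [
    lambda w: w,                                   # as-is
    lambda w: w.capitalize(),                      # Capitalize
    lambda w: w + "1",                             # append digit
    lambda w: w.capitalize() + "1",                # Capitalize + digit
    lambda w: w + "123",                           # append common suffix
    lambda w: w + "2012",                          # append year
    lambda w: w.replace("a", "@").replace("o", "0"),  # leet substitution
]


def candidates() -> Iterator[str]:
    """Yield guesses in a fixed order: every rule applied to every word.

    Duplicates (a rule that leaves a word unchanged) are skipped so that
    the guess count reflects distinct candidates actually tried.
    """
    seen = set()
    for rule in RULES:
        for word in WORDLIST:
            guess = rule(word)
            if guess not in seen:
                seen.add(guess)
                yield guess


def guess_rank(password: str, budget: int = 10**6) -> Optional[int]:
    """Return the 1-based number of guesses needed to hit `password`,
    or None if the rule set is exhausted (or the budget runs out) first."""
    for i, guess in enumerate(candidates(), start=1):
        if i > budget:
            return None
        if guess == password:
            return i
    return None


def nist_entropy_bits(password: str) -> float:
    """Simplified SP 800-63 style estimate for a user-chosen password
    (assumption of this example): 4 bits for the first character, 2 bits
    each for characters 2-8, 1.5 bits each for 9-20, 1 bit beyond that,
    plus a 6-bit bonus when both upper-case and non-alphabetic characters
    are present.  The dictionary-check bonus is deliberately omitted."""
    bits = 0.0
    for pos in range(1, len(password) + 1):
        if pos == 1:
            bits += 4
        elif pos <= 8:
            bits += 2
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1
    if any(c.isupper() for c in password) and any(not c.isalpha() for c in password):
        bits += 6
    return bits


def compare(passwords: List[str]) -> Dict[str, Tuple[float, Optional[int]]]:
    """Map each password to (heuristic entropy bits, guess rank or None)."""
    return {p: (nist_entropy_bits(p), guess_rank(p)) for p in passwords}


# Constructed sample: three dictionary-derived passwords and one chain of
# unrelated words standing in for an associative, non-dictionary password.
SAMPLE = ["Password1", "dr@g0n", "sunshine2012", "brightspannercanoe"]

if __name__ == "__main__":
    for pw, (bits, rank) in compare(SAMPLE).items():
        print(f"{pw:20} {bits:5.1f} bits  guess #{rank}")
```

The two yardsticks disagree: `Password1` is scored 25.5 bits by the heuristic yet falls at guess 31, while the all-lowercase word chain scores 33 bits and is never produced by this rule set. They also order the cracked passwords differently (`dr@g0n` scores 14 bits but outlasts `sunshine2012` at 24 bits), which is why a cracking session, rather than an entropy estimate, is the more informative measurement of a password scheme.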
