OMEN: Faster Password Guessing Using an Ordered Markov Enumerator

Passwords are widely used for user authentication, and will likely remain in use for the foreseeable future, despite several weaknesses. One important weakness is that human-generated passwords are far from being random, which makes them susceptible to guessing attacks. Understanding the adversary's capabilities for guessing attacks is a fundamental necessity for estimating their impact and advising countermeasures.
