PASSWORD CRACKING BASED ON LEARNED PATTERNS FROM DISCLOSED PASSWORDS

Password-based authentication systems are still the most commonly used mechanism for protecting sensitive information despite being vulnerable to dictionary based attacks. To guard against such attacks, many organizations enforce complicated password-creation rules and require that passwords include numeric and special characters. This study demonstrates that as long as passwords are not difficult to remember, they remain vulnerable to “smart dictionary” attacks. In this study, a password analysis platform is developed to formally analyze commonly used passwords and identify frequently used password patterns and their associated probabilities. Based upon these patterns, we establish a model consisting of a Training set, a Dictionary set and a Testing set (TDT model) to generate probabilistic passwords sorted in decreasing order. The model can be used to dramatically reduce the size of the password space to be searched. Simulation results show that the number of passwords cracked using the TDT model is 1.43 and 2.5 times higher compared with the John-the-Ripper attack and Brute-force attack, respectively. We also design a hybrid password cracking system combining different attacks to verify the effectiveness of the proposed method. After applying the TDT model, the number of passwords cracked increased by up to 273%.

[1]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[2]  Geoffrey J. Noer,et al.  Cygwin32: a free win32 porting layer for UNIX® applications , 1998 .

[3]  Philippe Oechslin,et al.  Making a Faster Cryptanalytic Time-Memory Trade-Off , 2003, CRYPTO.

[4]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[5]  Stéphanie Delaune,et al.  A theory of dictionary attacks and its complexity , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[6]  Vitaly Shmatikov,et al.  Fast dictionary attacks on passwords using time-space tradeoff , 2005, CCS '05.

[7]  Olivier Billet,et al.  Cryptanalysis of Rainbow , 2006, SCN.

[8]  R.V. Yampolskiy Analyzing User Password Selection Behavior for Reduction of Password Space , 2006, Proceedings 40th Annual 2006 International Carnahan Conference on Security Technology.

[9]  Sudhir Aggarwal,et al.  Password Cracking Using Probabilistic Context-Free Grammars , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[10]  Vrizlynn L. L. Thing,et al.  A novel time-memory trade-off method for password recovery , 2009 .

[11]  Haichang Gao,et al.  Design and Analysis of a Graphical Password Scheme , 2009, 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC).

[12]  Sudhir Aggarmal,et al.  Using probabilistic techniques to aid in password cracking attacks , 2010 .

[13]  Michael K. Reiter,et al.  The security of modern password expiration: an algorithmic framework and empirical analysis , 2010, CCS '10.

[14]  Claude Castelluccia,et al.  Adaptive Password-Strength Meters from Markov Models , 2012, NDSS.

[15]  Lujo Bauer,et al.  Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms , 2012, 2012 IEEE Symposium on Security and Privacy.