Visualizing keyboard pattern passwords

Passwords are a fundamental security vulnerability in many systems. Several researchers have investigated the tradeoff between password memorability and resiliency to cracking and have looked at alternative systems such as graphical passwords and biometrics. To create stronger passwords, many systems enforce rules regarding the required length and types of characters passwords must contain. Another suggested approach is to use passphrases to combat dictionary attacks. One common “trick” used to remember passwords that conform to complex rules is to select a pattern of keys on the keyboard. While appearing random, the pattern is easy to remember. The purpose of this research was to investigate how often patterns are used, whether patterns could be classified into common categories, and whether those categories could be used to attack and defeat pattern-based passwords. Visualization techniques were used to collect data and assist in pattern categorization. The approach successfully identified two out of eleven passwords in a real-world password file that were not discovered with a traditional dictionary attack. This paper will present the approach used to collect and categorize patterns, and describe the resulting attack method that successfully identified passwords in a live system.
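One way a password-set check could flag the keyboard patterns described above, as an added example that is not the paper's method or code. It assumes a US QWERTY layout; the function names and the `min_run` and `min_ratio` thresholds are hypothetical.

```python
# Added example (not the paper's code): flag keyboard-pattern passwords at set time.
# Assumptions: US QWERTY layout; the thresholds below are illustrative only.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
OFFSETS = [0.0, 0.5, 0.75, 1.25]  # horizontal stagger of each row, in key widths

def _build_positions():
    """Map every character (plain and shifted) to (row, x) of its physical key."""
    pos = {}
    for r, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
        for c, (a, b) in enumerate(zip(plain, shifted)):
            pos[a] = pos[b] = (r, c + OFFSETS[r])
    return pos

POSITIONS = _build_positions()

def adjacent(a, b):
    """True if a and b are the same key or physically neighbouring keys."""
    if a not in POSITIONS or b not in POSITIONS:
        return False
    (r1, x1), (r2, x2) = POSITIONS[a], POSITIONS[b]
    return abs(r1 - r2) <= 1 and abs(x1 - x2) <= 1.0

def walk_ratio(password):
    """Fraction of consecutive character pairs that sit on neighbouring keys."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)

def longest_walk(password):
    """Length of the longest run of characters linked by adjacent keys."""
    best = run = 1 if password else 0
    for a, b in zip(password, password[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best

def is_keyboard_pattern(password, min_run=4, min_ratio=0.7):
    """Reject candidates that are mostly a walk across neighbouring keys."""
    return longest_walk(password) >= min_run and walk_ratio(password) >= min_ratio

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real password file.
    for pw in ["1qaz2wsx", "!QAZ2wsx", "qwerty", "Tr0ub4dor&3"]:
        print(f"{pw!r}: run={longest_walk(pw)} ratio={walk_ratio(pw):.2f} "
              f"pattern={is_keyboard_pattern(pw)}")
```

Because shifted characters map to the same physical key, a pattern such as `!QAZ2wsx` satisfies length and character-class rules yet scores the same as its lowercase form.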
