On the Privacy Impacts of Publicly Leaked Password Databases

Hackers regularly steal data sets containing user identifiers and passwords, and these data sets often become publicly available. The most prominent and important leaks used weak password protection mechanisms, e.g. unsalted password hashes, despite long-standing recommendations to the contrary. The accumulation of leaked password data sets allows the research community to study password strength estimation and password cracking and to conduct usability and usage studies. The privacy impact of these leaks, however, has not been studied.
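As an added illustration of the privacy angle behind the unsalted-hash remark (example code written for this page, not taken from the paper), the following contrasts what a leaked table of unsalted hashes reveals with a per-user salted scheme: identical stored values expose password sharing within one leak and account linkage across two leaks without any cracking, whereas per-user salts remove that signal. The account lists are constructed.

```python
import hashlib
import os
from typing import Optional

# Constructed sample leaks: two users on site A share a password,
# and bob reuses his site A password on site B.
SITE_A = [("alice", "correct horse"), ("bob", "correct horse"), ("carol", "battery staple")]
SITE_B = [("bob_b", "correct horse"), ("dave", "hunter2")]


def unsalted_sha1(password: str) -> str:
    """The weak scheme criticised above: one global digest per password value."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_scrypt(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a memory-hard KDF; returns (salt_hex, digest_hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex(), digest.hex()


def leak_unsalted(accounts):
    return [(user, unsalted_sha1(pw)) for user, pw in accounts]


def leak_salted(accounts):
    return [(user, salted_scrypt(pw)[1]) for user, pw in accounts]


def shared_password_groups(records):
    """Users whose stored values collide; any group >1 reveals password sharing."""
    groups = {}
    for user, stored in records:
        groups.setdefault(stored, []).append(user)
    return sorted(users for users in groups.values() if len(users) > 1)


def cross_leak_links(records_a, records_b):
    """Account pairs linkable across two leaks purely by equal stored values."""
    by_hash = {}
    for user, stored in records_a:
        by_hash.setdefault(stored, []).append(user)
    return sorted((ua, ub) for ub, h in records_b for ua in by_hash.get(h, []))


if __name__ == "__main__":
    print(shared_password_groups(leak_unsalted(SITE_A)))       # [['alice', 'bob']]
    print(cross_leak_links(leak_unsalted(SITE_A), leak_unsalted(SITE_B)))
    print(shared_password_groups(leak_salted(SITE_A)))         # []
```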
