Next Gen PCFG Password Cracking

Passwords continue to remain an important authentication technique. The probabilistic context-free grammar-based password cracking system of Weir et al. was an important addition to dictionary-based password cracking approaches. In this paper, we show how to substantially improve upon this system by systematically adding keyboard patterns and multiword patterns (two or more words in the alphabetic part of a password) to the context-free grammars used in the probabilistic password cracking. Our results on cracking multiple data sets show that by learning these new classes of patterns, we can achieve up to 22% improvement over the original system. In this paper, we also define metrics to help analyze and improve attack dictionaries. Using our approach to improving the dictionary, we achieve an additional improvement of ~33% by increasing the coverage of a standard attack dictionary. Combining both approaches, we can achieve a 55% improvement over the previous system. Our tests were done over fairly long password guessing sessions (up to 85 billion) and thus show the uniform effectiveness of our techniques for long cracking sessions.

[1]  Heinrich Hußmann,et al.  PassShape: stroke based shape passwords , 2007, OZCHI '07.

[2]  Sudhir Aggarwal,et al.  Testing metrics for password creation policies by attacking large sets of revealed passwords , 2010, CCS '10.

[3]  Julie Thorpe,et al.  On Semantic Patterns of Passwords and their Security Impact , 2014, NDSS.

[4]  J. Peto,et al.  Asymptotically Efficient Rank Invariant Test Procedures , 1972 .

[5]  Daniel Klein,et al.  Foiling the cracker: A survey of, and improvements to, password security , 1992 .

[6]  Barbara S. Chaparro,et al.  Password Security: What Users Know and What They Actually Do , 2006 .

[7]  Claude Castelluccia,et al.  Adaptive Password-Strength Meters from Markov Models , 2012, NDSS.

[8]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[9]  Lujo Bauer,et al.  Encountering stronger password requirements: user attitudes and behaviors , 2010, SOUPS.

[10]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[11]  Ninghui Li,et al.  A Study of Probabilistic Password Models , 2014, 2014 IEEE Symposium on Security and Privacy.

[12]  D. Cox Regression Models and Life-Tables , 1972 .

[13]  Lujo Bauer,et al.  Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms , 2012, 2012 IEEE Symposium on Security and Privacy.

[14]  Blase Ur,et al.  Can long passwords be secure and usable? , 2014, CHI.

[15]  Michael K. Reiter,et al.  The security of modern password expiration: an algorithmic framework and empirical analysis , 2010, CCS '10.

[16]  Lorrie Faith Cranor,et al.  Human selection of mnemonic phrase-based passwords , 2006, SOUPS '06.

[17]  Pietro Michiardi,et al.  Password Strength: An Empirical Analysis , 2010, 2010 Proceedings IEEE INFOCOM.

[18]  Blase Ur,et al.  Measuring password guessability for an entire university , 2013, CCS.

[19]  David S. Johnson,et al.  Computers and Intractability: A Guide to the Theory of NP-Completeness , 1978 .

[20]  Sudhir Aggarwal,et al.  Building better passwords using probabilistic techniques , 2012, ACSAC '12.

[21]  Jeff Boleng,et al.  Visualizing Keyboard Pattern Passwords , 2009, 2009 6th International Workshop on Visualization for Cyber Security.

[22]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[23]  Joseph Bonneau,et al.  Linguistic Properties of Multi-word Passphrases , 2012, Financial Cryptography Workshops.

[24]  Sudhir Aggarwal,et al.  Password Cracking Using Probabilistic Context-Free Grammars , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[25]  Vitaly Shmatikov,et al.  Fast dictionary attacks on passwords using time-space tradeoff , 2005, CCS '05.

[26]  Stuart E. Schechter,et al.  Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks , 2010, HotSec.