Password Guessers Under a Microscope: An In-Depth Analysis to Inform Deployments

Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, little is known about how different guessers compare to each other. We perform in-depth analyses and comparisons of the guessing abilities and behavior of password guessers. To extend analyses beyond the number of passwords cracked, we devise an analytical framework to compare the types of passwords that guessers generate under various conditions (e.g., limited training data, limited number of guesses, and dissimilar training and target data). Our results show that guessers often produce dissimilar guesses, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective as computationally intensive guessers, but more efficient. Our insights allow us to provide a concrete set of recommendations for system administrators when performing password checking.
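The comparison the abstract describes, as an added illustration that is not code from the paper: three hypothetical guessers are scored under a fixed guess budget, their pairwise overlap is measured with Jaccard similarity, and a round-robin combination of their guess lists is scored under the same budget. The guess lists and the target set are constructed sample data, not the paper's datasets.

```python
from itertools import combinations, zip_longest

# Constructed sample data (not from the paper): a small target set and the
# ordered guess lists of three hypothetical guessers, each trained the same way.
TARGET = {"password", "123456", "qwerty", "letmein", "iloveyou",
          "dragon", "monkey", "sunshine", "princess", "football"}
GUESSERS = {
    "wordlist": ["password", "123456", "qwerty", "letmein",
                 "abc123", "monkey", "master", "welcome"],
    "markov":   ["123456", "password", "iloveyou", "sunshine",
                 "dragon", "123123", "princess", "baseball"],
    "pcfg":     ["password1", "football", "qwerty", "dragon",
                 "123456", "letmein", "shadow", "hunter"],
}

def crack_rate(guesses, target, budget):
    """Fraction of `target` hit by the first `budget` guesses."""
    return len(set(guesses[:budget]) & target) / len(target)

def jaccard(a, b):
    """Overlap of two guess sets: |a & b| / |a | b| (1.0 means identical guesses)."""
    return len(a & b) / len(a | b)

def interleave(guess_lists, budget):
    """Round-robin merge of several guess lists, deduplicated and cut to `budget`."""
    merged, seen = [], set()
    for rank in zip_longest(*guess_lists):
        for guess in rank:
            if guess is None or guess in seen:
                continue
            seen.add(guess)
            merged.append(guess)
            if len(merged) == budget:
                return merged
    return merged

def compare(guessers, target, budget):
    """Per-guesser crack rate, pairwise overlap, and crack rate of the combination."""
    rates = {n: crack_rate(g, target, budget) for n, g in guessers.items()}
    overlap = {(a, b): jaccard(set(guessers[a][:budget]), set(guessers[b][:budget]))
               for a, b in combinations(guessers, 2)}
    combined = crack_rate(interleave(list(guessers.values()), budget), target, budget)
    return rates, overlap, combined

if __name__ == "__main__":
    rates, overlap, combined = compare(GUESSERS, TARGET, budget=8)
    print(rates, overlap, combined)
```

With a budget of 8 guesses, each guesser alone cracks at most 60% of the sample target set while the interleaved combination cracks 70%, because the low pairwise overlap means each guesser contributes guesses the others do not make.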
