Birthday, Name and Bifacial-security: Understanding Passwords of Chinese Web Users

Much attention has been paid to passwords chosen by English-speaking users, yet only a few studies have examined how non-English-speaking users select passwords. In this paper, we perform an extensive empirical analysis of 73.1 million real-world Chinese web passwords in comparison with 33.2 million English counterparts. We highlight a number of interesting structural and semantic characteristics of Chinese passwords. We further evaluate the security of these passwords by employing two state-of-the-art cracking techniques. In particular, our cracking results reveal the bifacial-security nature of Chinese passwords. They are weaker than English passwords against online guessing attacks (i.e., when the allowed number of guesses is small, 1 to 10^4). But the remaining Chinese passwords, those not cracked within that small budget, are stronger than their English counterparts against offline guessing attacks (i.e., when the number of guesses is large, >10^5). This reconciles two conflicting claims about the strength of Chinese passwords made by Bonneau (IEEE S&P'12) and Li et al. (USENIX Security'14 and IEEE TIFS'16). At 10^7 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is 33.2% to 49.8%, indicating that our attack cracks 92% to 188% more passwords than the state of the art. We also discuss the implications of our findings for password policies, strength meters and cracking.

[1] Blase Ur et al. Do Users' Perceptions of Password Security Match Reality?, 2016, CHI.

[2] Ryan Riley et al. Your culture is in your password: An analysis of a demographically-diverse password dataset, 2018, Comput. Secur.

[3] Mohammad Mannan et al. From Very Weak to Very Strong: Analyzing Password-Strength Meters, 2014, NDSS.

[4] Daniel Lowe Wheeler. zxcvbn: Low-Budget Password Strength Estimation, 2016, USENIX Security Symposium.

[5] Samson Zhou et al. On the Economics of Offline Password Cracking, 2018, IEEE Symposium on Security and Privacy (SP).

[6] Paul C. van Oorschot et al. Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts, 2014, USENIX Security Symposium.

[7] Maximilian Golla et al. On the Accuracy of Password Strength Meters, 2018, CCS.

[8] Daniel Klein et al. Foiling the cracker: A survey of, and improvements to, password security, 1992.

[9] Sudhir Aggarwal et al. Password Cracking Using Probabilistic Context-Free Grammars, 2009, IEEE Symposium on Security and Privacy.

[10] Huang Xiaoming. Research on Keyboard Layout for Chinese Pinyin IME, 2010.

[11] Joseph Bonneau et al. Guessing human-chosen secrets, 2012.

[12] Ping Wang et al. The Emperor's New Password Creation Policies, 2015, IACR Cryptol. ePrint Arch.

[13] Zhiqiang Lin et al. A Measurement Study of Authentication Rate-Limiting Mechanisms of Modern Websites, 2018, ACSAC.

[14] Maurizio Filippone et al. Monte Carlo Strength Evaluation: Fast and Reliable Password Checking, 2015, CCS.

[15] William A. Gale et al. Good-Turing Smoothing Without Tears, 2001.

[16] Elizabeth Stobert et al. The Password Life Cycle, 2018, ACM Trans. Priv. Secur.

[17] Ray A. Perlner et al. Digital Identity Guidelines: Authentication and Lifecycle Management, 2017.

[18] Steven Furnell et al. Evaluating the effect of guidance and feedback upon password compliance, 2017.

[19] Wenyuan Xu et al. A Large-Scale Empirical Analysis of Chinese Web Passwords, 2014, USENIX Security Symposium.

[20] Julie Thorpe et al. Visualizing semantics in passwords: the role of dates, 2012, VizSec '12.

[21] Joseph Bonneau et al. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords, 2012, IEEE Symposium on Security and Privacy.

[22] Alan S. Brown et al. Generating and remembering passwords, 2004.

[23] Chris Kanich et al. Leveraging Semantic Transformation to Investigate Password Habits and Their Causes, 2018, CHI.

[24] Claude Castelluccia et al. Adaptive Password-Strength Meters from Markov Models, 2012, NDSS.

[25] Cormac Herley et al. A large-scale study of web password habits, 2007, WWW '07.

[26] Rob Johnson et al. The password allocation problem: strategies for reusing passwords effectively, 2013, WPES.

[27] Ping Wang et al. fuzzyPSM: A New Password Strength Meter Using Fuzzy Probabilistic Context-Free Grammars, 2016, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[28] Sakshi Jain et al. Who Are You? A Statistical Approach to Measuring User Authenticity, 2016, NDSS.

[29] J. Yan et al. Password memorability and security: empirical results, 2004, IEEE Security & Privacy Magazine.

[30] Vitaly Shmatikov et al. Fast dictionary attacks on passwords using time-space tradeoff, 2005, CCS '05.

[31] Nikita Borisov et al. The Tangled Web of Password Reuse, 2014, NDSS.

[32] Blase Ur et al. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation, 2012, USENIX Security Symposium.

[33] Joseph Bonneau et al. Differentially Private Password Frequency Lists, 2016, NDSS.

[34] Ken Thompson et al. Password security: a case history, 1979, CACM.

[35] Frank Stajano et al. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, 2012, IEEE Symposium on Security and Privacy.

[36] Konstantin Beznosov et al. Does my password go up to eleven?: the impact of password meters on password selection, 2013, CHI.

[37] Ninghui Li et al. A Study of Probabilistic Password Models, 2014, IEEE Symposium on Security and Privacy.

[38] Lujo Bauer et al. Let's Go in for a Closer Look: Observing Passwords in Their Natural Habitat, 2017, CCS.

[39] Markus Jakobsson et al. The Benefits of Understanding Passwords, 2012, HotSec.

[40] Sudhir Aggarwal et al. Testing metrics for password creation policies by attacking large sets of revealed passwords, 2010, CCS '10.

[41] Wenyuan Xu et al. Regional Patterns and Vulnerability Analysis of Chinese Web Passwords, 2016, IEEE Transactions on Information Forensics and Security.

[42] Gang Wang et al. The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services, 2018, CODASPY.

[43] Blase Ur et al. Measuring password guessability for an entire university, 2013, CCS.

[44] Blase Ur et al. Designing Password Policies for Strength and Usability, 2016, ACM Trans. Inf. Syst. Secur.

[45] Ping Wang et al. Zipf's Law in Passwords, 2017, IEEE Transactions on Information Forensics and Security.

[46] Frank Stajano et al. Passwords and the evolution of imperfect authentication, 2015, Commun. ACM.

[47] Ping Wang et al. Targeted Online Password Guessing: An Underestimated Threat, 2016, CCS.

[48] Sherman S. M. Chow et al. Simple Password-Hardened Encryption Services, 2018, USENIX Security Symposium.

[49] Bruce L. Riddle et al. Passwords in use in a university timesharing environment, 1989, Comput. Secur.

[50] Blase Ur et al. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks, 2016, USENIX Annual Technical Conference.