Understanding Offline Password-Cracking Methods: A Large-Scale Empirical Study

Over the past two decades, researchers have proposed several data-driven methods for efficiently guessing user-chosen passwords, for use in password strength metering or password recovery. These methods, however, are usually evaluated under ad hoc scenarios with limited data sets, which motivates us to conduct a systematic, comparative investigation of such state-of-the-art cracking methods on a very large-scale data corpus. In this paper, we present a large-scale empirical study of the password-cracking methods proposed by the academic community since 2005, leveraging about 220 million plaintext passwords leaked from 12 popular websites during the past decade. Specifically, we conduct our empirical evaluation in two cracking scenarios: cracking with extensive knowledge and cracking with limited knowledge. The evaluation concludes that no cracking method outperforms the others in all respects in these offline scenarios. Actual cracking performance is determined by multiple factors, including the underlying model principle along with dataset attributes such as length and structure characteristics. We then evaluate further by analyzing the set of cracked passwords in each target dataset. Several observations from this analysis explain many cracking behaviors, and we derive suggestions on how to choose a more effective password-cracking method under these two offline cracking scenarios.
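The comparison the abstract describes, running one guessing model against a test set from the same source as its training data (extensive knowledge) and against a test set from a different source (limited knowledge) and comparing guess numbers, as an added example that is not code from the paper: a small order-2 character Markov model with add-k smoothing and best-first ordered enumeration in the style of OMEN, trained on a constructed weighted "leak". `TRAIN_SITE_A`, `TEST_SAME_SOURCE`, `TEST_CROSS_SOURCE` and the `MarkovGuesser` class are all constructed here for illustration; none of it is from the paper's corpus or tooling.

```python
"""Guess-number evaluation of a password model under a same-source
(extensive-knowledge) and a cross-source (limited-knowledge) split.

Added example, not code from the paper. The training "leak" and both test
sets are constructed here; they are not from the paper's 220M-password corpus.
"""
import heapq
import math
from collections import Counter, defaultdict

START, END = "^", "$"   # padding symbols; assumed absent from the passwords

# Constructed weighted training set: (password, number of users who chose it).
TRAIN_SITE_A = [
    ("123456", 6), ("password", 5), ("iloveyou", 3), ("qwerty", 3),
    ("dragon", 2), ("abc123", 2), ("letmein", 2), ("monkey", 2),
    ("123456789", 2), ("baseball", 1), ("sunshine", 1), ("princess", 1),
]
# Same source as the training data: shares its length and structure habits.
TEST_SAME_SOURCE = ["123456", "password", "dragon", "iloveyou1", "qwerty12"]
# Different source: upper case, symbols and the digit 0 never occur in training.
TEST_CROSS_SOURCE = ["123456", "Summer2019!", "P@ssw0rd", "football", "baseball1"]


class MarkovGuesser:
    """Order-n character Markov model with add-k smoothing and ordered
    (best-first) guess enumeration, in the spirit of OMEN (constructed here)."""

    def __init__(self, weighted_passwords, order=2, k=0.01):
        self.order, self.k = order, k
        self.counts = defaultdict(Counter)   # context -> Counter(next symbol)
        self.totals = Counter()              # context -> total observations
        alphabet = set()
        for pw, n in weighted_passwords:
            alphabet.update(pw)
            padded = START * order + pw + END
            for i in range(order, len(padded)):
                ctx, sym = padded[i - order:i], padded[i]
                self.counts[ctx][sym] += n
                self.totals[ctx] += n
        self.alphabet = alphabet
        self.outcomes = sorted(alphabet) + [END]

    def log_cond(self, ctx, sym):
        """log P(sym | ctx) with add-k smoothing over every outcome."""
        ctr = self.counts.get(ctx)
        c = ctr.get(sym, 0) if ctr else 0
        denom = self.totals[ctx] + self.k * len(self.outcomes)
        return math.log((c + self.k) / denom)

    def log_prob(self, pw):
        """Model log-probability of pw; -inf if pw uses a character the
        model never saw, since such a string can never be enumerated."""
        if any(ch not in self.alphabet for ch in pw):
            return float("-inf")
        padded = START * self.order + pw + END
        return sum(self.log_cond(padded[i - self.order:i], padded[i])
                   for i in range(self.order, len(padded)))

    def enumerate_guesses(self, budget, max_len=12):
        """Return the `budget` most probable strings in non-increasing
        probability order. Lazy best-first expansion keeps only one pending
        sibling per expanded prefix on the heap instead of all children."""
        ranked, heap = {}, []

        def successors(ctx, at_max):
            key = (ctx, at_max)
            if key not in ranked:                 # only END is allowed at max_len
                syms = [END] if at_max else self.outcomes
                ranked[key] = sorted((-self.log_cond(ctx, s), s) for s in syms)
            return ranked[key]

        def push(neg_prefix, prefix, idx):
            succ = successors(prefix[-self.order:], len(prefix) - self.order >= max_len)
            if idx < len(succ):
                cost, sym = succ[idx]
                heapq.heappush(heap, (neg_prefix + cost, neg_prefix, prefix, idx, sym))

        push(0.0, START * self.order, 0)
        guesses = []
        while heap and len(guesses) < budget:
            neg, neg_prefix, prefix, idx, sym = heapq.heappop(heap)
            push(neg_prefix, prefix, idx + 1)       # next-best sibling extension
            if sym == END:
                guesses.append(prefix[self.order:])  # a complete password guess
            else:
                push(neg, prefix + sym, 0)           # best child of this extension
        return guesses


def guess_numbers(guesses, passwords):
    """Map each password to its 1-based guess number, or None if the
    enumeration did not produce it within the budget."""
    rank = {g: i + 1 for i, g in enumerate(guesses)}
    return {pw: rank.get(pw) for pw in passwords}


def cracked_fraction(numbers):
    return sum(1 for n in numbers.values() if n is not None) / len(numbers)


def run_evaluation(budget=1000):
    """Train on site A, enumerate a guess budget, score both test sets."""
    model = MarkovGuesser(TRAIN_SITE_A)
    guesses = model.enumerate_guesses(budget)
    same = guess_numbers(guesses, TEST_SAME_SOURCE)
    cross = guess_numbers(guesses, TEST_CROSS_SOURCE)
    return model, guesses, same, cross


if __name__ == "__main__":
    model, guesses, same, cross = run_evaluation()
    for name, result in (("same-source", same), ("cross-source", cross)):
        print(f"{name}: cracked {cracked_fraction(result):.0%} within {len(guesses)} guesses")
        for pw, n in result.items():
            print(f"  {pw:12s} " + (f"guess #{n}" if n else "not cracked"))
```

A password's guess number is its position in the enumeration, so a strength meter and a cracking evaluation use the same quantity. The cross-source set shows the dataset-attribute effect the abstract refers to: passwords built from characters the training data never contained get zero probability under this model and are never produced, however large the budget, while the same-source set is cracked quickly because its structure matches the training distribution. At the scale of the paper's corpus, exhaustive enumeration is replaced by Monte Carlo guess-number estimation; the comparison logic is the same.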
