487 research outputs found
Password Cracking and Countermeasures in Computer Security: A Survey
With the rapid development of internet technologies, social networks, and
other related areas, user authentication becomes more and more important to
protect the data of the users. Password authentication is one of the widely
used methods to achieve authentication for legal users and defense against
intruders. There have been many password cracking methods developed during the
past years, and people have been designing the countermeasures against password
cracking all the time. However, we find that the survey work on the password
cracking research has not been done very much. This paper is mainly to give a
brief review of the password cracking methods, import technologies of password
cracking, and the countermeasures against password cracking that are usually
designed at two stages including the password design stage (e.g. user
education, dynamic password, use of tokens, computer generations) and after the
design (e.g. reactive password checking, proactive password checking, password
encryption, access control). The main objective of this work is offering the
abecedarian IT security professionals and the common audiences with some
knowledge about the computer security and password cracking, and promoting the
development of this area.Comment: add copyright to the tables to the original authors, add
acknowledgement to helpe
PassGAN: A Deep Learning Approach for Password Guessing
State-of-the-art password guessing tools, such as HashCat and John the
Ripper, enable users to check billions of passwords per second against password
hashes. In addition to performing straightforward dictionary attacks, these
tools can expand password dictionaries using password generation rules, such as
concatenation of words (e.g., "password123456") and leet speak (e.g.,
"password" becomes "p4s5w0rd"). Although these rules work well in practice,
expanding them to model further passwords is a laborious task that requires
specialized expertise. To address this issue, in this paper we introduce
PassGAN, a novel approach that replaces human-generated password rules with
theory-grounded machine learning algorithms. Instead of relying on manual
password analysis, PassGAN uses a Generative Adversarial Network (GAN) to
autonomously learn the distribution of real passwords from actual password
leaks, and to generate high-quality password guesses. Our experiments show that
this approach is very promising. When we evaluated PassGAN on two large
password datasets, we were able to surpass rule-based and state-of-the-art
machine learning password guessing tools. However, in contrast with the other
tools, PassGAN achieved this result without any a-priori knowledge on passwords
or common password structures. Additionally, when we combined the output of
PassGAN with the output of HashCat, we were able to match 51%-73% more
passwords than with HashCat alone. This is remarkable, because it shows that
PassGAN can autonomously extract a considerable number of password properties
that current state-of-the art rules do not encode.Comment: This is an extended version of the paper which appeared in NeurIPS
2018 Workshop on Security in Machine Learning (SecML'18), see
https://github.com/secml2018/secml2018.github.io/raw/master/PASSGAN_SECML2018.pd
Analysis of real-world passwords for social media sites
Textual passwords have dominated all other entity authentication mechanisms since they were introduced in the early 1960’s. Despite an inherent weakness against social engineering, keylogging, shoulder surfing, dictionary, and brute-force attacks, password authentication continues to grow as the Internet expands. Existing research on password authentication proves that dictionary attacks are successful because users make poor choices when creating passwords. To make passwords easier to remember, users select character strings that are shorter in length and contain memorable content, like personal identity information, common words found in a dictionary, backward spellings of common words, recognizable sequences, and easily guessed mnemonic phrases.
A number of these studies identify weaknesses found in passwords on social media sites [1] [2] [3] [4] [5]. However, this body of work fails to explore whether users choose more secure passwords on accounts that protect their professional online identity than they choose on accounts that are used for personal entertainment. In this study, we first cracked passwords from the over 6.4 million unsalted, SHA-1 hashed passwords stolen from the professional, social media site, LinkedIn. Next, we analyzed the length, character set composition, and entropy score of the passwords recovered. Then, we compared our results to the analysis of passwords performed by Weir, et al. on the RockYou! dataset to determine whether professionals protecting their online presence chose wiser passwords than social media site users who play online games.
In our analysis we found that the users of the professional, social media site, LinkedIn, chose more secure passwords than the users of the social media gaming site, RockYou!. LinkedIn passwords contained a greater percentage of numbers, special characters, and uppercase letters than RockYou!. We also found that the LinkedIn passwords utilized special characters more frequently, but RockYou! passwords applied special character less predictably
- …