265,259 research outputs found
Password Cracking and Countermeasures in Computer Security: A Survey
With the rapid development of internet technologies, social networks, and
other related areas, user authentication becomes more and more important to
protect the data of the users. Password authentication is one of the widely
used methods to achieve authentication for legal users and defense against
intruders. There have been many password cracking methods developed during the
past years, and people have been designing the countermeasures against password
cracking all the time. However, we find that the survey work on the password
cracking research has not been done very much. This paper is mainly to give a
brief review of the password cracking methods, import technologies of password
cracking, and the countermeasures against password cracking that are usually
designed at two stages including the password design stage (e.g. user
education, dynamic password, use of tokens, computer generations) and after the
design (e.g. reactive password checking, proactive password checking, password
encryption, access control). The main objective of this work is offering the
abecedarian IT security professionals and the common audiences with some
knowledge about the computer security and password cracking, and promoting the
development of this area.Comment: add copyright to the tables to the original authors, add
acknowledgement to helpe
PassGAN: A Deep Learning Approach for Password Guessing
State-of-the-art password guessing tools, such as HashCat and John the
Ripper, enable users to check billions of passwords per second against password
hashes. In addition to performing straightforward dictionary attacks, these
tools can expand password dictionaries using password generation rules, such as
concatenation of words (e.g., "password123456") and leet speak (e.g.,
"password" becomes "p4s5w0rd"). Although these rules work well in practice,
expanding them to model further passwords is a laborious task that requires
specialized expertise. To address this issue, in this paper we introduce
PassGAN, a novel approach that replaces human-generated password rules with
theory-grounded machine learning algorithms. Instead of relying on manual
password analysis, PassGAN uses a Generative Adversarial Network (GAN) to
autonomously learn the distribution of real passwords from actual password
leaks, and to generate high-quality password guesses. Our experiments show that
this approach is very promising. When we evaluated PassGAN on two large
password datasets, we were able to surpass rule-based and state-of-the-art
machine learning password guessing tools. However, in contrast with the other
tools, PassGAN achieved this result without any a-priori knowledge on passwords
or common password structures. Additionally, when we combined the output of
PassGAN with the output of HashCat, we were able to match 51%-73% more
passwords than with HashCat alone. This is remarkable, because it shows that
PassGAN can autonomously extract a considerable number of password properties
that current state-of-the art rules do not encode.Comment: This is an extended version of the paper which appeared in NeurIPS
2018 Workshop on Security in Machine Learning (SecML'18), see
https://github.com/secml2018/secml2018.github.io/raw/master/PASSGAN_SECML2018.pd
The true cost of unusable password policies: password use in the wild
HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use
Forensically-Sound Analysis of Security Risks of using Local Password Managers
Password managers have been developed to address the human challenges associated with password security, i.e., to solve usability issues in a secure way. They offer, e.g., features to create strong passwords, to manage the increasing number of passwords a typical user has, and to auto-fill passwords, sparing users the hassle of not only remembering but also typing them. Previous studies have focused mainly on the security analysis of cloud-based and browser-based password managers; security of local password managers remains mostly under-explored. This paper takes a forensic approach and reports on a case study of three popular local password managers: KeePass (v2.28), Password Safe (v3.35.1) and RoboForm (v7.9.12). Results revealed that either the master password or the content of the password database could be found unencrypted in Temp folders, Page files or Recycle bin, even after the applications had been closed. Therefore, an attacker or malware with temporary access to the computer on which the password managers were running may be able to steal sensitive information, even though these password managers are meant to keep the databases encrypted and protected at all times
Interpretable Probabilistic Password Strength Meters via Deep Learning
Probabilistic password strength meters have been proved to be the most
accurate tools to measure password strength. Unfortunately, by construction,
they are limited to solely produce an opaque security estimation that fails to
fully support the user during the password composition. In the present work, we
move the first steps towards cracking the intelligibility barrier of this
compelling class of meters. We show that probabilistic password meters
inherently own the capability of describing the latent relation occurring
between password strength and password structure. In our approach, the security
contribution of each character composing a password is disentangled and used to
provide explicit fine-grained feedback for the user. Furthermore, unlike
existing heuristic constructions, our method is free from any human bias, and,
more importantly, its feedback has a clear probabilistic interpretation. In our
contribution: (1) we formulate the theoretical foundations of interpretable
probabilistic password strength meters; (2) we describe how they can be
implemented via an efficient and lightweight deep learning framework suitable
for client-side operability.Comment: An abridged version of this paper appears in the proceedings of the
25th European Symposium on Research in Computer Security (ESORICS) 202
- …