A Large-Scale Analysis of the Semantic Password Model and Linguistic Patterns in Passwords

Published: 20 April 2021

Abstract

In this article, we present a thorough evaluation of semantic password grammars. We report multifactorial experiments that test the impact of sample size, probability smoothing, and linguistic information on password cracking. The semantic grammars are compared with state-of-the-art probabilistic context-free grammar (PCFG) and neural network models, and tested in cross-validation and A vs. B scenarios. We present results that reveal the contributions of part-of-speech (syntactic) and semantic patterns, and suggest that the former are more consequential to the security of passwords. Our results show that in many cases PCFGs are still competitive models compared to their latest neural network counterparts. In addition, we show that there is little performance gain in training PCFGs with more than 1 million passwords. We present qualitative analyses of four password leaks (Mate1, 000webhost, Comcast, and RockYou) based on trained semantic grammars, and derive graphical models that capture high-level dependencies between token classes. Finally, we confirm the similarity inferences from our qualitative analysis by examining the effectiveness of grammars trained and tested on all pairs of leaks.
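The abstract names the ingredients the experiments vary (a PCFG over base structures, probability smoothing, training sample size, and A vs. B evaluation across leaks) but, being an abstract, shows none of them. Below is an added example written for this page, not code from the paper or its authors: a minimal PCFG password guesser in the style of Weir et al.'s 2009 PCFG cracker, trained on a constructed toy leak LEAK_A, evaluated A-vs-B against a constructed LEAK_B, with additive smoothing that admits unseen words from a constructed WORDLIST. The leaks, the wordlist, the smoothing scheme and every identifier in it are assumptions of the example; only the L/D/S class+length base-structure symbols follow Weir et al.'s convention. It has no part-of-speech or semantic tagging, so it is the baseline the paper's semantic grammars are compared against, not the semantic model itself.

```python
"""Minimal Weir-style PCFG password guesser (added illustration, not the paper's code).

Passwords are split into alpha/digit/symbol runs, each run becomes a class+length
symbol (L8, D3, S1, ...), and the model learns P(guess) = P(base structure) *
prod P(terminal | symbol) from a leak, then enumerates guesses in cracking order.
"""
import heapq
import math
import re
from collections import Counter, defaultdict

# Constructed toy leaks and wordlist; none of this is real leaked data.
LEAK_A = ["password1", "password1", "password123", "password!", "iloveyou",
          "iloveyou1", "monkey1", "monkey123", "qwerty1", "qwerty123",
          "dragon!", "letmein!", "letmein1", "love2010", "love123", "summer2010"]
LEAK_B = ["password2", "iloveyou1", "monkey!", "summer123", "dragon1",
          "winter2010", "letmein123", "football1"]
WORDLIST = ["football", "winter", "sunshine", "spring"]

TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")

def tokenize(pw):
    """'love2010!' -> ['love', '2010', '!'] (maximal alpha / digit / symbol runs)."""
    return TOKEN_RE.findall(pw)

def tag(tok):
    """Base-structure symbol for one run: class letter plus length, e.g. 'L4'."""
    cls = "L" if tok.isalpha() else "D" if tok.isdigit() else "S"
    return f"{cls}{len(tok)}"

class PCFG:
    def __init__(self, smoothing=0.0, dictionary=()):
        # `smoothing` is an additive pseudo-count on every terminal of a symbol.
        # With a wordlist, unseen words of the right length enter the L tables
        # carrying only the pseudo-count, so they become guessable at low rank.
        self.smoothing = smoothing
        self.dictionary = defaultdict(set)
        for w in dictionary:
            self.dictionary[tag(w)].add(w)
        self.structures = Counter()             # ('L8', 'D1') -> count
        self.terminals = defaultdict(Counter)   # 'D1' -> {'1': 6, ...}

    def train(self, passwords):
        for pw in passwords:
            toks = tokenize(pw)
            self.structures[tuple(tag(t) for t in toks)] += 1
            for t in toks:
                self.terminals[tag(t)][t] += 1

    def _terminal_probs(self, sym):
        table = dict(self.terminals[sym])
        k = self.smoothing
        if k > 0:
            for w in self.dictionary.get(sym, ()):
                table.setdefault(w, 0)  # dictionary word never seen in training
        total = sum(table.values()) + k * len(table)
        return {t: (c + k) / total for t, c in table.items()}

    def guesses(self, limit):
        """Up to `limit` (guess, probability) pairs in non-increasing probability.

        Terminal lists are sorted by descending probability, so advancing one index
        of a structure's index tuple can only lower the product: a heap seeded with
        (0, ..., 0) per structure pops guesses in order without materialising the
        space (Weir et al.'s "next" function, with a seen-set for duplicates).
        """
        tables = {s: sorted(self._terminal_probs(s).items(), key=lambda kv: -kv[1])
                  for s in self.terminals}
        n = sum(self.structures.values())

        def prob(p_struct, struct, idx):
            return p_struct * math.prod(tables[s][i][1] for s, i in zip(struct, idx))

        heap, seen, out = [], set(), []
        for struct, cnt in self.structures.items():
            idx = (0,) * len(struct)
            heapq.heappush(heap, (-prob(cnt / n, struct, idx), struct, cnt / n, idx))
            seen.add((struct, idx))
        while heap and len(out) < limit:
            negp, struct, p_struct, idx = heapq.heappop(heap)
            out.append(("".join(tables[s][i][0] for s, i in zip(struct, idx)), -negp))
            for pos in range(len(idx)):
                child = idx[:pos] + (idx[pos] + 1,) + idx[pos + 1:]
                if child[pos] < len(tables[struct[pos]]) and (struct, child) not in seen:
                    seen.add((struct, child))
                    heapq.heappush(heap, (-prob(p_struct, struct, child), struct, p_struct, child))
        return out

def crack_rate(model, targets, budget):
    """A-vs-B evaluation: fraction of `targets` hit within the first `budget` guesses."""
    guessed = {g for g, _ in model.guesses(budget)}
    return sum(1 for t in targets if t in guessed) / len(targets)

if __name__ == "__main__":
    for model in (PCFG(), PCFG(smoothing=1.0, dictionary=WORDLIST)):
        model.train(LEAK_A)
        print(model.guesses(3), crack_rate(model, LEAK_B, 100))
```

Run directly, it prints the three most probable guesses and the A-to-B crack rate for the plain and the smoothed model. On the constructed data the unsmoothed model recovers 4 of the 8 LEAK_B passwords (password1 is its top guess with probability 0.125); with +1 smoothing and the wordlist it also reaches football1 and winter2010 (6 of 8). Two targets stay out of reach either way: password2, because the digit 2 never occurs as a D1 terminal, and letmein123, because the base structure L7 D3 never occurs in LEAK_A. Smoothing of the terminal tables does nothing for an unseen structure; that is the kind of gap only a larger training sample closes, which is the sample-size question the abstract raises.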

    Published In

    ACM Transactions on Privacy and Security, Volume 24, Issue 3
    August 2021
    286 pages
    ISSN: 2471-2566
    EISSN: 2471-2574
    DOI: 10.1145/3450360
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 20 April 2021
    Accepted: 01 January 2021
    Revised: 01 January 2021
    Received: 01 February 2019
    Published in TOPS Volume 24, Issue 3

    Author Tags

    1. PCFG
    2. Password guessing
    3. probabilistic context-free grammars
    4. semantics

    Qualifiers

    • Research-article
    • Research
    • Refereed

    Funding Sources

    • Canada Research Chairs Program
    • Natural Sciences and Engineering Research Council of Canada (NSERC)

    Article Metrics

    • Downloads (Last 12 months)74
    • Downloads (Last 6 weeks)10
    Reflects downloads up to 15 Oct 2024

    Cited By

    • (2024) Evaluating password strength based on information spread on social networks: A combined approach relying on data reconstruction and generative models. Online Social Networks and Media 42, 100278. doi:10.1016/j.osnem.2024.100278. Online publication date: Aug-2024.
    • (2024) PassTSL: Modeling Human-Created Passwords Through Two-Stage Learning. Information Security and Privacy, 404-423. doi:10.1007/978-981-97-5101-3_22. Online publication date: 15-Jul-2024.
    • (2024) Password Cracking by Exploiting User Group Information. Security and Privacy in Communication Networks, 514-532. doi:10.1007/978-3-031-64948-6_26. Online publication date: 13-Oct-2024.
    • (2023) Password guessing using random forest. Proceedings of the 32nd USENIX Conference on Security Symposium, 965-982. doi:10.5555/3620237.3620292. Online publication date: 9-Aug-2023.
    • (2023) A Systematic Review on Password Guessing Tasks. Entropy 25(9), 1303. doi:10.3390/e25091303. Online publication date: 7-Sep-2023.
    • (2023) PassViz: An Interactive Visualisation System for Analysing Leaked Passwords. 2023 IEEE Symposium on Visualization for Cyber Security (VizSec), 33-42. doi:10.1109/VizSec60606.2023.00011. Online publication date: 25-Oct-2023.
    • (2023) Computable Access Control: Embedding Access Control Rules Into Euclidean Space. IEEE Transactions on Systems, Man, and Cybernetics: Systems 53(10), 6530-6541. doi:10.1109/TSMC.2023.3283527. Online publication date: Oct-2023.
    • (2023) How Password Strength Becomes a Weak Link for Honeywords. 2023 11th International Conference in Software Engineering Research and Innovation (CONISOFT), 99-107. doi:10.1109/CONISOFT58849.2023.00022. Online publication date: 6-Nov-2023.
    • (2023) Beyond Chunking: Re-Engineering Password Segmentation for Better Honeywords. 2023 11th International Conference in Software Engineering Research and Innovation (CONISOFT), 92-98. doi:10.1109/CONISOFT58849.2023.00021. Online publication date: 6-Nov-2023.
    • (2023) Privacy-centered authentication. Computers and Security 132(C). doi:10.1016/j.cose.2023.103353. Online publication date: 1-Sep-2023.
