Abstract
The persistence of the single password as the dominant method of authentication has driven both the efforts of system administrators to nudge users towards stronger, safer passwords and the sophistication of the password cracking methods chosen by their adversaries. In this constantly moving landscape, the use of wordlists to generate smarter password candidates raises the question of how to assess which wordlist is better. In this paper, we present a novel modular framework to measure the quality of input wordlists according to several interconnecting metrics. Furthermore, we have conducted a preliminary analysis in which we assess different input wordlists to showcase the framework's evaluation process.
Notes
- 1.
The salt is a random value (a couple of characters in classic Unix crypt(3), 16 bytes or more in modern password hashing schemes) that is concatenated to the password before hashing it. Identical passwords therefore hash to different values, and a precomputed table of hashes cannot be reused across accounts: each candidate from a wordlist has to be re-hashed under every account's salt.
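The effect described in note 1, as an added example that is not part of the paper and not the PCWQ framework itself: two accounts with the same password get different salted hashes, and a wordlist attack must re-hash every candidate per account. The per-account "coverage" figure at the end is one simple, illustrative quality signal for a wordlist, chosen here for the example; the wordlist, the usernames and the passwords are constructed for this demonstration.

```python
import hashlib
import os

# Constructed sample wordlist for this example (not from the paper).
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon"]


def hash_password(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored next to the digest, not secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, salt_len: int = 16) -> tuple:
    """Create a stored credential (salt, digest) with a fresh 16-byte random salt."""
    salt = os.urandom(salt_len)
    return salt, hash_password(password, salt)


def same_password_different_hash(password: str) -> bool:
    """Two accounts with an identical password must not share a digest."""
    salt1, digest1 = make_record(password)
    salt2, digest2 = make_record(password)
    return salt1 != salt2 and digest1 != digest2


def crack(records: dict, wordlist: list, iterations: int = 20_000) -> dict:
    """Dictionary attack against salted records.

    Because of the salt, every candidate is re-hashed for every account, so the
    work is len(records) * len(wordlist) hash computations and nothing can be
    precomputed once and reused across accounts.
    """
    cracked = {}
    for user, (salt, digest) in records.items():
        for candidate in wordlist:
            if hash_password(candidate, salt, iterations) == digest:
                cracked[user] = candidate
                break
    return cracked


def coverage(records: dict, wordlist: list, iterations: int = 20_000) -> float:
    """Fraction of accounts recovered by the wordlist (an illustrative quality metric)."""
    return len(crack(records, wordlist, iterations)) / len(records)


if __name__ == "__main__":
    # Constructed accounts: two weak passwords that the wordlist contains, one it does not.
    records = {
        "alice": make_record("password"),
        "bob": make_record("correct horse battery staple"),
        "carol": make_record("qwerty"),
    }
    print("same password, different hash:", same_password_different_hash("password"))
    print("cracked:", crack(records, WORDLIST))
    print("coverage: %.2f" % coverage(records, WORDLIST))
```

Running the block prints that the two salted hashes differ, that `alice` and `carol` are recovered while `bob` is not, and a coverage of 0.67 for this constructed set. Comparing two wordlists on the same set of records by this figure, at the same candidate budget, is the kind of like-for-like measurement a quality framework needs.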
Copyright information
© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Kanta, A., Coisel, I., Scanlon, M. (2022). PCWQ: A Framework for Evaluating Password Cracking Wordlist Quality. In: Gladyshev, P., Goel, S., James, J., Markowsky, G., Johnson, D. (eds) Digital Forensics and Cyber Crime. ICDF2C 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 441. Springer, Cham. https://doi.org/10.1007/978-3-031-06365-7_10
DOI: https://doi.org/10.1007/978-3-031-06365-7_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-06364-0
Online ISBN: 978-3-031-06365-7