
Common Passwords and Common Words in Passwords

  • Conference paper
  • Published in: Trends and Innovations in Information Systems and Technologies (WorldCIST 2020)

Abstract

Passwords often include dictionary words or meaningful strings. Figuring out these words or strings may significantly reduce the number of password guesses needed. The wordlists used by password cracking software, such as Hashcat, typically include the words from various dictionaries and leaked plaintext passwords. Is it really necessary to put all dictionary words and leaked passwords into the wordlist? In this work, we use the Mac system dictionary and the rockyou.com leak as two sample wordlists and check them against the substrings of over 600 million leaked passwords from different websites. We find that only a small portion of the words from these two wordlists appear in the leaked passwords. More specifically, about 90,000 out of 235,886 Mac dictionary words and about six million out of 13 million unique rockyou.com passwords are used by the leaked passwords. In addition, we find that a small portion of unique passwords are shared by a large portion of accounts.
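The two measurements the abstract describes, as an added example that is not the paper's own code: a substring check of leaked passwords against a wordlist, and the share of accounts covered by the most common passwords. The wordlist and the (password, account count) records are constructed here, and the use of Aho-Corasick multi-pattern matching is an assumption of this example, not necessarily the authors' method.

```python
from collections import Counter, deque
# Constructed sample data, not the Mac dictionary or rockyou.com data.
WORDLIST = ["love", "monkey", "dragon", "password", "qwerty", "zebra", "quartz"]
LEAK = [("password1", 5000), ("iloveyou", 3000), ("monkey123", 1200), ("dragon", 900),
        ("qwerty!", 800), ("letmein", 300), ("Zx9#kL", 1), ("h7$Tq2", 1)]

def build_automaton(words):
    """Aho-Corasick automaton: trie transitions, failure links, output lists."""
    goto, fail, out = [{}], [0], [[]]
    for i, w in enumerate(words):
        s = 0
        for ch in w:
            if ch not in goto[s]:
                goto[s][ch] = len(goto)
                goto.append({}); fail.append(0); out.append([])
            s = goto[s][ch]
        out[s].append(i)
    queue = deque(goto[0].values())  # depth-1 states fail back to the root
    while queue:
        r = queue.popleft()
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] = out[s] + out[fail[s]]  # inherit matches of shorter suffixes
            queue.append(s)
    return goto, fail, out

def words_in(text, automaton):
    """Indices of every wordlist entry that occurs as a substring of text."""
    goto, fail, out = automaton
    s, hits = 0, set()
    for ch in text:
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        hits.update(out[s])
    return hits

def wordlist_coverage(words, leak):
    # Wordlist entries that appear inside at least one leaked password (one scan per password).
    automaton = build_automaton(words)
    used = set().union(*(words_in(pw.lower(), automaton) for pw, _ in leak))
    return sorted(words[i] for i in used)

def account_share(leak, top_n):
    # Fraction of all accounts that use one of the top_n most common unique passwords.
    counts = Counter(dict(leak))  # assumes each password appears once in leak
    return sum(n for _, n in counts.most_common(top_n)) / sum(counts.values())
```

With the constructed data, five of the seven wordlist entries ever appear in a password, and the two most common passwords alone account for over 70 percent of the accounts.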

This work is supported by the ELSA high-performance computing cluster at The College of New Jersey. ELSA is funded by National Science Foundation grant OAC-1828163.



Corresponding author: Jikai Li


Copyright information

© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Li, J. et al. (2020). Common Passwords and Common Words in Passwords. In: Rocha, Á., Adeli, H., Reis, L., Costanzo, S., Orovic, I., Moreira, F. (eds) Trends and Innovations in Information Systems and Technologies. WorldCIST 2020. Advances in Intelligent Systems and Computing, vol 1160. Springer, Cham. https://doi.org/10.1007/978-3-030-45691-7_77
