Skip to main content
SpringerLink
Log in
Book cover

International Conference on Cryptology and Network Security

CANS 2021: Cryptology and Network Security pp 412–431Cite as

Towards Quantum Large-Scale Password Guessing on Real-World Distributions

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13099))

Abstract

Password-based authentication is a central tool for end-user security. As part of this, password hashing is used to ensure the security of passwords at rest. If quantum computers become available at sufficient size, they are able to significantly speed up the computation of preimages of hash functions. Using Grover’s algorithm, at most, a square-root speedup can be achieved, and thus it is expected that quantum password guessing also admits a square-root speedup. However, password inputs are not uniformly distributed but highly biased. Moreover, typical password attacks do not only compromise a random user’s password but address a large fraction of all users’ passwords within a database of millions of users.

In this work, we study those quantum large-scale password guessing attacks for the first time. In comparison to classical attacks, we still gain a square-root speedup in the quantum setting when attacking a constant fraction of all passwords, even considering strongly biased password distributions as they appear in real-world password breaches. We verify the accuracy of our theoretical predictions using the LinkedIn leak and derive specific recommendations for password hashing and password security for a quantum computer era.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Aharonov, D., Ben-Or, M.: Fault-tolerant quantum computation with constant error rate. SIAM J. Comput. 38(4), 1207–1282 (2008)

    Article  MathSciNet  Google Scholar 

  2. Bailey, D.V., Dürmuth, M., Paar, C.: Statistics on password re-use and adaptive strength for financial accounts. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 218–235. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_13

    Chapter  Google Scholar 

  3. Biryukov, A., Dinu, D., Khovratovich, D., Josefsson, S.: Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications. RFC 9106, RFC Editor, September 2021. https://tools.ietf.org/html/rfc9106

  4. Blocki, J., Harsha, B., Zhou, S.: On the economics of offline password cracking. In: IEEE Symposium on Security and Privacy. SP 2018, pp. 35–53. IEEE, San Francisco, California, USA, May 2018

    Google Scholar 

  5. Boneh, D., Corrigan-Gibbs, H., Schechter, S.: Balloon hashing: a memory-hard function providing provable protection against sequential attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 220–248. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_8

    Chapter  Google Scholar 

  6. Bonneau, J.: The Science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy. SP 2012, pp. 538–552. IEEE, San Jose, California, USA, May 2012

    Google Scholar 

  7. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. In: Workshop on Physics and Computation. PhysComp 1996, pp. 493–506, Elsevier, Boston, Massachusetts, USA, November 1996

    Google Scholar 

  8. Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Contemporary Math. 305, 53–74 (2002)

    Article  MathSciNet  Google Scholar 

  9. Brewster, T.: Why You Shouldn’t Panic About Dropbox Leaking 68 Million Passwords, August 2016. https://www.forbes.com/sites/thomasbrewster/2016/08/31/dropbox-hacked-but-its-not-that-bad/, as of 2021/11/20 18:59:40

  10. Campbell, E.T., Terhal, B.M., Vuillot, C.: Roads towards fault-tolerant universal quantum computation. Nature 549(7671), 172–179 (2017)

    Article  Google Scholar 

  11. Cho, A.: IBM Promises 1000-Qubit Quantum Computer by 2023, September 2020. https://www.sciencemag.org/news/2020/09/ibm-promises-1000-qubit-quantum-computer-milestone-2023, as of 2021/11/20 18:59:40

  12. Corrigan-Gibbs, H., Wu, D.J., Boneh, D.: Quantum operating systems. In: Workshop on Hot Topics in Operating Systems. HotOS 2017, pp. 76–81. ACM, Vancouver, British Columbia, Canada, May 2017

    Google Scholar 

  13. Crawford, H., Atkin, S.: Quantum authentication: current and future research directions. In: Who Are You?! Adventures in Authentication Workshop. WAY 2019, pp. 1–5, USENIX, Santa Clara, California, USA, August 2019

    Google Scholar 

  14. Croley (“Chick3nman”), S.: Abusing Password Reuse at Scale: Bcrypt and Beyond, August 2018. https://www.youtube.com/watch?v=5su3_Py8iMQ, as of 2021/11/20 18:59:40

  15. Croley (“Chick3nman”), S.: NVIDIA GeForce RTX 3090 Hashcat Benchmarks, November 2020. https://gist.github.com/Chick3nman/e4fcee00cb6d82874dace72106d73fef, as of 2021/11/20 18:59:40

  16. Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: Symposium on Network and Distributed System Security. NDSS 2014, ISOC, San Diego, California, USA, February 2014

    Google Scholar 

  17. Digital Shadows Ltd: From Exposure to Takeover: The 15 Billion Stolen Credentials Allowing Account Takeover, July 2020. https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover, as of 2021/11/20 18:59:40

  18. Florêncio, D., Herley, C.: A large-scale study of web password habits. In: The World Wide Web Conference. WWW 2007, pp. 657–666. ACM, Banff, Alberta, Canada, May 2007

    Google Scholar 

  19. Florêncio, D., Herley, C., Van Oorschot, P.C.: An administrator’s guide to internet password research. In: Large Installation System Administration Conference, pp. 44–61. LISA 2014, USENIX, Seattle, Washington, USA, November 2014

    Google Scholar 

  20. Golla, M., Dürmuth, M.: On the accuracy of password strength meters. In: ACM Conference on Computer and Communications Security. CCS 2018, pp. 1567–1582. ACM, Toronto, Ontario, Canada, October 2018

    Google Scholar 

  21. Golla, M., et al.: What was that site doing with my Facebook password? Designing password-reuse notifications. In: ACM Conference on Computer and Communications Security, pp. 1549–1566. ACM. CCS 2018, Toronto, Ontario, Canada, October 2018

    Google Scholar 

  22. Goodin, D.: Once Seen as Bulletproof, 11 Million+ Ashley Madison Passwords Already Cracked, September 2015. https://arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/, as of 2021/11/20 18:59:40

  23. Gosney (“epixoip”), J.M.: How LinkedIn’s Password Sloppiness Hurts Us All, June 2016. https://arstechnica.com/information-technology/2016/06/how-linkedins-password-sloppiness-hurts-us-all/, as of 2021/11/20 18:59:40

  24. Grassi, P.A., Fenton, J.L., Burr, W.E.: Digital Identity Guidelines - Authentication and Lifecycle Management: NIST Special Publication 800–63B, Jun 2017

    Google Scholar 

  25. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: ACM Symposium on Theory of Computing. STOC 1996, pp. 212–219. ACM, Philadelphia, Pennsylvania, USA, May 1996

    Google Scholar 

  26. Häner, T., Roetteler, M., Svore, K.M.: Factoring using \(2n+2\) qubits with Toffoli based modular multiplication. Quantum Inf. Comput. 17(7–8), 673–684 (2017)

    MathSciNet  Google Scholar 

  27. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

    Chapter  Google Scholar 

  28. Huh, J.H., Kim, H., Bobba, R.B., Bashir, M.N., Beznosov, K.: On the memorability of system-generated PINs: can chunking help? In: Symposium on Usable Privacy and Security, pp. 197–209. SOUPS 2015, USENIX, Ottawa, Canada, July 2015

    Google Scholar 

  29. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

    Chapter  Google Scholar 

  30. Kedem, G., Ishihara, Y.: Brute force attack on UNIX passwords with SIMD computer. In: USENIX Security Symposium. SSYM 1999, pp. 93–98, USENIX, Washington, District of Columbia, USA, August 1999

    Google Scholar 

  31. Knill, E., Laflamme, R., Zurek, W.H.: Resilient quantum computation: error models and thresholds. Proc. Royal Soc. A: Math. Phys. Eng. Sci. 454(1969), 365–384 (1998)

    Article  Google Scholar 

  32. Kuwakado, H., Morii, M.: Security on the quantum-type even-Mansour cipher. In: International Symposium on Information Theory and Its Applications. ISITA 2012, pp. 312–316. IEEE, Honolulu, Hawaii, USA, October 2012

    Google Scholar 

  33. Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6

    Chapter  Google Scholar 

  34. Liu, E., Nakanishi, A., Golla, M., Cash, D., Ur, B.: reasoning analytically about password-cracking software. In: IEEE Symposium on Security and Privacy. SP 2019, pp. 380–397. IEEE, San Francisco, California, USA, May 2019

    Google Scholar 

  35. Malone, D., Maher, K.: Investigating the distribution of password choices. In: The World Wide Web Conference. WWW 2012, pp. 301–310. ACM, Lyon, France, April 2012

    Google Scholar 

  36. Mirian, A., DeBlasio, J., Savage, S., Voelker, G.M., Thomas, K.: Hack for hire: exploring the emerging market for account hijacking. In: The World Wide Web Conference. WWW 2019, pp. 1279–1289. ACM, San Francisco, California, USA, May 2019

    Google Scholar 

  37. Pal, B., Daniel, T., Chatterjee, R., Ristenpart, T.: Beyond credential stuffing: password similarity models using neural networks. In: IEEE Symposium on Security and Privacy. SP 2019, pp. 866–883. IEEE, San Francisco, California, USA, May 2019

    Google Scholar 

  38. Pearman, S., et al.: Let’s go in for a closer look: observing passwords in their natural habitat. In: ACM Conference on Computer and Communications Security. CCS 2017, pp. 295–310. ACM, Dallas, Texas, USA, Oct 2017

    Google Scholar 

  39. Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 241–270. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_9

    Chapter  Google Scholar 

  40. Roetteler, M., Svore, K.M.: Quantum computing: codebreaking and beyond. IEEE Secur. Privacy 16(5), 22–36 (2018)

    Article  Google Scholar 

  41. Shay, R., et al.: A spoonful of sugar?: The impact of guidance and feedback on password-creation behavior. In: ACM Conference on Human Factors in Computing Systems. CHI 2015, pp. 2903–2912. ACM, Seoul, Republic of Korea, April 2015

    Google Scholar 

  42. Shay, R., et al.: Can long passwords be secure and usable? In: ACM Conference on Human Factors in Computing Systems. CHI 2014, pp. 2927–2936. ACM, Toronto, Ontario, Canada, April 2014

    Google Scholar 

  43. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: IEEE Annual Symposium on Foundations of Computer Science. FOCS 1994, pp. 124–134. IEEE, Santa Fe, New Mexico, USA, November 1994

    Google Scholar 

  44. Tan, J., Bauer, L., Christin, N., Cranor, L.F.: Definitive recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blacklist requirements. In: ACM Conference on Computer and Communications Security. CCS 2020, pp. 1407–1426. ACM, Virtual Event, USA, November 2020

    Google Scholar 

  45. Ur, B., Bees, J., Segreti, S.M., Bauer, L., Christin, N., Cranor, L.F.: Do users’ perceptions of password security match reality? In: ACM Conference on Human Factors in Computing Systems. CHI 2016, pp. 3748–3760. ACM, Santa Clara, California, USA, May 2016

    Google Scholar 

  46. Ur, B., et al.: “I Added ‘!’ at the end to make it secure”: observing password creation in the lab. In: Symposium on Usable Privacy and Security, pp. 123–140. SOUPS 2015, USENIX, Ottawa, Ontario, Canada, July 2015

    Google Scholar 

  47. Veras, R., Collins, C., Thorpe, J.: On the semantic patterns of passwords and their security impact. In: Symposium on Network and Distributed System Security. NDSS 2014, ISOC, San Diego, California, USA, February 2014

    Google Scholar 

  48. Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12(11), 2776–2791 (2017)

    Article  Google Scholar 

  49. Wang, D., Wang, P.: On the implications of Zipf’s law in passwords. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 111–131. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_6

    Chapter  Google Scholar 

  50. Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: ACM Conference on Computer and Communications Security. CCS 2016, pp. 1242–1254. ACM, Vienna, Austria, October 2016

    Google Scholar 

  51. Wash, R., Radar, E., Berman, R., Wellmer, Z.: Understanding password choices: how frequently entered passwords are re-used across websites. In: Symposium on Usable Privacy and Security, pp. 175–188. SOUPS 2016, USENIX, Denver, Colorado, USA, July 2016

    Google Scholar 

  52. Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Privacy 2(5), 25–31 (2004)

    Article  Google Scholar 

  53. Zipf, G.K.: Human Behavior and the Principle of Least Effort: An Introduction to Human Ecology. Addison-Wesley Press, Cambridge (1949)

    Google Scholar 

  54. Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Comput. J. 36(3), 227–237 (1993)

    Article  Google Scholar 

Download references

Acknowledgments

This research was supported by the research training group “Human Centered Systems Security” sponsored by the state of North Rhine-Westphalia and funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA – 390781972.

Author information

Authors and Affiliations

  1. Ruhr University Bochum, Bochum, Germany

    Markus Dürmuth, Philipp Markert, Alexander May & Lars Schlieper

  2. Max Planck Institute for Security and Privacy, Bochum, Germany

    Maximilian Golla

Authors
  1. Markus Dürmuth
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Maximilian Golla
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Philipp Markert
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Alexander May
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Lars Schlieper
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Lars Schlieper .

Editor information

Editors and Affiliations

  1. University of Padua, Padua, Italy

    Mauro Conti

  2. Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

    Marc Stevens

  3. AIT Austrian Institute of Technology, Vienna, Austria

    Stephan Krenn

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Dürmuth, M., Golla, M., Markert, P., May, A., Schlieper, L. (2021). Towards Quantum Large-Scale Password Guessing on Real-World Distributions. In: Conti, M., Stevens, M., Krenn, S. (eds) Cryptology and Network Security. CANS 2021. Lecture Notes in Computer Science(), vol 13099. Springer, Cham. https://doi.org/10.1007/978-3-030-92548-2_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-92548-2_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92547-5

  • Online ISBN: 978-3-030-92548-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation