
A Novel Metric for Password Security Risk Against Dictionary Attacks

  • Conference paper
  • Information Security Applications (WISA 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13720)

Abstract

Passwords are still the most widely used method of user authentication in information systems, and they play an important role in practical security. Although researchers have discovered various vulnerabilities in the use of passwords, this authentication method is still in frequent use. The main issue with passwords is their quality or strength, i.e., how hard they are for an attacker to guess, and various password strength metrics have been proposed so far. In this paper, we propose a new metric for password strength that takes into account the risk of dictionary attacks. We create datasets from leaked password lists and regard them as Markov information sources. We then calculate the self-information of a password and compare it to a threshold value we specify in order to determine the password's strength. With this numerical value, we can quantify how much risk a password carries against dictionary attacks, and we can easily compare the strength of several passwords. Through experimental results, we show that our method is very effective, does not require large computational resources, and can effectively help users create stronger passwords.
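The abstract describes the metric only in outline: treat a leaked password list as a Markov information source, compute the self-information of a candidate password under that source, and compare it to a threshold. The following is an added illustration of that idea, not the authors' code: it trains a first-order character Markov model on a small constructed "leak", scores passwords in bits of self-information, and classifies them against a threshold. The model order, the Laplace smoothing used for transitions never seen in the leak, the tiny training list, and the example threshold of 30 bits are all assumptions made here; the paper's actual datasets and threshold choice are not on this page.

```python
import math
from collections import Counter, defaultdict

START = "\x02"  # virtual symbol before the first character
END = "\x03"    # virtual symbol after the last character


class MarkovPasswordModel:
    """First-order Markov source estimated from a list of leaked passwords.

    Self-information of a password is -log2 of its probability under the
    source: the fewer bits, the closer the password sits to what the leak
    already contains, i.e. the easier a dictionary attack finds it.
    """

    def __init__(self, leaked_passwords, alpha=1.0):
        # counts[prev][ch] = how often 'ch' follows 'prev' in the leak
        self.counts = defaultdict(Counter)
        alphabet = set()
        for pw in leaked_passwords:
            prev = START
            for ch in pw:
                self.counts[prev][ch] += 1
                alphabet.add(ch)
                prev = ch
            self.counts[prev][END] += 1
        self.alpha = alpha  # Laplace smoothing (assumption, not the paper's choice)
        self.vocab_size = len(alphabet) + 1  # alphabet plus END

    def transition_prob(self, prev, ch):
        row = self.counts.get(prev, Counter())
        total = sum(row.values())
        # Smoothing keeps unseen transitions (e.g. characters absent from the
        # leak) at a small nonzero probability instead of infinite bits.
        return (row[ch] + self.alpha) / (total + self.alpha * self.vocab_size)

    def self_information(self, password):
        """Bits of self-information of 'password' under the leak-derived source."""
        bits = 0.0
        prev = START
        for ch in password + END:
            bits -= math.log2(self.transition_prob(prev, ch))
            prev = ch
        return bits


def classify(model, password, threshold_bits):
    """'weak' if the password is below the bit threshold, else 'strong'."""
    return "weak" if model.self_information(password) < threshold_bits else "strong"


def rank_by_risk(model, passwords):
    """Passwords ordered from most to least at risk (fewest bits first)."""
    return sorted(passwords, key=model.self_information)


# Constructed stand-in for a leaked password list (not real breach data).
CONSTRUCTED_LEAK = [
    "password", "password1", "123456", "qwerty",
    "letmein", "password123", "abc123",
]
EXAMPLE_THRESHOLD_BITS = 30.0  # assumed value for illustration


def demo():
    model = MarkovPasswordModel(CONSTRUCTED_LEAK)
    results = {}
    for pw in ["password", "passw0rd", "Xk9#vQ2!"]:
        results[pw] = (round(model.self_information(pw), 2),
                       classify(model, pw, EXAMPLE_THRESHOLD_BITS))
    return results


if __name__ == "__main__":
    for pw, (bits, label) in demo().items():
        print(f"{pw!r}: {bits} bits -> {label}")
```

Because the score is a plain number of bits, several candidate passwords can be ranked against the same leak with `rank_by_risk`, which is the comparison the abstract mentions; a real deployment would train on the full leaked lists the paper uses and pick the threshold from those data rather than the fixed value assumed above.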



Author information

Corresponding author: Binh Le Thanh Thai

Copyright information

© 2023 Springer Nature Switzerland AG

Cite this paper

Le Thanh Thai, B., Tanaka, H. (2023). A Novel Metric for Password Security Risk Against Dictionary Attacks. In: You, I., Youn, TY. (eds) Information Security Applications. WISA 2022. Lecture Notes in Computer Science, vol 13720. Springer, Cham. https://doi.org/10.1007/978-3-031-25659-2_21

  • DOI: https://doi.org/10.1007/978-3-031-25659-2_21
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-25658-5
  • Online ISBN: 978-3-031-25659-2
  • eBook Packages: Computer Science (R0)