Abstract
The degree to which passwords are robust to guessing has become one of the fundamental interests in password research. For example, a method has been proposed to calculate the robustness of password guessing as a password’s strength and provide feedback. Measuring guessing robustness has been studied from several perspectives, but most studies are based on password datasets from US and European users. On the other hand, several studies have shown that the characteristics of passwords differ between countries and regions. However, there needs to be a more extensive analysis of guess-robustness due to differences in these data sets. In this study, a large password dataset was used to analyze the password characteristics of countries and regions from the perspective of guess-robustness. The results revealed differences in guess-robustness between countries and regions, as well as differences in guess-robustness given by the datasets used in the dictionary.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Tan, J., et al.: Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements. ACM (CCS 2020) (2020)
Mori, K., et al.: Comparative analysis of three language spheres: are linguistic and cultural differences reflected in password selection habits? IEICE Trans. Inf. Sys. (2020)
Weir, M., et al.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (2010)
Zhang, Y., Monrose, F., Reiter, M.K.: The security of modern password expiration: an algorithmic framework and empirical analysis. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (2010)
Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy. IEEE (2012)
Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: 21st USENIX Security Symposium (USENIX Security 2012) (2012)
Wheeler, D.L.: zxcvbn: low-budget password strength estimation. In: 25th USENIX Security Symposium (USENIX Security 2016) (2016)
Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: 2010 Proceedings IEEE INFOCOM. IEEE (2010)
Castelluccia, C., DĂĽrmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. In: NDSS (2012)
Ur, B., et al.: Measuring real-world accuracies and biases in modeling password guessability. In: 24th USENIX Security Symposium (USENIX Security 2015) (2015)
Golla, M., DĂĽrmuth, M.: On the accuracy of password strength meters. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (2018)
Pasquini, D., et al.: Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries. In: 30th USENIX Security Symposium (USENIX Security 2021) (2021)
Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: Proc. 23rd USENIX Security Symposium, pp. 559–574 (2014)
Luku, I.: 1.4 billion user credentials found on the dark web. IT governance. https://www.itgovernanceusa.com/blog/1-4-billion-user-credentials-list-found-in-the-dark-web. Accessed 23 May 2022
JPNIC: Domain name type. https://www.nic.ad.jp/ja/dom/types.html. Accessed 09 Feb 2023
Acknowledgements
This work was supported by JST, CREST Grant Number JPMJCR22M4, Japan.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
A List of TLDs Excluded from Evaluation in this Study
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Kurasaki, S., Kanaoka, A. (2023). Analysis of Country and Regional User Password Characteristics in Dictionary Attacks. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2023. Lecture Notes in Computer Science, vol 14045. Springer, Cham. https://doi.org/10.1007/978-3-031-35822-7_42
Download citation
DOI: https://doi.org/10.1007/978-3-031-35822-7_42
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-35821-0
Online ISBN: 978-3-031-35822-7
eBook Packages: Computer ScienceComputer Science (R0)