Analysis of Country and Regional User Password Characteristics in Dictionary Attacks

Kurasaki, Shodai; Kanaoka, Akira

doi:10.1007/978-3-031-35822-7_42

Shodai Kurasaki⁸ &
Akira Kanaoka⁸

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14045))

Included in the following conference series:

International Conference on Human-Computer Interaction

812 Accesses

Abstract

The degree to which passwords are robust to guessing has become one of the fundamental interests in password research. For example, a method has been proposed to calculate the robustness of password guessing as a password’s strength and provide feedback. Measuring guessing robustness has been studied from several perspectives, but most studies are based on password datasets from US and European users. On the other hand, several studies have shown that the characteristics of passwords differ between countries and regions. However, there needs to be a more extensive analysis of guess-robustness due to differences in these data sets. In this study, a large password dataset was used to analyze the password characteristics of countries and regions from the perspective of guess-robustness. The results revealed differences in guess-robustness between countries and regions, as well as differences in guess-robustness given by the datasets used in the dictionary.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 89.00; Price excludes VAT (USA)

Softcover Book: USD 119.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Tan, J., et al.: Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements. ACM (CCS 2020) (2020)
Google Scholar
Mori, K., et al.: Comparative analysis of three language spheres: are linguistic and cultural differences reflected in password selection habits? IEICE Trans. Inf. Sys. (2020)
Google Scholar
Weir, M., et al.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (2010)
Google Scholar
Zhang, Y., Monrose, F., Reiter, M.K.: The security of modern password expiration: an algorithmic framework and empirical analysis. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (2010)
Google Scholar
Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy. IEEE (2012)
Google Scholar
Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: 21st USENIX Security Symposium (USENIX Security 2012) (2012)
Google Scholar
Wheeler, D.L.: zxcvbn: low-budget password strength estimation. In: 25th USENIX Security Symposium (USENIX Security 2016) (2016)
Google Scholar
Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: 2010 Proceedings IEEE INFOCOM. IEEE (2010)
Google Scholar
Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. In: NDSS (2012)
Google Scholar
Ur, B., et al.: Measuring real-world accuracies and biases in modeling password guessability. In: 24th USENIX Security Symposium (USENIX Security 2015) (2015)
Google Scholar
Golla, M., Dürmuth, M.: On the accuracy of password strength meters. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (2018)
Google Scholar
Pasquini, D., et al.: Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries. In: 30th USENIX Security Symposium (USENIX Security 2021) (2021)
Google Scholar
Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: Proc. 23rd USENIX Security Symposium, pp. 559–574 (2014)
Google Scholar
Luku, I.: 1.4 billion user credentials found on the dark web. IT governance. https://www.itgovernanceusa.com/blog/1-4-billion-user-credentials-list-found-in-the-dark-web. Accessed 23 May 2022
JPNIC: Domain name type. https://www.nic.ad.jp/ja/dom/types.html. Accessed 09 Feb 2023

Download references

Acknowledgements

This work was supported by JST, CREST Grant Number JPMJCR22M4, Japan.

Author information

Authors and Affiliations

Toho University, Miyama 2-2-1, Funabashi, Chiba, 274-8510, Japan
Shodai Kurasaki & Akira Kanaoka

Authors

Shodai Kurasaki
View author publications
You can also search for this author in PubMed Google Scholar
Akira Kanaoka
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Akira Kanaoka .

Editor information

Editors and Affiliations

San Jose State University, San Jose, CA, USA
Abbas Moallem

Appendices

Appendix

A List of TLDs Excluded from Evaluation in this Study

Table 15. List of TLDs excluded from evaluation in this study

Full size table

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Kurasaki, S., Kanaoka, A. (2023). Analysis of Country and Regional User Password Characteristics in Dictionary Attacks. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2023. Lecture Notes in Computer Science, vol 14045. Springer, Cham. https://doi.org/10.1007/978-3-031-35822-7_42

Download citation

DOI: https://doi.org/10.1007/978-3-031-35822-7_42
Published: 09 July 2023
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-35821-0
Online ISBN: 978-3-031-35822-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics