Abstract
Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users choose hard-to-guess passwords and thus strengthens systems that rely on password authentication. Although many password strength metrics and tools exist, none of them produces an objective measurement: their policies are inconsistent and they rely on different dictionaries. In this work, we analyzed the password policies and checkers of the top 100 popular websites selected from the Alexa rankings. The checkers are inconsistent and may assign the same password different strength labels, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers can exploit these inconsistencies to crack the protected systems more easily. A single metric or a local training set is therefore not enough to build a robust and secure password checker. Based on these observations, we proposed Hybritus, which integrates the strategies and views of different websites into a global and robust model of the attacker using multilayer perceptron (MLP) neural networks. Our data set comprises more than 3.3 million passwords taken from leaked, transformed and randomly generated dictionaries. The data set was sent to 10 website checkers to obtain their feedback on the strength of each password, labeled as strong, medium or weak. We then used term frequency-inverse document frequency (TF-IDF) features of the passwords to train and test Hybritus. The experimental results show that the accuracy of password strength checking reaches 97.7%, and exceeds 94% even when the model is trained with only ten thousand passwords. A user study shows that Hybritus is usable as well as secure.
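As an added illustration (not code from the paper, and not the checkers of the websites it studied), the following Python builds two deliberately different rule-based checkers that label the same passwords differently, which is the inconsistency the abstract describes, and then turns passwords into TF-IDF vectors over character trigrams, one plausible reading of the "features generated by TF-IDF" mentioned above. The paper does not state its tokenisation, so the trigram choice, the two toy checkers, the small leaked-word list and the sample passwords are all assumptions constructed here.

```python
"""Added example, not code from the Hybritus paper: two deliberately
different rule-based strength checkers that disagree on the same password,
and a hand-rolled TF-IDF featurizer over character trigrams of the kind a
model trained on checker feedback could consume. The checkers, the tiny
leaked-password list and the sample passwords are all constructed here.
"""
import math
import re
from collections import Counter

# Constructed stand-in for a leaked-password dictionary.
LEAKED = {"password", "123456", "qwerty", "letmein", "dragon", "iloveyou"}
# Common "leet" substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def checker_charset(pw: str) -> str:
    """Checker A: length plus number of character classes, the policy most
    signup forms implement. It knows nothing about dictionaries."""
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    if len(pw) >= 10 and classes >= 3:
        return "strong"
    if len(pw) >= 8 and classes >= 2:
        return "medium"
    return "weak"


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ('password123!'), undo leet."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def checker_dictionary(pw: str) -> str:
    """Checker B: a mangled dictionary word is weak no matter how many
    character classes it mixes; only length earns 'strong'."""
    if pw.lower() in LEAKED or normalize(pw) in LEAKED or len(pw) < 8:
        return "weak"
    return "strong" if len(pw) >= 14 else "medium"


def disagreements(passwords):
    """Passwords the two checkers label differently, with both labels."""
    out = []
    for pw in passwords:
        a, b = checker_charset(pw), checker_dictionary(pw)
        if a != b:
            out.append((pw, a, b))
    return out


def char_ngrams(pw: str, n: int = 3):
    """Character n-grams with boundary markers, case preserved."""
    padded = f"^{pw}$"
    return [padded[i:i + n] for i in range(len(padded) - n + 1)]


def tfidf_features(passwords, n: int = 3):
    """L2-normalised TF-IDF vectors over character n-grams (smoothed IDF,
    the convention scikit-learn's TfidfVectorizer uses by default).
    Returns (vocab, vectors) with every vector aligned to vocab order."""
    docs = [Counter(char_ngrams(pw, n)) for pw in passwords]
    df = Counter()
    for d in docs:
        df.update(d.keys())
    total_docs = len(docs)
    idf = {g: math.log((1 + total_docs) / (1 + df[g])) + 1 for g in df}
    vocab = sorted(idf)
    vectors = []
    for d in docs:
        length = sum(d.values())
        vec = [d[g] / length * idf[g] for g in vocab]  # Counter gives 0 if absent
        norm = math.sqrt(sum(v * v for v in vec)) or 1.0
        vectors.append([v / norm for v in vec])
    return vocab, vectors


# Constructed sample; "123456" is the only one both checkers agree on.
SAMPLE = ["P@ssw0rd123", "correcthorsebatterystaple", "Tr0ub4dor&3",
          "123456", "Summer2024!"]

if __name__ == "__main__":
    for pw, a, b in disagreements(SAMPLE):
        print(f"{pw:28s} charset={a:7s} dictionary={b}")
    vocab, vecs = tfidf_features(SAMPLE)
    top = sorted(zip(vecs[0], vocab), reverse=True)[:3]
    print("highest-weighted trigrams for", SAMPLE[0], top)
```

Run as a script, the first loop prints the four sample passwords on which the charset checker and the dictionary checker disagree, in both directions: a mangled dictionary word rated strong by one and weak by the other, and a long all-lowercase passphrase rated weak by one and strong by the other. A classifier such as the MLP in the paper would be trained on the TF-IDF vectors with the checkers' labels as targets; querying real website checkers over HTTP and the classifier itself are outside this example.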
Acknowledgements
The work reported in this paper was supported in part by National Key R&D Program of China (2017YFC0820100, 2017YFB0802805), and in part by the National Natural Science Foundation of China (Grant No. U1736114).
Author information
Yongzhong He is currently an associate professor in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He earned his PhD degree in computer science from the Chinese Academy of Sciences, China in 2006. He has authored or co-authored over 30 peer-reviewed papers in various journals and international conferences. His main research interests include system security, mobile security and big data security.
Endalew Elsabeth Alem received the BSc degree in computer science from Addis Ababa University, Ethiopia in 2010, and the MSc degree in computer science from the School of Computer and Information Technology, Beijing Jiaotong University, China in 2017. Her main research interests include computer and network security.
Wei Wang is currently a full professor in the School of Computer and Information Technology, Beijing Jiaotong University, China. He earned his PhD degree in control science and engineering from Xi’an Jiaotong University, China in 2006. He was a postdoctoral researcher at the University of Trento, Italy, from 2005 to 2006, and at TELECOM Bretagne and INRIA, France, from 2007 to 2008. He has visited INRIA, ETH, NTNU, CNR, and New York University Polytechnic. He has authored or co-authored over 80 peer-reviewed papers in various journals and international conferences. He is an editorial board member of Computers & Security and a young associate editor of Frontiers of Computer Science. His main research interests include mobile, computer and network security.
About this article
Cite this article
He, Y., Alem, E.E. & Wang, W. Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites. Front. Comput. Sci. 14, 143802 (2020). https://doi.org/10.1007/s11704-019-7342-y