Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites

Research Article, Frontiers of Computer Science

Abstract

Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users choose hard-to-guess passwords and enhances the security of systems based on password authentication. Although there are many password strength metrics and tools, none of them produces an objective measurement, because they rely on inconsistent policies and different dictionaries. In this work, we analyzed the password policies and checkers of the top 100 popular websites selected from the Alexa rankings. The checkers are inconsistent and may therefore assign different strength labels to the same password, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers can exploit these inconsistencies to crack the protected systems more easily. As such, a single metric or local training data is not enough to build a robust and secure password checker. Based on these observations, we propose Hybritus, which integrates the strategies and views of different websites into a global and robust model of the attacker using multilayer perceptron (MLP) neural networks. Our data set comprises more than 3.3 million passwords taken from leaked, transformed and randomly generated dictionaries. The data set was sent to 10 website checkers to obtain feedback on the strength of each password, labeled as strong, medium or weak. We then used password features generated by term frequency-inverse document frequency (TF-IDF) to train and test Hybritus. The experimental results show that the accuracy of password strength checking can be as high as 97.7%, and remains over 94% even when the model is trained with only ten thousand passwords. A user study shows that Hybritus is usable as well as secure.
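The pipeline the abstract describes has three stages: query several checkers with inconsistent policies, fold their verdicts into one label per password, and turn each password into a TF-IDF feature vector for a classifier. The block below is an added illustration, not code from the paper or from the Hybritus authors. The three checkers are constructed toy policies standing in for the real website checkers (which the paper queries over the network), the dictionary and sample passwords are constructed, the majority vote is an assumed label-fusion rule used here in place of the paper's MLP, and the TF-IDF variant (character bigrams, smoothed IDF) is an assumption; the paper does not specify its exact tokenization.

```python
"""Added example: inconsistent checkers, label fusion and TF-IDF features.
Checkers, dictionary and passwords are constructed stand-ins, not the paper's."""
import math
import re
from collections import Counter

LABELS = ("weak", "medium", "strong")

# Constructed checker policies. Each one weighs a different property, which is
# why the same password can receive three different labels.
def checker_length_only(pw):
    """Policy A: strength depends only on length."""
    if len(pw) < 8:
        return "weak"
    return "strong" if len(pw) >= 12 else "medium"

def checker_charset(pw):
    """Policy B: counts character classes; ignores length beyond a floor of 6."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, pw)) for p in patterns)
    if len(pw) < 6 or classes <= 1:
        return "weak"
    return "strong" if classes >= 3 else "medium"

DICTIONARY = {"password", "123456", "qwerty", "letmein", "dragon"}  # constructed

def checker_dictionary(pw):
    """Policy C: dictionary lookup after stripping a trailing digit suffix."""
    core = re.sub(r"\d+$", "", pw).lower()
    if core in DICTIONARY or pw.lower() in DICTIONARY:
        return "weak"
    return "medium" if len(pw) < 10 else "strong"

CHECKERS = (checker_length_only, checker_charset, checker_dictionary)

def query_checkers(pw):
    """Return the label each checker assigns, in CHECKERS order."""
    return [check(pw) for check in CHECKERS]

def ensemble_label(pw):
    """Assumed fusion rule: majority vote, ties resolved toward the weaker label."""
    votes = Counter(query_checkers(pw))
    best = max(votes.values())
    return next(label for label in LABELS if votes[label] == best)

def bigrams(pw):
    """Character bigrams are the 'terms' of a password document."""
    return [pw[i:i + 2] for i in range(len(pw) - 1)]

def tfidf_matrix(passwords):
    """Character-bigram TF-IDF with smoothed IDF: log((1+N)/(1+df)) + 1.
    Returns the sorted vocabulary, the IDF table and one sparse row per password."""
    docs = [Counter(bigrams(p)) for p in passwords]
    df = Counter()
    for doc in docs:
        df.update(doc.keys())
    n = len(docs)
    vocab = sorted(df)
    idf = {g: math.log((1 + n) / (1 + df[g])) + 1.0 for g in vocab}
    rows = []
    for doc in docs:
        total = sum(doc.values()) or 1          # guard single-char passwords
        rows.append({g: (c / total) * idf[g] for g, c in doc.items()})
    return vocab, idf, rows

def build_dataset(passwords):
    """Pair each password's TF-IDF row with its fused label (the training set)."""
    _, _, rows = tfidf_matrix(passwords)
    return [(row, ensemble_label(pw)) for pw, row in zip(passwords, rows)]

if __name__ == "__main__":
    sample = ["dragon", "Password1", "Tr0ub4dor&3xyzQ", "dragon123"]  # constructed
    for pw in sample:
        print(f"{pw:18} {query_checkers(pw)} -> {ensemble_label(pw)}")
```

Running it shows the inconsistency the abstract reports: "Password1" is rated medium, strong and weak by the three policies, while "dragon123" is voted medium even though the dictionary checker flags it, which is the kind of blind spot a plain vote inherits from the majority and that a trained model over the fused labels is meant to smooth out.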



Acknowledgements

The work reported in this paper was supported in part by National Key R&D Program of China (2017YFC0820100, 2017YFB0802805), and in part by the National Natural Science Foundation of China (Grant No. U1736114).

Author information

Correspondence to Wei Wang.

Additional information

Yongzhong He is currently an associate professor in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He earned his PhD degree in computer science from the Chinese Academy of Sciences, China in 2006. He has authored or co-authored over 30 peer-reviewed papers in various journals and international conferences. His main research interests include system security, mobile and big data security.

Endalew Elsabeth Alem received a BSc degree in computer science from Addis Ababa University, Ethiopia in 2010, and an MSc degree in computer science from the School of Computer and Information Technology, Beijing Jiaotong University, China in 2017. Her main research interests include computer and network security.

Wei Wang is currently a full professor in the School of Computer and Information Technology, Beijing Jiaotong University, China. He earned his PhD degree in control science and engineering from Xi’an Jiaotong University, China in 2006. He was a postdoctoral researcher at the University of Trento, Italy, from 2005 to 2006, and at TELECOM Bretagne and INRIA, France, from 2007 to 2008. He has visited INRIA, ETH, NTNU, CNR, and New York University Polytechnic. He has authored or co-authored over 80 peer-reviewed papers in various journals and international conferences. He is an editorial board member of Computers & Security and a Young Associate Editor of Frontiers of Computer Science. His main research interests include mobile, computer and network security.


Cite this article

He, Y., Alem, E.E. & Wang, W. Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites. Front. Comput. Sci. 14, 143802 (2020). https://doi.org/10.1007/s11704-019-7342-y
