
Understanding user passwords through password prefix and postfix (P3) graph analysis and visualization

  • Regular contribution
  • International Journal of Information Security

Abstract

While other authentication methods exist, passwords are still the dominant method of user authentication and system security. Over the years, passwords have become long and complex thanks to security policy and awareness. However, the security of user passwords remains unclear. Therefore, understanding users' passwords is vital to improving the strength of passwords and system security in general. In this paper, we investigate one specific pattern, i.e., the prefix and postfix of user passwords. To facilitate password prefix and postfix (P3) analysis, we propose hierarchical segmentation/optimization algorithms, password prefix/postfix graph (P3G) construction, and P3G visualizations. Through a case study of real-world user passwords, we demonstrate that P3 analysis and visualization are effective in identifying unique patterns for different user categories. The results suggest strong correlations between prefixes/postfixes and their context in user passwords.



Author information

Corresponding author

Correspondence to Qi Liao.

Ethics declarations

Conflict of Interest

Authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Yu, X., Liao, Q. Understanding user passwords through password prefix and postfix (P3) graph analysis and visualization. Int. J. Inf. Secur. 18, 647–663 (2019). https://doi.org/10.1007/s10207-019-00432-3

  • DOI: https://doi.org/10.1007/s10207-019-00432-3
