DOI: 10.1145/3308558.3313690
research-article

What is in Your Password? Analyzing Memorable and Secure Passwords using a Tensor Decomposition

Published: 13 May 2019

ABSTRACT

Several past studies have analyzed password strength and structure. However, many open questions remain about what really makes passwords both memorable and strong. In this work, we aim to answer some of these questions by analyzing a password dataset from the perspectives of data science and machine learning. We use a dataset of 3,260 memorable passwords collected from prior IRB-approved user studies over 3 years and classify the passwords into three strength groups using online and offline attack limits. Then, we apply a tensor decomposition to analyze the password dataset by constructing a 3rd-order tensor from the passwords' syntactic and semantic features. In particular, we used the PARAFAC2 tensor decomposition to uncover the main characteristics and features that affect password strength. We quantitatively identified the underlying factors that are more frequently observed in strong and memorable passwords. We hope that our findings can validate widely accepted advice for creating strong passwords and provide useful insights for designing a better password suggestion system.

  • Published in

    WWW '19: The World Wide Web Conference
    May 2019
    3620 pages
    ISBN: 9781450366748
    DOI: 10.1145/3308558

    Copyright © 2019 ACM

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • research-article
    • Research
    • Refereed limited

    Acceptance Rates

    Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%
