Attack on Students’ Passwords, Findings and Recommendations

  • Przemysław Rodwald
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 987)

Abstract

Passwords are still the most widespread method of authentication. It is well known and very common for users to create weak passwords. We decided to check the strength of passwords of real systems by cracking MD5 hashes. The results have dismayed us given that 94.94% of passwords were cracked within just a few days. In order to understand the results of cracking better, we asked students about their password conventions, and the strength of selected passwords. We report herein on the most interesting findings as well as their recommendations.

Keywords

Passwords, Cracking passwords, Computer security

Notes

Acknowledgments

We have obtained approval for this research from the Rector of the Polish Naval Academy in Gdynia. The author wishes to thank Pawel Wierciszewski, a student, for his help in conducting this survey among students from PNA.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Polish Naval Academy, Gdynia, Poland
