On Practical Aspects of PCFG Password Cracking

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11559)


When users choose passwords to secure their computers, data, or Internet service accounts, they tend to create passwords that are easy to remember. Probabilistic methods for password cracking profit from this fact, and allow the attackers and forensic investigators to guess user passwords more precisely. In this paper, we present our additions to a technique based on probabilistic context-free grammars. By modification of existing principles, we show how to guess more passwords for the same time, and how to reduce the total number of guesses without significant impact on success rate.


Password Cracking Security Grammar 



The research presented in this paper is supported by “Integrated platform for analysis of digital data from security incidents” project, no. VI20172020062 granted by Ministry of the Interior of the Czech Republic and “ICT tools, methods and technologies for smart cities” project, no. FIT-S-17-3964 granted by Brno University of Technology. The work is also supported by Ministry of Education, Youth and Sports of the Czech Republic from the National Programme of Sustainability (NPU II) project “IT4Innovations excellence in science” LQ1602.


  1. 1.
    Bishop, M., Klein, D.V.: Improving system security via proactive password checking. Comput. Secur. 14(3), 233–249 (1995)CrossRefGoogle Scholar
  2. 2.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, pp. 538–552, May 2012.
  3. 3.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: NDSS 2014, pp. 23–26 (2014)Google Scholar
  4. 4.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 657–666. ACM, New York (2007).
  5. 5.
    Ginsburg, S.: The Mathematical Theory of Context Free Languages. McGraw-Hill Book Company, New York (1966)zbMATHGoogle Scholar
  6. 6.
    Houshmand, S., Aggarwal, S.: Using personal information in targeted grammar-based probabilistic password attacks. Advances in Digital Forensics XIII. IAICT, vol. 511, pp. 285–303. Springer, Cham (2017). Scholar
  7. 7.
    Houshmand, S., Aggarwal, S., Flood, R.: Next gen PCFG password cracking. IEEE Trans. Inf. Forensics Secur. 10(8), 1776–1791 (2015)CrossRefGoogle Scholar
  8. 8.
    Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537. IEEE (2012)Google Scholar
  9. 9.
    Ma, J., Yang, W., Luo, M., Li, N.: A study of probabilistic password models. In: 2014 IEEE Symposium on Security and Privacy, pp. 689–704 (2014).
  10. 10.
    Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 364–372. ACM, New York (2005).
  11. 11.
    Proctor, R.W., Lien, M.C., Vu, K.P.L., Schultz, E.E., Salvendy, G.: Improving computer security for authentication of users: influence of proactive password restrictions. Behav. Res. Methods Instrum. Comput. 34(2), 163–169 (2002)CrossRefGoogle Scholar
  12. 12.
    Veras, R., Collins, C., Thorpe, J.: On semantic patterns of passwords and their security impact. In: NDSS (2014)Google Scholar
  13. 13.
    Vu, K.P.L., Proctor, R.W., Bhargav-Spantzel, A., Tai, B.L.B., Cook, J., Schultz, E.E.: Improving password security and memorability to protect personal and organizational information. Int. J. Hum.-Comput. Stud. 65(8), 744–757 (2007). Scholar
  14. 14.
    Weir, C.M.: Using probabilistic techniques to aid in password cracking attacks. Ph.D. thesis, Florida State University (2010)Google Scholar
  15. 15.
    Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 391–405 (2009).

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. 1.Faculty of Information TechnologyBrno University of TechnologyBrnoCzech Republic

Personalised recommendations