Cracking Associative Passwords

  • Kirsi Helkala
  • Nils Kalstad Svendsen
  • Per Thorsheim
  • Anders Wiehe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7617)


Users are required and expected to generate and remember numerous good passwords, a challenge that is next to impossible without a systematic approach to the task. Associative passwords, in combination with guidelines for the construction of 'Word', 'Mixed', and 'Non-word' passwords, have been validated as an effective approach to creating strong, memorable passwords. The strength of associative passwords has previously been assessed by entropy-based metrics. This paper evaluates the strength of a set of collected associative passwords using a variety of password-cracking techniques. Analysis of the cracking sessions shows that current techniques for cracking passwords are not effective against associative passwords.


Keywords: Personal Factor; Authentication Scheme; Mother Tongue; Association Element; Primary Association
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kirsi Helkala (1)
  • Nils Kalstad Svendsen (1)
  • Per Thorsheim (2)
  • Anders Wiehe (1)

  1. Gjøvik University College, Norway
  2. EVRY Consulting, Norway
