Unrevealed Patterns in Password Databases Part One: Analyses of Cleartext Passwords

  • Norbert Tihanyi
  • Attila Kovács
  • Gergely Vargha
  • Ádám Lénárt
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9393)

Abstract

In this paper we present regression-based analyses of cleartext passwords, moving towards an efficient password cracking methodology. Hundreds of available databases were examined, and it was observed that they behaved similarly regardless of their size: password length distribution, entropy and letter frequencies show similar characteristics in each database. Exploiting these characteristics, a huge number of cleartext passwords were analyzed in order to design more sophisticated brute-force attack methods. New patterns are exposed by analyzing millions of cleartext passwords.
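The per-database characteristics the abstract names (length distribution, character entropy, letter frequencies and composition) can be computed for any password set under audit; the Python below is an added illustration written for this page, not code from the paper, and it runs on a constructed sample list rather than on any of the databases the authors examined.

```python
from collections import Counter
import math

# Constructed sample of cleartext passwords (not taken from any real
# database); a real audit would read one dump or one policy's password set.
SAMPLE_PASSWORDS = [
    "password", "123456", "qwerty", "letmein1", "Budapest2014",
    "sunshine", "abc123", "iloveyou", "monkey", "dragon99",
]

def length_distribution(passwords):
    """Fraction of the dataset at each password length, sorted by length."""
    counts = Counter(len(p) for p in passwords)
    total = len(passwords)
    return {n: c / total for n, c in sorted(counts.items())}

def char_frequencies(passwords):
    """Relative frequency of every character across all passwords."""
    counts = Counter(ch for p in passwords for ch in p)
    total = sum(counts.values())
    return {ch: c / total for ch, c in counts.items()}

def shannon_entropy_bits(freqs):
    """Shannon entropy, in bits per character, of a character distribution."""
    return -sum(f * math.log2(f) for f in freqs.values() if f > 0)

def composition_classes(passwords):
    """Fraction of passwords that are all-lowercase, all-digit, or mixed."""
    classes = Counter()
    for p in passwords:
        if p.isdigit():
            classes["digit"] += 1
        elif p.isalpha() and p.islower():
            classes["lower"] += 1
        else:
            classes["mixed"] += 1
    total = len(passwords)
    return {k: classes[k] / total for k in ("lower", "digit", "mixed")}

def summarize(passwords):
    """One record of the per-database characteristics the abstract names."""
    freqs = char_frequencies(passwords)
    return {
        "length_distribution": length_distribution(passwords),
        "entropy_bits_per_char": shannon_entropy_bits(freqs),
        "composition": composition_classes(passwords),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PASSWORDS).items():
        print(key, value)
```

Running the same summary over several datasets and comparing the records is the comparison the abstract describes; a strong skew towards one length or one composition class is what makes a dataset cheap to guess.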

Keywords

  • Password analyzing
  • Patterns
  • Cracking method

Notes

Acknowledgment

We would like to thank the Hungarian NSA for the opportunity to access unpublished Hungarian databases that cannot be found on the internet. The databases originate from different vulnerability assessments and security hardening projects conducted by the National Security Authority of Hungary. For this project only truncated databases were provided. This means that the databases do not contain any additional personal information about users, so it cannot be determined to whom a password belongs. The password analysis and the publication of this article were made with the authorization of the Hungarian NSA.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Norbert Tihanyi (1, 2, 3)
  • Attila Kovács (2)
  • Gergely Vargha (1, 3)
  • Ádám Lénárt (1, 3)

  1. HUNGUARD Ltd., Budapest, Hungary
  2. Department of Computer Algebra, Eötvös Loránd University, Budapest, Hungary
  3. National Security Authority of Hungary, Cyber Defence Management Authority, Budapest, Hungary