Abstract
Users are required and expected to generate and remember numerous good passwords, a challenge that is next to impossible without a systematic approach to the task. Associative passwords in combination with guidelines for the construction of 'Word', 'Mixed', and 'Non-word' passwords have been validated as an effective approach to creating strong, memorable passwords. The strength of associative passwords has previously been assessed by entropy-based metrics. This paper evaluates the strength of a set of collected associative passwords using a variety of password-cracking techniques. Analysis of the cracking sessions shows that current techniques for cracking passwords are not effective against associative passwords.
Keywords
- Personal Factor
- Authentication Scheme
- Mother Tongue
- Association Element
- Primary Association
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Helkala, K., Svendsen, N.K., Thorsheim, P., Wiehe, A. (2012). Cracking Associative Passwords. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_11
DOI: https://doi.org/10.1007/978-3-642-34210-3_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3
eBook Packages: Computer Science, Computer Science (R0)
