
Cracking Associative Passwords

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7617)

Abstract

Users are required and expected to generate and remember numerous good passwords, a challenge that is next to impossible without a systematic approach to the task. Associative passwords, in combination with guidelines for the construction of 'Word', 'Mixed', and 'Non-word' passwords, have been validated as an effective approach to creating strong, memorable passwords. The strength of associative passwords has previously been assessed by entropy-based metrics. This paper evaluates the strength of a set of collected associative passwords using a variety of password-cracking techniques. Analysis of the cracking sessions shows that current techniques for cracking passwords are not effective against associative passwords.

Keywords

  • Personal Factor
  • Authentication Scheme
  • Mother Tongue
  • Association Element
  • Primary Association

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Helkala, K., Svendsen, N.K., Thorsheim, P., Wiehe, A. (2012). Cracking Associative Passwords. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_11

  • DOI: https://doi.org/10.1007/978-3-642-34210-3_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34209-7

  • Online ISBN: 978-3-642-34210-3

  • eBook Packages: Computer Science, Computer Science (R0)