Security and Communication Networks
Volume 2018, Article ID 6160125, 12 pages
https://doi.org/10.1155/2018/6160125
Research Article

An Alternative Method for Understanding User-Chosen Passwords

¹School of Electronic and Computer Engineering, Peking University Shenzhen Graduate School, Shenzhen 518055, China
²School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China
³School of Software and Microelectronics, Peking University, Beijing 102600, China
⁴National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China
⁵Key Laboratory of High Confidence Software Technologies (PKU), Ministry of Education, Beijing 100871, China

Correspondence should be addressed to Ping Wang; pwang@pku.edu.cn

Received 30 August 2017; Revised 2 December 2017; Accepted 27 December 2017; Published 28 January 2018

Academic Editor: Qi Jiang

Copyright © 2018 Zhixiong Zheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Linked References

  1. Z. Zhao, G.-J. Ahn, and H. Hu, “Picture gesture authentication: empirical analysis, automated attacks, and scheme evaluation,” ACM Transactions on Information and System Security, vol. 17, no. 4, article 14, 37 pages, 2015.
  2. A. K. Jain, A. Ross, and S. Pankanti, “Biometrics: a tool for information security,” IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125–143, 2006.
  3. N. Zheng, A. Paloski, and H. Wang, “An efficient user verification system via mouse movements,” in Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 139–150, ACM, October 2011.
  4. D. Florencio and C. Herley, “A large-scale study of web password habits,” in Proceedings of the 16th International World Wide Web Conference (WWW '07), pp. 657–666, ACM, May 2007.
  5. J. Yan, A. F. Blackwell, R. J. Anderson, and A. Grant, “Password memorability and security: empirical results,” IEEE Security & Privacy, vol. 2, no. 5, pp. 25–31, 2004.
  6. W. Cheswick, “Rethinking passwords,” Communications of the ACM, vol. 56, no. 2, pp. 40–44, 2013.
  7. J. Bonneau, C. Herley, P. C. Van Oorschot, and F. Stajano, “Passwords and the evolution of imperfect authentication,” Communications of the ACM, vol. 58, no. 7, pp. 78–87, 2015.
  8. J. Bonneau, C. Herley, P. C. Van Oorschot, and F. Stajano, “The quest to replace passwords: a framework for comparative evaluation of web authentication schemes,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy (SP '12), pp. 553–567, IEEE, San Francisco, Calif, USA, May 2012.
  9. D. Wang, H. Cheng, P. Wang, and X. Huang, “Understanding passwords of Chinese users: characteristics, security and implications. CACR report,” in Proceedings of the ChinaCrypt 2015, 2015, http://t.cn/RG8RacH.
  10. A. Adams and M. A. Sasse, “Users are not the enemy,” Communications of the ACM, vol. 42, no. 12, pp. 40–46, 1999.
  11. A. Beautement, M. A. Sasse, and M. Wonham, “The compliance budget: managing security behaviour in organisations,” in Proceedings of the Workshop on New Security Paradigms (NSPW '08), pp. 47–58, ACM, Lake Tahoe, Calif, USA, September 2008.
  12. D. Wang, D. He, H. Cheng, and P. Wang, “FuzzyPSM: a new password strength meter using fuzzy probabilistic context-free grammars,” in Proceedings of the 46th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN '16), pp. 595–606, IEEE, July 2016.
  13. L. Wang, Y. Li, and K. Sun, “Amnesia: a bilateral generative password manager,” in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems (ICDCS '16), pp. 313–322, IEEE, June 2016.
  14. D. McCarney, D. Barrera, J. Clark, S. Chiasson, and P. C. Van Oorschot, “Tapas: design, implementation, and usability evaluation of a password manager,” in Proceedings of the 28th Annual Computer Security Applications Conference, pp. 89–98, ACM, December 2012.
  15. B. Ives, K. R. Walsh, and H. Schneider, “The domino effect of password reuse,” Communications of the ACM, vol. 47, no. 4, pp. 75–78, 2004.
  16. D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf's law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
  17. M. Weir, S. Aggarwal, B. De Medeiros, and B. Glodek, “Password cracking using probabilistic context-free grammars,” in Proceedings of the 30th IEEE Symposium on Security and Privacy, pp. 391–405, IEEE, May 2009.
  18. S. Houshmand and S. Aggarwal, “Building better passwords using probabilistic techniques,” in Proceedings of the 28th Annual Computer Security Applications Conference, pp. 109–118, ACM, December 2012.
  19. R. Veras, C. Collins, and J. Thorpe, “On the semantic patterns of passwords and their security impact,” in Proceedings of the Network and Distributed System Security Symposium (NDSS '14), San Diego, Calif, USA, 2014.
  20. M. Dell'Amico and M. Filippone, “Monte Carlo strength evaluation: fast and reliable password checking,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 158–169, ACM, October 2015.
  21. R. Morris and K. Thompson, “Password security: a case history,” Communications of the ACM, vol. 22, no. 11, pp. 594–597, 1979.
  22. D. V. Klein, “Foiling the cracker: a survey of, and improvements to, password security,” in Proceedings of the 2nd USENIX Security Workshop, pp. 5–14, 1990.
  23. John the ripper password cracker—openwall, http://www.openwall.com/john/.
  24. hashcat—advanced password recovery, https://hashcat.net/hashcat/.
  25. J. Ma, W. Yang, M. Luo, and N. Li, “A study of probabilistic password models,” in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 689–704, IEEE, May 2014.
  26. R. Veras, J. Thorpe, and C. Collins, “Visualizing semantics in passwords: the role of dates,” in Proceedings of the 9th International Symposium on Visualization for Cyber Security, pp. 88–95, ACM, October 2012.
  27. M. Weir, S. Aggarwal, M. Collins, and H. Stern, “Testing metrics for password creation policies by attacking large sets of revealed passwords,” in Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 162–175, ACM, October 2010.
  28. C. Castelluccia, M. Dürmuth, and D. Perito, “Adaptive password-strength meters from Markov models,” in Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS '12), February 2012.
  29. J. Bonneau, “The science of guessing: analyzing an anonymized corpus of 70 million passwords,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy (SP '12), pp. 538–552, IEEE, San Francisco, Calif, USA, May 2012.
  30. Z. Li, W. Han, and W. Xu, “A large-scale empirical analysis of Chinese web passwords,” in Proceedings of the USENIX Security Symposium, pp. 559–574, 2014.
  31. B. L. Riddle, M. S. Miron, and J. A. Semo, “Passwords in use in a university timesharing environment,” Computers & Security, vol. 8, no. 7, pp. 569–579, 1989.
  32. R. Shay, S. Komanduri, P. G. Kelley et al., “Encountering stronger password requirements: user attitudes and behaviors,” in Proceedings of the 6th Symposium on Usable Privacy and Security, vol. 2, ACM, July 2010.
  33. Y. Zhang, F. Monrose, and M. K. Reiter, “The security of modern password expiration: an algorithmic framework and empirical analysis,” in Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 176–186, October 2010.
  34. X. Guo, H. Chen, X. Liu, X. Xu, and Z. Chen, “The scale-free network of passwords: visualization and estimation of empirical passwords,” https://arxiv.org/abs/1511.08324.
  35. S. Perez, “Recently confirmed Myspace hack could be the largest yet,” May 2016.
  36. V. I. Levenshtein, “Binary codes capable of correcting deletions, insertions, and reversals,” Soviet Physics—Doklady, vol. 10, no. 8, pp. 707–710, 1966.
  37. A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, “The tangled web of password reuse,” in Proceedings of the Network and Distributed System Security Symposium (NDSS '14), vol. 14, pp. 23–26, 2014.
  38. graph-tool: efficient network analysis with python, https://graph-tool.skewed.de/.
  39. A. Vance, “If your password is 123456, just make it hackme,” The New York Times, vol. 20, p. A1, 2010.
  40. S. Schechter, C. Herley, and M. Mitzenmacher, “Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks,” in Proceedings of the 5th USENIX Conference on Hot Topics in Security, pp. 1–8, USENIX Association, 2010.