Abstract
In this article, we present a thorough evaluation of semantic password grammars. We report multifactorial experiments that test the impact of sample size, probability smoothing, and linguistic information on password cracking. The semantic grammars are compared with state-of-the-art probabilistic context-free grammar (PCFG) and neural network models, and tested in cross-validation and A vs. B scenarios. We present results that reveal the contributions of part-of-speech (syntactic) and semantic patterns, and suggest that the former are more consequential to the security of passwords. Our results show that in many cases PCFGs are still competitive models compared to their latest neural network counterparts. In addition, we show that there is little performance gain in training PCFGs with more than 1 million passwords. We present qualitative analyses of four password leaks (Mate1, 000webhost, Comcast, and RockYou) based on trained semantic grammars, and derive graphical models that capture high-level dependencies between token classes. Finally, we confirm the similarity inferences from our qualitative analysis by examining the effectiveness of grammars trained and tested on all pairs of leaks.
- [n.d.]. Hashes.org—Shared Community Password Recovery. Retrieved September 28, 2019 from https://hashes.org.Google Scholar
- [n.d.]. LeakedSource Analysis of Mate1.com Hack. Retrieved May 1, 2018 from https://leakedsource.ru/blog/mate1.Google Scholar
- [n.d.]. LinkedIn Revisited—Full 2012 Hash Dump Analysis. Retrieved Septembet 28, 2019 from https://blog.korelogic.com/blog/2016/05/19/linkedin_passwords_2016.Google Scholar
- [n.d.]. Public Database Directory—Public DB Host. Retrieved May 1, 2018 from https://www.databases.today/.Google Scholar
- [n.d.]. StackOverflow—Developer Survey Results 2018. Retreived September28, 2018 from https://insights.stackoverflow.com/survey/2018#demographics.Google Scholar
- Stanley F. Chen and Joshua Goodman. 1999. An empirical study of smoothing techniques for language modeling. Computer Speech & Language 13, 4 (Oct. 1999), 359--393. DOI:https://doi.org/10.1006/csla.1999.0128Google Scholar
Digital Library
- Matteo Dell’Amico and Maurizio Filippone. 2015. Monte Carlo strength evaluation: Fast and reliable password checking. In Proc. 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, 158--169. DOI:https://doi.org/10.1145/2810103.2813631Google Scholar
Digital Library
- Roger Garside. 1996. The robust tagging of unrestricted text: The BNC experience. In Using Corpora for Language Research: Studies in the Honour of Geoffrey Leech, J. Thomas and M. Short (Eds.). Longman Publishing Group, 167.Google Scholar
- Briland Hitaj, Paolo Gasti, Giuseppe Ateniese, and Fernando Perez-Cruz. 2019. PassGAN: A deep learning approach for password guessing. In Applied Cryptography and Network Security, Robert H. Deng, Valérie Gauthier-Umaña, Martín Ochoa, and Moti Yung (Eds.). Springer International Publishing, Cham, 217--237.Google Scholar
- Shiva Houshmand, Sudhir Aggarwal, and Randy Flood. 2015. Next Gen PCFG password cracking.IEEE Trans. Information Forensics and Security 10, 8 (Aug. 2015), 1776--1791. DOI:https://doi.org/10.1109/tifs.2015.2428671Google Scholar
Digital Library
- Shouling Ji, Shukun Yang, Ting Wang, Changchang Liu, Wei-Han Lee, and Raheem Beyah. 2015. Pars: A uniform and open-source password analysis and research system. In Proc. 31st Annual Computer Security Applications Conference ACM, ACM Press, 321--330. DOI:https://doi.org/10.1145/2818000.2818018Google Scholar
Digital Library
- Saranga Komanduri. 2018. Modeling the Adversary to Evaluate Password Strength With Limited Samples. Ph.D. Dissertation. DOI:https://doi.org/10.1184/R1/6720701.v1Google Scholar
- Hang Li and Naoki Abe. 1998. Generalizing case frames using a thesaurus and the MDL principle. Comput. Linguist. 24, 2 (June 1998), 217--244.Google Scholar
- Jerry Ma, Weining Yang, Min Luo, and Ninghui Li. 2014. A study of probabilistic password models. In Proc. IEEE Symposium on Security and Privacy. IEEE, IEEE, 689--704. DOI:https://doi.org/10.1109/sp.2014.50Google Scholar
Digital Library
- Christopher D. Manning and Hinrich Schütze. 1999. Foundations of Statistical Natural Language Processing. MIT Press.Google Scholar
Digital Library
- William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2016. Fast, lean, and accurate: Modeling password guessability using neural networks. In Proc. 25th USENIX Security Symposium. USENIX Association, 175--191.Google Scholar
- George A Miller. 1995. WordNet: A lexical database for English. Commun. ACM 38, 11 (Nov. 1995), 39--41. DOI:https://doi.org/10.1145/219717.219748Google Scholar
Digital Library
- Peter Norvig. 2009. Natural language corpus data. In Beautiful Data, Toby Segaran and Jeff Hammerbacher (Eds.). O’Reilly Media, Chapter 14, 219--242.Google Scholar
- Jorma Rissanen. 1983. A universal prior for integers and estimation by minimum description length. The Annals of Statistics 11, 2 (June 1983), 416--431. DOI:https://doi.org/10.1214/aos/1176346150Google Scholar
Cross Ref
- Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, and Richard Shay. 2015. Measuring real-world accuracies and biases in modeling password guessability. In Proc. 24th USENIX Security Symposium. USENIX Association, 463--481.Google Scholar
- Rafael Veras, Christopher Collins, and Julie Thorpe. 2014. On semantic patterns of passwords and their security impact. In Proc. NDSS Symposium. Internet Society. DOI:https://doi.org/10.14722/ndss.2014.23103Google Scholar
Cross Ref
- Miranda Wei, Maximilian Golla, and Blase Ur. 2018. The password doesn’t fall far: How service influences password choice. In Proc. of Who Are You?! Adventures in Authentication Workshop (WAY).Google Scholar
- Matt Weir, Sudhir Aggarwal, Breno De Medeiros, and Bill Glodek. 2009. Password cracking using probabilistic context-free grammars. In Proc. IEEE Symposium on Security and Privacy. IEEE, IEEE, 391--405. DOI:https://doi.org/10.1109/sp.2009.8Google Scholar
Digital Library
- Zhixiong Zheng, Haibo Cheng, Zijian Zhang, Yiming Zhao, and Ping Wang. 2018. An alternative method for understanding user-chosen passwords. Security and Communication Networks 2018, Article ID 6160125 (2018), 1--12. DOI:https://doi.org/10.1155/2018/6160125Google Scholar
Index Terms
A Large-Scale Analysis of the Semantic Password Model and Linguistic Patterns in Passwords






Comments