research-article

A Large-Scale Analysis of the Semantic Password Model and Linguistic Patterns in Passwords

Published: 20 April 2021

Abstract

In this article, we present a thorough evaluation of semantic password grammars. We report multifactorial experiments that test the impact of sample size, probability smoothing, and linguistic information on password cracking. The semantic grammars are compared with state-of-the-art probabilistic context-free grammar (PCFG) and neural network models, and tested in cross-validation and A vs. B scenarios. We present results that reveal the contributions of part-of-speech (syntactic) and semantic patterns, and suggest that the former are more consequential to the security of passwords. Our results show that in many cases PCFGs are still competitive models compared to their latest neural network counterparts. In addition, we show that there is little performance gain in training PCFGs with more than 1 million passwords. We present qualitative analyses of four password leaks (Mate1, 000webhost, Comcast, and RockYou) based on trained semantic grammars, and derive graphical models that capture high-level dependencies between token classes. Finally, we confirm the similarity inferences from our qualitative analysis by examining the effectiveness of grammars trained and tested on all pairs of leaks.

    • Published in

      ACM Transactions on Privacy and Security, Volume 24, Issue 3
      August 2021
      286 pages
      ISSN: 2471-2566
      EISSN: 2471-2574
      DOI: 10.1145/3450360

      Copyright © 2021 ACM

      Publisher

      Association for Computing Machinery
      New York, NY, United States

      Publication History

      • Published: 20 April 2021
      • Revised: 1 January 2021
      • Accepted: 1 January 2021
      • Received: 1 February 2019

      Qualifiers

      • research-article
      • Research
      • Refereed