Understanding user passwords through password prefix and postfix (P3) graph analysis and visualization

  • Xiaoying Yu
  • Qi LiaoEmail author
Regular contribution


While other authentication methods exist, passwords are still the dominant way for user authentication and system security. Over the years, passwords have become long and complex thanks to security policy and awareness. However, the security of user passwords remains unclear. Therefore, understanding users passwords is vital to improve the strength of passwords and system security in general. In this paper, we investigate one specific pattern, i.e., the prefix and postfix of user passwords. To facilitate password prefix and postfix (P3) analysis, we propose both hierarchical segmentation / optimization algorithms and password prefix/postfix graphs (P3G) construction and P3G visualizations. Through case study over real-world user passwords, we demonstrate P3 analysis and visualization are effective in identifying unique patterns for different user categories. The results suggest strong correlations between prefix/postfix and their context in user passwords.


Computer security Password analysis and visualization Prefix and postfix graphs Hierarchical segmentation Dynamic programming 


Compliance with ethical standards

Conflict of Interest

Authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


  1. 1.
    Aydin, K., Bateni, M., Mirrokni, V.: Distributed balanced partitioning via linear embedding. In: Ninth ACM International Conference on Web Search and Data Mining, pp. 387–396. San Francisco CA (2016)Google Scholar
  2. 2.
    Bentley, R.A., Hahn, M.W., Shennan, S.J.: Random drift and culture change. Proc. R. Soc. London B: Biol. Sci. 271(1547), 1443–1450 (2004)CrossRefGoogle Scholar
  3. 3.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy (SP), pp. 538–552. San Francisco CA (2012)Google Scholar
  4. 4.
    Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? The security of customer-chosen banking pins. Financ. Cryptogr. Data Secur. 7397, 25–40 (2012a)CrossRefGoogle Scholar
  5. 5.
    Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? the security of customer-chosen banking pins. In: Proceedings of the 16th International Conference on Financial Cryptography and Data Security, Bonaire, pp 25–40 (2012b)Google Scholar
  6. 6.
    Brown, A.S., Bracken, E., Zoccoli, S., Douglas, K.: Generating and remembering passwords. Appl. Cognit. Psychol. 18(6), 641–651 (2004)CrossRefGoogle Scholar
  7. 7.
    Brunner, E., Wyon, O.: The Mediator: A Study of the Central Doctrine of the Christian Faith, vol. 3. James Clarke & Co, Plainview (1934)Google Scholar
  8. 8.
    i Cancho, R.F., Solé, R.V.: The small world of human language. Proc. R. Soc. London B: Biol. Sci. 268(1482), 2261–2265 (2001)CrossRefGoogle Scholar
  9. 9.
    Hc, Chou, Hc, Lee, Cw, Hsueh, Fp, Lai: Password cracking based on special keyboard patterns. Int. J. Innov. Comput. Inf. Control 8(1A), 387–402 (2012)Google Scholar
  10. 10.
  11. 11.
    Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: Proceedings of the 13th conference on USENIX Security Symposium (SSYM’04), pp 151–164. San Diego, CA (2004)Google Scholar
  12. 12.
    Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: An empirical analysis. In: Proceedings of the IEEE Conference on Computer Communications (INFOCOM), pp 1–9. San Diego, CA (2010)Google Scholar
  13. 13.
    Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov, K., Herley, C.: Does my password go up to eleven?: the impact of password meters on password selection. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI), pp 2379–2388. Paris, France (2013)Google Scholar
  14. 14.
    Herley, C., van Oorschot, P.: A research agenda acknowledging the persistence of passwords. IEEE Sec. Priv. 10(1), 28–36 (2012)CrossRefGoogle Scholar
  15. 15.
    Jakobsson, M., Dhiman, M.: Proceedings of the 7th usenix conference on hot topics in security (hotsec’12). In: The benefits of understanding passwords, p 10. Bellevue, WA (2012)Google Scholar
  16. 16.
    Li, Y., Wang, H., Sun, K.: A study of personal information in human-chosen passwords and its security implications. In: The 35th Annual IEEE International Conference on Computer Communications (INFOCOM). San Francisco, CA (2016)Google Scholar
  17. 17.
    Rao, A., Jha, B., Kini, G.: Effect of grammar on security of long passwords. In: Proceedings of the third ACM conference on Data and application security and privacy, pp 317–324. San Antonio, Texas (2013)Google Scholar
  18. 18.
    Schweitzer, D., Boleng, J., Hughes, C., Murphy, L.: Visualizing keyboard pattern passwords. In: 6th International Workshop on Visualization for Cyber Security (VizSec’09), pp. 69–73. Atlantic City, NJ (2009)Google Scholar
  19. 19.
    Segaran, T., Hammerbacher, J.: Beautiful Data: The Stories Behind Elegant Data Solutions, O’Reilly Media, p 386. ISBN 9780596157111 (2009)Google Scholar
  20. 20.
    Shay, R., Komanduri, S., Durity, A.L., Huh, P.S., Mazurek, M.L., Segreti, S.M., Ur, B., Bauer, L., Christin, N., Cranor, L.F.: Can long passwords be secure and usable? In: Proceedings of the 32nd annual ACM conference on Human factors in computing systems, pp 2927–2936. Toronto, Canada (2014)Google Scholar
  21. 21.
    Shi, L., Liao, Q., Tong, H., Hu, Y., Zhao, Y., Lin, C.: Hierarchical focus+context heterogeneous network visualization. In: Proceedings of the IEEE Pacific Visualization Symposium (PacificVis), pp 89–96. Yokohama, Japan (2014)Google Scholar
  22. 22.
    Veras, R., Thorpe, J., Collins, C.: Visualizing semantics in passwords: The role of dates. In: Proceedings of the Ninth International Symposium on Visualization for Cyber Security (VizSec’12)), pp 88–95. Seattle, WA (2012)Google Scholar
  23. 23.
    Veras, R., Collins, C., Thorpe, J.: On semantic patterns of passwords and their security impact. In: Network and Distributed System Security (NDSS) Symposium. San Diego, CA (2014)Google Scholar
  24. 24.
    Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: An underestimated threat. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp 1242–1254. Vienna, Austria (2016)Google Scholar
  25. 25.
    Weir, M., Aggawal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM conference on Computer and communications security (CCS ’10), pp 162–175. Chicago, IL (2010)Google Scholar
  26. 26.
    Yang, W., Li, N., Chowdhury, O., Xiong, A., Proctor, R.W.: An empirical study of mnemonic sentence-based password generation strategies. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp 1216–1229. Vienna, Austria (2016)Google Scholar
  27. 27.
    Yeganova, L., Smith, L., Wilbur, W.J.: Identification of related gene/protein names based on an hmm of name variations. Comput. Biol. Chem. 28(2), 97–107 (2004)CrossRefzbMATHGoogle Scholar
  28. 28.
    Yu, X., Liao, Q.: User password repetitive patterns analysis and visualization. Inf. Comput. Secur. 24(1), 93–115 (2016)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Zheng, Z., Cheng, H., Zhang, Z., Zhao, Y., Wang, P.: An alternative method for understanding user-chosen passwords. Secur. Commun. Netw. 2018, 6160125 (2018)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceCentral Michigan UniversityMount PleasantUSA

Personalised recommendations