Common Passwords and Common Words in Passwords

  • Jikai Li
  • Ethan Zeigler
  • Thomas Holland
  • Dimitris Papamichail
  • David Greco
  • Joshua Grabentein
  • Daan Liang
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1160)

Abstract

Passwords often include dictionary words or meaningful strings. Identifying these words or strings may significantly reduce the number of password guesses needed. The wordlists used by password cracking software, such as Hashcat, typically include words from various dictionaries and leaked plaintext passwords. Is it really necessary to put all dictionary words and leaked passwords into the wordlist? In this work, we use the Mac system dictionary and the rockyou.com leak as two sample wordlists to check the substrings of over 600 million leaked passwords from different websites. We find that only a small portion of the words from these two wordlists are used by the leaked passwords. More specifically, about 90,000 out of 235,886 Mac dictionary words and about six million out of 13 million unique rockyou.com passwords are used by the leaked passwords. In addition, we find that a small portion of unique passwords are shared by a large portion of accounts.

Keywords

Password, Hashcat, Dictionary, Substring

Copyright information

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Jikai Li (1)
  • Ethan Zeigler (1)
  • Thomas Holland (1)
  • Dimitris Papamichail (1)
  • David Greco (1)
  • Joshua Grabentein (1)
  • Daan Liang (2)

  1. The College of New Jersey, Ewing, USA
  2. Department of Civil, Construction and Environmental Engineering, University of Alabama, Tuscaloosa, USA
