Abstract
In this paper we present a regression-based analysis of cleartext passwords, moving towards an efficient password cracking methodology. Hundreds of available databases were examined, and they were observed to behave similarly regardless of their size: password length distribution, entropy and letter frequencies show similar characteristics in each database. Exploiting these characteristics, a huge number of cleartext passwords were analyzed in order to design more sophisticated brute-force attack methods. New patterns are exposed by analyzing millions of cleartext passwords.
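The per-database statistics the abstract names (password length distribution, corpus-wide letter frequencies and Shannon entropy) are the figures a password-policy audit computes over a cleartext corpus. The script below is an added example, not code from the paper; it runs over two small constructed password lists rather than any real leaked database.

```python
"""Corpus-level password statistics of the kind the abstract describes.

Added example, not the paper's code. The password lists below are
constructed for illustration and do not come from any real breach.
"""
from collections import Counter
from math import log2

# Constructed sample corpora of different sizes (not real leaked data).
CORPUS_A = ["password", "123456", "qwerty", "letmein", "iloveyou",
            "monkey12", "sunshine", "football", "abc123", "dragon"]
CORPUS_B = CORPUS_A + ["welcome1", "princess", "shadow", "master", "111111",
                       "trustno1", "baseball", "hello123"]


def length_distribution(passwords):
    """Fraction of passwords at each length, keyed by length in ascending order."""
    counts = Counter(len(p) for p in passwords)
    total = len(passwords)
    return {n: counts[n] / total for n in sorted(counts)}


def letter_frequencies(passwords, top=5):
    """Most frequent characters across the whole corpus as (char, fraction) pairs."""
    counts = Counter(c for p in passwords for c in p)
    total = sum(counts.values())
    return [(c, n / total) for c, n in counts.most_common(top)]


def shannon_entropy(passwords):
    """Shannon entropy, in bits per character, of the corpus-wide character distribution."""
    counts = Counter(c for p in passwords for c in p)
    total = sum(counts.values())
    return -sum(n / total * log2(n / total) for n in counts.values())


def summarize(passwords):
    """Bundle the three statistics so two corpora can be compared side by side."""
    return {
        "size": len(passwords),
        "lengths": length_distribution(passwords),
        "top_chars": letter_frequencies(passwords),
        "entropy_bits_per_char": round(shannon_entropy(passwords), 3),
    }


if __name__ == "__main__":
    for name, corpus in (("A", CORPUS_A), ("B", CORPUS_B)):
        print(name, summarize(corpus))
```

Comparing the summaries of the two corpora is the same side-by-side check the paper performs across databases of very different sizes.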
Notes
1. Exact numbers of PLD of the RockYou database can be found on passcape.com [14].
References
1. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/. Accessed 23 October 2014
2. http://thenextweb.com/google/2014/09/10/4-93-million-gmail-usernames-passwords-published-google-says-evidence-systems-compromised. Accessed 23 October 2014
3. http://www.theguardian.com/technology/2014/jun/16/dominos-pizza-ransom-hack-data. Accessed 23 October 2014
4. http://blog.aol.com/2014/04/28/aol-security-update/. Accessed 23 October 2014
5. http://bgr.com/2014/05/27/ebay-hack-145-million-accounts-compromised/. Accessed 23 October 2014
6. http://www.wired.co.uk/news/archive/2013-11/13/mac-rumours-forums-hacked. Accessed 23 October 2014
7. http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online. Accessed 23 October 2014
8. http://arstechnica.com/security/2013/07/hack-exposes-e-mail-addresses-password-data-for-2-million-ubuntu-forum-users/. Accessed 23 October 2014
9. http://arstechnica.com/security/2013/05/drupal-org-resets-login-credentials-after-hack-exposes-password-data/. Accessed 23 October 2014
10. http://nakedsecurity.sophos.com/2013/04/05/scribd-worlds-largest-online-library-admits-to-network-intrusion-password-breach/. Accessed 23 October 2014
11. http://nakedsecurity.sophos.com/2013/04/27/livingsocial-hacked-50-million-affected/. Accessed 23 October 2014
12. http://www.wired.co.uk/news/archive/2013-03/04/evernote-hacked. Accessed 23 October 2014
13. http://www.wired.co.uk/news/archive/2013-02/02/twitter-hacked. Accessed 23 October 2014
14. http://www.passcape.com/index.php?section=blog&cmd=details&id=17. Accessed 23 June 2015
15. Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, Association for Computing Machinery, Banff, Alberta, Canada, pp. 657–666 (2007)
16. Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: SOUPS 2010: Proceedings of the 6th Symposium on Usable Privacy and Security. ACM (2010)
17. Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. Carnegie Mellon University, Technical report CMU-CyLab-11-008 (2011)
18. A brief analysis of 40 000 leaked MySpace passwords, blog post. http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html. Accessed 23 October 2014
19. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, San Francisco, CA (2012)
20. Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: ACM Conference on Computer and Communications Security, pp. 162–175 (2010)
21. Dell'Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of the 29th Conference on Information Communications, San Diego, pp. 983–991 (2010)
22. Tihanyi, N.: Comparison of two Hungarian password databases. Pollack Periodica 8(2), 179–186 (2013)
23. Bonneau, J.: Statistical metrics for individual password strength. In: SP 2012 Proceedings of the 20th International Conference on Security Protocols, University of Cambridge, UK, pp. 76–86 (2012)
Acknowledgment
We would like to thank the Hungarian NSA for the opportunity to access unpublished Hungarian databases that cannot be found on the internet. The databases originate from different vulnerability assessments and security hardening projects conducted by the National Security Authority of Hungary. For this project only truncated databases were provided. This means that the databases do not contain any additional personal information about users, so it cannot be determined to whom a password belongs. Password analysis and publication of this article is made with the authorization of the Hungarian NSA.
© 2015 Springer International Publishing Switzerland
Cite this paper
Tihanyi, N., Kovács, A., Vargha, G., Lénárt, Á. (2015). Unrevealed Patterns in Password Databases Part One: Analyses of Cleartext Passwords. In: Mjølsnes, S. (eds) Technology and Practice of Passwords. PASSWORDS 2014. Lecture Notes in Computer Science(), vol 9393. Springer, Cham. https://doi.org/10.1007/978-3-319-24192-0_6
DOI: https://doi.org/10.1007/978-3-319-24192-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24191-3
Online ISBN: 978-3-319-24192-0
eBook Packages: Computer Science (R0)