
Unrevealed Patterns in Password Databases Part One: Analyses of Cleartext Passwords

  • Conference paper
Technology and Practice of Passwords (PASSWORDS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9393)

Abstract

In this paper we present a regression-based analysis of cleartext passwords as a step towards a more efficient password-cracking methodology. Hundreds of available databases were examined, and they were observed to behave similarly regardless of their size: password length distribution, entropy and letter frequencies show similar characteristics in every database. Exploiting these characteristics, a huge number of cleartext passwords were analyzed in order to design more sophisticated brute-force attack methods. New patterns are exposed by analyzing millions of cleartext passwords.
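The statistics the abstract names (password length distribution, per-character entropy, letter frequencies) are what a cracker turns into attack ordering. The following is an added example, not code from the paper or its authors, computing those statistics over a constructed sample list and, as an assumption about how such findings are operationalised, reducing each password to a Weir-style structure mask (L = lowercase, U = uppercase, D = digit, S = symbol) so that the keyspace of a mask attack can be compared with full-charset brute force. The sample passwords and the class sizes are illustrative and are not drawn from the paper's datasets.

```python
import re
from collections import Counter
from itertools import groupby
from math import log2

# Constructed sample of cleartext passwords for illustration only; these are
# not taken from the paper's databases or from any real breach dump.
SAMPLE_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "iloveyou", "abc123",
    "monkey", "dragon", "sunshine", "princess", "football", "123456789",
    "password1", "Summer2014", "welcome", "admin", "trustno1", "baseball",
]

# Assumed alphabet sizes per class (printable ASCII split into 26/26/10/33).
CLASS_SIZES = {"L": 26, "U": 26, "D": 10, "S": 33}
FULL_CHARSET = 95


def char_class(ch):
    """Map one character to its class: L(ower), U(pper), D(igit), S(ymbol)."""
    if ch.islower():
        return "L"
    if ch.isupper():
        return "U"
    if ch.isdigit():
        return "D"
    return "S"


def length_distribution(passwords):
    """Password length distribution (PLD): {length: fraction of passwords}."""
    counts = Counter(len(p) for p in passwords)
    return {n: c / len(passwords) for n, c in sorted(counts.items())}


def char_frequencies(passwords):
    """Relative frequency of every character across the corpus, most common first."""
    counts = Counter("".join(passwords))
    total = sum(counts.values())
    return {ch: c / total for ch, c in counts.most_common()}


def shannon_entropy_bits(freqs):
    """H = -sum(p * log2 p) over the observed character distribution, bits/char."""
    return -sum(p * log2(p) for p in freqs.values() if p > 0)


def structure_mask(password):
    """Run-length structure mask, e.g. 'password1' -> 'L8D1', 'Summer2014' -> 'U1L5D4'."""
    return "".join(f"{cls}{len(list(run))}"
                   for cls, run in groupby(password, key=char_class))


def mask_distribution(passwords):
    """{mask: fraction of passwords}, most common mask first."""
    counts = Counter(structure_mask(p) for p in passwords)
    return {m: c / len(passwords) for m, c in counts.most_common()}


def mask_keyspace(mask):
    """Candidates a mask attack must try for one mask (product of class_size ** run)."""
    total = 1
    for cls, n in re.findall(r"([LUDS])(\d+)", mask):
        total *= CLASS_SIZES[cls] ** int(n)
    return total


def full_keyspace(mask):
    """Candidates a naive full-charset brute force needs for the same length."""
    length = sum(int(n) for n in re.findall(r"[LUDS](\d+)", mask))
    return FULL_CHARSET ** length


def summarize(passwords):
    """Collect the corpus statistics into one dict."""
    freqs = char_frequencies(passwords)
    return {
        "count": len(passwords),
        "mean_length": sum(map(len, passwords)) / len(passwords),
        "length_distribution": length_distribution(passwords),
        "top_chars": list(freqs)[:5],
        "entropy_bits_per_char": shannon_entropy_bits(freqs),
        "mask_distribution": mask_distribution(passwords),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_PASSWORDS)
    print(f"{s['count']} passwords, mean length {s['mean_length']:.2f}")
    print("PLD:", {n: round(f, 3) for n, f in s["length_distribution"].items()})
    print("most frequent characters:", s["top_chars"])
    print(f"entropy: {s['entropy_bits_per_char']:.2f} bits/char")
    for mask, frac in s["mask_distribution"].items():
        print(f"{mask:8s} {frac:5.1%}  mask keyspace {mask_keyspace(mask):.2e}"
              f"  vs full charset {full_keyspace(mask):.2e}")
```

The last loop is the practical takeaway: a mask such as L8D1 covers one password in eighteen of the sample but needs 26^8 * 10 candidates, about 3 * 10^5 times fewer than 95^9 for a blind nine-character search, which is why a length and structure distribution learned from leaked corpora is worth more to an attacker than a larger GPU budget. Run the same functions over two different corpora to check the abstract's claim that the distributions look alike regardless of database size.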


Notes

  1. Exact numbers for the password length distribution (PLD) of the RockYou database can be found on passcape.com [14].

References

  1. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ . Accessed 23 October 2014

  2. http://thenextweb.com/google/2014/09/10/4-93-million-gmail-usernames-passwords-published-google-says-evidence-systems-compromised. Accessed 23 October 2014

  3. http://www.theguardian.com/technology/2014/jun/16/dominos-pizza-ransom-hack-data. Accessed 23 October 2014

  4. http://blog.aol.com/2014/04/28/aol-security-update/. Accessed 23 October 2014

  5. http://bgr.com/2014/05/27/ebay-hack-145-million-accounts-compromised/. Accessed 23 October 2014

  6. http://www.wired.co.uk/news/archive/2013-11/13/mac-rumours-forums-hacked. Accessed 23 October 2014

  7. http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online. Accessed 23 October 2014

  8. http://arstechnica.com/security/2013/07/hack-exposes-e-mail-addresses-password-data-for-2-million-ubuntu-forum-users/. Accessed 23 October 2014

  9. http://arstechnica.com/security/2013/05/drupal-org-resets-login-credentials-after-hack-exposes-password-data/. Accessed 23 October 2014

  10. http://nakedsecurity.sophos.com/2013/04/05/scribd-worlds-largest-online-library-admits-to-network-intrusion-password-breach/. Accessed 23 October 2014

  11. http://nakedsecurity.sophos.com/2013/04/27/livingsocial-hacked-50-million-affected/. Accessed 23 October 2014

  12. http://www.wired.co.uk/news/archive/2013-03/04/evernote-hacked. Accessed 23 October 2014

  13. http://www.wired.co.uk/news/archive/2013-02/02/twitter-hacked. Accessed 23 October 2014

  14. http://www.passcape.com/index.php?section=blog&cmd=details&id=17. Accessed 23 June 2015

  15. Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, Association for Computing Machinery, Banff, Alberta, Canada, pp. 657–666 (2007)


  16. Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: SOUPS 2010: Proceedings of the 6th Symposium on Usable Privacy and Security. ACM (2010)


  17. Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. Carnegie Mellon University, Technical report CMU-CyLab-11-008 (2011)


  18. A brief analysis of 40,000 leaked MySpace passwords, blog post. http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html. Accessed 23 October 2014

  19. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, San Francisco, CA (2012)


  20. Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: ACM Conference on Computer and Communications Security, pp. 162–175 (2010)


  21. Dell'Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of the 29th Conference on Information Communications (INFOCOM 2010), San Diego, pp. 983–991 (2010)


  22. Tihanyi, N.: Comparison of two Hungarian password databases. Pollack Periodica 8(2), 179–186 (2013)


  23. Bonneau, J.: Statistical metrics for individual password strength. In: SP 2012 Proceedings of the 20th International Conference on Security Protocols, University of Cambridge, UK, pp. 76–86 (2012)


Acknowledgment

We would like to thank the Hungarian NSA for the opportunity to access unpublished Hungarian databases that cannot be found on the internet. The databases originate from different vulnerability assessments and security hardening projects conducted by the National Security Authority of Hungary. For this project only truncated databases were provided; that is, the databases do not contain any additional personal information about users, so it cannot be determined to whom a password belongs. The password analysis and the publication of this article were made with the authorization of the Hungarian NSA.

Author information

Correspondence to Norbert Tihanyi.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Tihanyi, N., Kovács, A., Vargha, G., Lénárt, Á. (2015). Unrevealed Patterns in Password Databases Part One: Analyses of Cleartext Passwords. In: Mjølsnes, S. (ed.) Technology and Practice of Passwords. PASSWORDS 2014. Lecture Notes in Computer Science, vol 9393. Springer, Cham. https://doi.org/10.1007/978-3-319-24192-0_6


  • DOI: https://doi.org/10.1007/978-3-319-24192-0_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-24191-3

  • Online ISBN: 978-3-319-24192-0

  • eBook Packages: Computer Science (R0)