动态字典破解用户口令与安全口令选择

口令认证一直是最主要的身份认证方式。考虑到口令要满足口令策略和易记忆的要求,用户常常会将个人信息组合起来作为口令。因此,为了调查此类口令的比例,以2011年泄露的四种真实口令集为实验素材,预先设定口令的组合结构和格式,使用程序统计使用个人信息组合作为口令的比例。实验结果表明,使用姓名、电话号码、特殊日期等信息组合而成的口令比例为12.41%~25.53%。根据这一规律,提出了动态字典攻击。攻击者可以在获得用户部分个人信息后,生成具有针对性的动态字词典,并以此来破解用户口令。最后,还讨论了如何选择口令以防止攻击者通过动态字典破解用户口令。     

密码创建方案①

密码是计算机安全的重要组成部分,是保护用户各类账号的前线。本方案的目的在于建立一个创建强密码,保护这些密码以及更换频率的标准。内容有密码的安全性,密码保护标准,密码构造指导方针等。研究了用于个人、基于家用的机器、与工作相关的网络系统的密码方案。     

The Good and Not So Good of Enforcing Password Composition Rules

ABSTRACT

Many systems rely on password composition rules to force users to choose more secure passwords. The findings discussed here are from a study on the enforcement of good password practice in the form of password composition rules. The results show that the enforcement of password composition rules does not discourage users from using meaningful information in passwords. While composition rules reduce password reuse, the overall incidence remains high. Passwords created under these conditions are also perceived to be more difficult to remember. Nevertheless, the enforcement of password composition rules does significantly improve protection against dictionary-based attack.     

Normalizing variations in feature vector structure in keystroke dynamics authentication systems

Usernames and passwords stubbornly remain the most prevalent authentication mechanism. Password secrecy ensures that only genuine users are granted access. If the secret is breached, impostors gain the access too. One method of strengthening password authentication is through keystroke dynamics. Keystroke dynamics algorithms typically constrain the authentication entry to one valid sequence of key presses. In this paper, we introduce the concept of event sequences. We explore the nature of variations between multiple valid key-entry sequences and propose a scheme that effectively represents these variations. We test the efficacy of the new authentication method in distinguishing users. The experimental results show that typing proficiency of individuals is not the only determining authentication factor. We show that typing sequence variations contain sufficient discriminatory information to warrant their inclusion into user authentication methods. Based on these results, we present a novel strategy to create feature vectors for keystroke dynamics-based authentication. The proposed approach ensures that the feature vector’s length and structure are related only to the length of the password, independent of its content or the order of keys pressed. This normalization of feature vector structure has multiple advantages including leveraging the discriminatory power of event sequences, faster search-and-retrieval in n-graph-based authentication systems, and simplicity. The proposed authentication scheme is applicable to both static and continual authentication systems.     

基于Gaussian算法的密码智能识别认证系统

密码保护是传统的并且最为广泛应用的网络安全保护方法,然而,面对随着高科技犯罪带来的更严峻的网络安全形势,密码保护方法不再能满足用户的需求。一旦账号密码被盗取,那么用户个人信息面·临着被入侵的危险。所以密码保护是一个极其重要,且迫切需要解决的问题。文章提出的基于高斯算法的密码智能识别认证技术是一种密码保护方法,它能有效解决上述问题。文中设计了一种新的基于嵌入式的密码保护系统,能够从软硬件结合的角度有效地解决密码保护问题。讨论并测试了高斯算法,最后通过实验结果分析了高斯算法在本项目中的可靠性与准确性。     

基于神经网络的定向口令猜测研究

文本口令是现如今最主要的身份认证方式之一,很多用户为了方便记忆在构造口令时使用个人信息。然而,目前利用用户个人信息进行定向口令猜测,进而评估口令安全的工作相对欠缺。同时,神经网络在文本序列处理问题上的成功应用,使得利用神经网络进行口令安全问题研究成为一种新的研究思路。本文基于大规模口令集合,对用户口令构造行为进行分析的基础上,研究用户个人信息在口令构造中的作用,进而提出一种结合神经网络和用户个人信息的定向口令猜测模型TPGXNN（TargetedPassword Guessing using X Neural Networks）,并在8组共计7000万条口令数据上进行定向口令猜测实验。实验结果显示,在各组定向口令猜测实验中,TPGXNN模型的猜测成功率均比概率上下文无关文法、马尔科夫模型等传统模型更高,表明了TPGXNN模型的有效性。     

Password Security: An Empirical Investigation into E-Commerce Passwords and Their Crack Times

Abstract

Strong passwords are essential to the security of any e-commerce site as well as to individual users. Without them, hackers can penetrate a network and stop critical processes that assist consumers and keep companies operating. For most e-commerce sites, consumers have the responsibility of creating their own passwords and often do so without guidance from the web site or system administrator. One fact is well known about password creation—consumers do not create long or complicated passwords because they cannot remember them. Through an empirical analysis, this paper examines whether the passwords created by individuals on an e-commerce site use either positive or negative password practices. This paper also addresses the issue of crack times in relationship to password choices. The results of this study will show the actual password practices of current consumers, which could enforce the need for systems administrators to recommend secure password practices on e-commerce sites and in general.     

Password guessers under a microscope: an in-depth analysis to inform deployments

Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, comparisons between password guessers are limited to simple success rates. Thus, little is known on how password guessers can best be combined with or complement each other. To extend analyses beyond success rates, we devise an analytical framework to compare the types of passwords that guessers generate. Using our framework, we show that different guessers often produce dissimilar passwords, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective in guessing passwords as computationally intensive guessers, but more efficient. Our framework can be used to identify combinations of guessers that will best complement each other. To improve the success rate of any guesser, we also show how an effective training dataset can be identified for a given target password dataset, even when the target dataset is hashed. Our insights allow us to provide a concrete set of practical recommendations for password checking to effectively and efficiently measure password strength.

     

Password Policy Purgatory

IT system users, (all of us), and administrators, (increasingly large numbers of us), must all manage some passwords. In this article, the author reviews some issues related to password policies and concludes that managing passwords, in any sensible manner, is becoming more and more of a nuisance for users, a factor that should be to the forefront when administrators are creating password policies.     

基于蓝牙和NFC的防泄露密码使用管理系统

随着密码使用越来越广泛,用户需要记忆大量复杂的密码来保证安全,密码的记忆和输入变得越来越困难。为此,文章提出了一种基于蓝牙NFC的防泄露密码使用管理系统的设计,帮助用户记忆大量密码以及方便输入,并采用NFC(近场通讯)身份验证、类似于KDC(密钥分配中心)的密钥分配机制、挂失机制等安全机制来保证用户的密码安全。测试结果表明该系统能有效地帮助用户记忆大量密码以及快捷地进行密码的输入,并用挂失等安全机制有效地保证用户的密码不被泄露。     

Password hardening based on keystroke dynamics

We present a novel approach to improving the security of passwords. In our approach, the legitimate user’s typing patterns (e.g., durations of keystrokes and latencies between keystrokes) are combined with the user’s password to generate a hardened password that is convincingly more secure than conventional passwords alone. In addition, our scheme automatically adapts to gradual changes in a user’s typing patterns while maintaining the same hardened password across multiple logins, for use in file encryption or other applications requiring a long-term secret key. Using empirical data and a prototype implementation of our scheme, we give evidence that our approach is viable in practice, in terms of ease of use, improved security, and performance. Published online: 26 October 2001     

SplitPass: A Mutually Distrusting Two-Party Password Manager

Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users’ awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users’ passwords, while incurring little performance overhead and power consumption.     

Improving static audio keystroke analysis by score fusion of acoustic and timing data

In this paper we investigate the capacity of sound & timing information during typing of a password for the user identification and authentication task. The novelty of this paper lies in the comparison of performance between improved timing-based and audio-based keystroke dynamics analysis and the fusion for the keystroke authentication. We collected data of 50 people typing the same given password 100 times, divided into 4 sessions of 25 typings and tested how well the system could recognize the correct typist. Using fusion of timing (9.73%) and audio calibration scores (8.99%) described in the paper we achieved 4.65% EER (Equal Error Rate) for the authentication task. The results show the potential of using Audio Keystroke Dynamics information as a way to authenticate or identify users during log-on.     

Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites

Password authentication is vulnerable to dictionary attacks.Password strength measurement helps users to choose hard-to-guess passwords and enhance the security of systems based on password authentication.Although there are many password strength metrics and tools,none of them produces an objective measurement with inconsistent policies and different dictionaries.In this work,we analyzed the password policies and checkers of top 100 popular websites that are selected from Alexa rankings.The checkers are inconsistent and thus they may label the same password as different strength labels,because each checker is sensitive to its configuration,e.g.,the algorithm used and the training data.Attackers are empowered to exploit the above vulnerabilities to crack the protected systems more easily.As such,single metrics or local training data are not enough to build a robust and secure password checker.Based on these observations,we proposed Hybritus that integrates different websites'strategies and views into a global and robust model of the attackers with multiple layer perceptron(MLP)neural networks.Our data set is comprised of more than 3.3 million passwords taken from the leaked,transformed and randomly generated dictionaries.The data set were sent to 10 website checkers to get the feedbacks on the strength of passwords labeled as strong,medium and weak.Then we used the features of passwords generated by term frequency-inverse document frequency to train and test Hybritus.The experimental results show that the accuracy of passwords strength checking can be as high as 97.7%and over 94%even if it was trained with only ten thousand passwords.User study shows that Hybritus is usable as well as secure.     

口令攻击及其防范措施浅论

攻击者在攻击目标时,通常把破译普通用户的口令作为攻击的开始.口令是网络系统的第一道防线.当前的网络系统都是通过口令来验证用户身份、实施访问控制的.口令攻击是指黑客以口令为攻击目标,破解合法用户的口令,或避开口令验证过程,然后冒充合法用户潜入目标网络系统,夺取目标系统控制权的过程.本文主要介绍口令攻击的几种方式及如何来进行防范的.     

Neural Network Techniques for Proactive Password Checking

This paper deals with the access control problem. We assume that valuable resources need to be protected against unauthorized users and that, to this aim, a password-based access control scheme is employed. Such an abstract scenario captures many applicative settings. The issue we focus our attention on is the following: password-based schemes provide a certain level of security as long as users choose good passwords, i.e., passwords that are hard to guess in a reasonable amount of time. In order to force the users to make good choices, a proactive password checker can be implemented as a submodule of the access control scheme. Such a checker, any time the user chooses/changes his own password, decides on the fly whether to accept or refuse the new password, depending on its guessability. Hence, the question is: how can we get an effective and efficient proactive password checker? By means of neural networks and statistical techniques, we answer the above question, developing suitable proactive password checkers. Through a series of experiments, we show that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies, and the memory requirements are better in several cases. It is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers     

Graphical One-Time Password (GOTPass): A usability evaluation

ABSTRACT

Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords is difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. In addition, they are vulnerable to various types of attacks, such as shoulder surfing, replay, and keylogger attacks (Gupta, Sahni, Sabbu, Varma, & Gangashetty, 2012) One-Time Passwords (OTPs) aim to overcome such problems (Gupta et al., 2012); however, most implemented OTP techniques require special hardware, which not only adds cost, but there are also issues regarding its availability (Brostoff, Inglesant, & Sasse, 2010). In contrast, the use of graphical passwords is an alternative authentication mechanism designed to aid memorability and ease of use, often forming part of a multifactor authentication process. This article is complementary to the earlier work that introduced and evaluated the security of the new hybrid user-authentication approach: Graphical One-Time Password (GOTPass) (Alsaiari et al., 2015). The scheme aims to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. The article presents the results of an empirical user study that investigates the usability features of the proposed approach, as well as pretest and posttest questionnaires. The experiment was conducted during three separate sessions, which took place over five weeks, to measure the efficiency, effectiveness, memorability, and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 s.     

Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords

Complex passwords are hard to remember, so people often pick simple passwords, write complex ones down, and reuse the same password across multiple accounts. Proactive password checking (PPC) restrictions and mnemonic techniques can enhance password security and memorability. Participants in this study were assigned to one of three password generation groups: PPC restrictions alone, image-based mnemonic, or text-based mnemonic. They were asked to generate and later recall passwords for five separate fictitious online accounts. The use of mnemonic techniques resulted in the generation of longer and more complex passwords. Furthermore, passwords were more accurately recalled when they were generated using the image-based mnemonic technique or PPC restrictions alone, as opposed to the text-based mnemonic technique. However, passwords generated using PPC restrictions alone were more easily forgotten and susceptible to being cracked. Thus, the image-based mnemonic technique was shown to be the most effective method for generating secure and memorable passwords.     

Encouraging users to improve password security and memorability

Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory, and human perceptions together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of human factors-caused security problems, we offer a reliable solution by encouraging users to create their own formula to compose passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group who were given several password creation methods along with a persuasive message created more secure and memorable passwords than the participants in the control group who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements such as adding persuasive text to the usual password guidelines consisting of several password restriction rules make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.

     

动态口令身份认证和报警系统

针对目前普遍使用的固定口令身份认证系统,给出了一种基于白噪声器件的动态口令身份认证系统。该系统中,动态口令是通过自噪声器件产生的随机序列经过特定的不可逆映射函数变换后得到的,这使得攻击者很难从已知的任何数量的口令中推断出下一个口令。此外,系统还提供了无线报警提示功能,可将用户的登录信息及时地发送给对应的合法用户,从而能够有效地防止非法用户的假冒攻击行为。