Similar literature
 Found 20 similar documents; search took 78 ms
1.
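Password authentication has always been the most prevalent form of identity authentication. Because passwords must satisfy password policies and be easy to remember, users often combine items of personal information to form a password. To investigate the proportion of such passwords, four real password sets leaked in 2011 were used as experimental material; the combination structures and formats of passwords were defined in advance, and a program was used to count the proportion of passwords composed of personal information. The experimental results show that passwords composed of information such as names, telephone numbers and special dates account for 12.41%~25.53%. Based on this pattern, a dynamic dictionary attack is proposed: after obtaining part of a user's personal information, an attacker can generate a targeted dynamic dictionary and use it to crack the user's password. Finally, how to choose passwords so as to prevent attackers from cracking them with dynamic dictionaries is also discussed.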

2.
This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.

3.
Password reuse – using the same password for multiple accounts – is a prevalent phenomenon that can make even the most secure systems vulnerable. When passwords are reused across multiple systems, hackers may compromise accounts by stealing passwords from low-security sites to access sites with higher security. Password reuse can be particularly threatening to users in developing countries in which cybersecurity training is limited, law enforcement of cybersecurity is non-existent, or in which programs to secure cyberspace are limited. This article proposes a two-pronged solution for reducing password reuse through detection and mitigation. First, based on the theories of routine, cognitive load and motor movement, we hypothesize that password reuse can be detected by monitoring characteristics of users' typing behavior (i.e. keystroke dynamics). Second, based on protection motivation theory, we hypothesize that providing just-in-time fear appeals when a violation is detected will decrease password reuse. We tested our hypotheses in an experiment and found that users' keystroke dynamics are diagnostic of password reuse. By analyzing changes in typing patterns, we were able to detect password reuse with 81.71% accuracy. We also found that just-in-time fear appeals decrease password reuse; 88.41% of users who received a fear appeal subsequently created unique passwords, whereas only 4.45% of users who did not receive a fear appeal created unique passwords. Our results suggest that future research should continue to examine keystroke dynamics as an indicator of cybersecurity behaviors and use just-in-time fear appeals as a method for reducing non-secure behavior. The findings of our research provide a practical and cost-effective solution to bolster cybersecurity through discouraging password reuse.

4.
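Zhang Lihua. 《计算机应用》 (Journal of Computer Applications), 2006, 26(5): 1055-1057
The Ku-Chien remote identity authentication scheme is a low-overhead, practical password authentication scheme that uses smart cards. This paper analyzes the security of the Ku-Chien scheme and points out its security flaws: it cannot resist parallel session attacks or forged-host attacks. The cause of these flaws is analyzed: the secret information computed by the user in the login phase and the secret information computed by the remote host in the authentication phase have similar structures. Finally, using a password-change counter, an improved password authentication scheme is given. The scheme allows users to choose and change their passwords freely and achieves mutual authentication; it resists replay attacks and insider attacks and has strong security reparability; and it resists parallel session attacks and forged remote host attacks.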

5.
User authentication such as password setting has become increasingly important for the secure management of the information stored in mobile devices. However, in the password authentication schemes used in mobile devices, enhancing security reduces their usability, and passwords become hard to memorize. In addition, enhancing their usability makes them vulnerable to shoulder-surfing or recording attacks involving stealing a glance at the authentication process through the system interface. In this paper, we propose a password authentication scheme that uses a virtual scroll wheel, called WheelLock, to ensure appropriate usability and prevent brute force, shoulder-surfing, and recording attacks.

6.
This paper deals with the access control problem. We assume that valuable resources need to be protected against unauthorized users and that, to this aim, a password-based access control scheme is employed. Such an abstract scenario captures many applicative settings. The issue we focus our attention on is the following: password-based schemes provide a certain level of security as long as users choose good passwords, i.e., passwords that are hard to guess in a reasonable amount of time. In order to force the users to make good choices, a proactive password checker can be implemented as a submodule of the access control scheme. Such a checker, any time the user chooses/changes his own password, decides on the fly whether to accept or refuse the new password, depending on its guessability. Hence, the question is: how can we get an effective and efficient proactive password checker? By means of neural networks and statistical techniques, we answer the above question, developing suitable proactive password checkers. Through a series of experiments, we show that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies, and the memory requirements are better in several cases. It is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers.

7.
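Passwords are an important part of computer security and the front line of protection for users' accounts. The purpose of this scheme is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of changing them. The content covers password security, password protection standards, password construction guidelines, and so on. Password schemes for personal use, home-based machines, and work-related network systems are studied.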

8.
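Text passwords are one of the most prevalent identity authentication methods today, and many users include personal information when constructing passwords so that they are easy to remember. However, work that uses users' personal information for targeted password guessing, and thereby evaluates password security, is relatively lacking. Meanwhile, the successful application of neural networks to text sequence processing makes using neural networks to study password security a new research approach. Based on large-scale password sets, and building on an analysis of users' password construction behaviour, this paper studies the role of users' personal information in password construction and proposes TPGXNN (Targeted Password Guessing using X Neural Networks), a targeted password guessing model that combines neural networks with users' personal information, and carries out targeted password guessing experiments on 8 groups of password data totalling 70 million entries. The experimental results show that, in every group of targeted password guessing experiments, the guessing success rate of the TPGXNN model is higher than that of traditional models such as probabilistic context-free grammars and Markov models, demonstrating the effectiveness of the TPGXNN model.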

9.
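Song Chuangchuang, Fang Yong, Huang Cheng, Liu Liang. 《计算机应用》 (Journal of Computer Applications), 2018, 38(5): 1383-1388
To address the problem that existing password evaluation models generalize poorly, with no single evaluation model applicable to everything from simple passwords to very complex ones, a password evaluation model based on multi-model ensemble learning is designed. First, real password training sets are used to train several existing password evaluation models as sub-models; second, the trained sub-models are used as base learners for ensemble learning, and a weak-biased voting combination strategy is adopted to integrate the strengths of each sub-model; finally, a general password evaluation model premised on high accuracy is realized. The experiments use real user password datasets leaked on the Internet as experimental data. The results show that, when evaluating the strength of passwords of different complexity, the multi-model ensemble learning model achieves high accuracy and strong generality, and the proposed model has good applicability in password evaluation.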

10.
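Smart card password authentication scheme   Cited 1 time in total (self-citations: 0, citations by others: 1)
This paper proposes a smart card password authentication scheme in which users can change their passwords freely, the remote system does not need to store a password table or verification table for users, and malicious replay attacks can be prevented. Once a secure network environment is established, authentication can be handled solely by the two communicating parties.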

11.
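Password authentication is the simplest, most convenient and most widely used method of user authentication. Recently, Tsaur et al. pointed out that the password update protocol of Chang et al. is subject to denial-of-service attacks and cannot provide backward security of passwords. They then gave an improved password update protocol and claimed that it is secure. This paper analyzes the password update protocol of Tsaur et al. and points out that their scheme is vulnerable to offline dictionary attacks and cannot provide forward or backward security of passwords. Finally, an improved password update protocol is proposed and its security is analyzed.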

12.
In this paper, two password authentication schemes with smart cards are proposed. In the schemes, users can change their passwords freely, and the remote system does not need the directory of passwords or verification tables to authenticate users. Once the secure network environment is set up, authentication can be handled solely by the two parties involved. For a network without synchronized clocks, the proposed nonce-based authentication scheme is able to prevent malicious replay attacks.

13.
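Design and security analysis of a graphical password identity authentication scheme   Cited 3 times in total (self-citations: 1, citations by others: 2)
To resolve the conflict between the security and the memorability of passwords in identity authentication schemes, and in view of the many shortcomings of traditional character-based passwords, a reference identity authentication scheme incorporating a new type of graphical password is proposed. Under the design principles for graphical passwords, and following the recognition-based and recall-based design approaches, a reference graphical password authentication scheme is proposed; the security of graphical passwords is compared with that of text passwords, and the key space of graphical passwords and their ability to resist common password attacks are analyzed. The analysis shows that most graphical passwords are superior to traditional passwords in memorability and security.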

14.
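Teng Nanjun, Lu Huaxiang, Jin Min, Ye Junbin, Li Zhiyuan. 《智能系统学报》 (CAAI Transactions on Intelligent Systems), 2018, 13(6): 889-896
Username-password is currently the most popular method of user identity authentication. Since obtaining real large-scale plaintext passwords is very difficult, using password guessing techniques to generate large-scale password sets, which can be used to evaluate the efficiency of password guessing algorithms and to detect defects in existing user password protection mechanisms, is the main method for studying password security. This paper proposes a password guessing probability model based on recurrent neural networks (password guessing RNN, PG-RNN). Unlike traditional password generation methods based on manually designed rules, a recurrent neural network can automatically learn the distribution characteristics and character patterns of the password set itself. A recurrent neural network trained on leaked real user password sets can therefore generate passwords very close to the real data of the training set, avoiding the limitations of manually set rules for cracking passwords. The experimental results show that the passwords generated by PG-RNN come closer than those of the Markov model to the distribution characteristics of the original training data in terms of structural character types and password length distribution; and in terms of matching real passwords, the proposed PG-RNN model improves by 1.2% over PassGAN, a currently strong model based on generative adversarial networks.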

15.
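The WTLS handshake protocol does not satisfy forward security; in the non-anonymous authentication mode it does not satisfy user anonymity, and in the fully anonymous mode it is vulnerable to man-in-the-middle attacks. The DH-EKE protocol provides authenticated key agreement. By integrating an improved DH-EKE into the WTLS handshake protocol, only a memorable user password is needed, and no authentication certificates or digital signatures are required. The scheme is suited to the fully anonymous authentication mode, resists man-in-the-middle attacks and dictionary attacks, and does not store passwords directly on the server, so that even an attacker who compromises the server and obtains the password file cannot impersonate users. It achieves simple identity authentication and secure key exchange within the WTLS handshake protocol.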

16.
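Authentication of users is one of the core components of system security. Password-based authentication is one of the most commonly used methods of user authentication. People tend to choose simple passwords that are easy to remember, but these are also easy to attack. Some graphical passwords spare people the trouble of memorizing passwords, but they require that user training be carried out in secret, which makes it rather difficult for users to set and change passwords. A new graphical password scheme is proposed that uses the ordinary keys people carry with them as the graphical password; users can enter the password just by looking at the screen. Experiments show that it is simple and easy to implement, and very convenient for users.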

17.

Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, comparisons between password guessers are limited to simple success rates. Thus, little is known on how password guessers can best be combined with or complement each other. To extend analyses beyond success rates, we devise an analytical framework to compare the types of passwords that guessers generate. Using our framework, we show that different guessers often produce dissimilar passwords, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective in guessing passwords as computationally intensive guessers, but more efficient. Our framework can be used to identify combinations of guessers that will best complement each other. To improve the success rate of any guesser, we also show how an effective training dataset can be identified for a given target password dataset, even when the target dataset is hashed. Our insights allow us to provide a concrete set of practical recommendations for password checking to effectively and efficiently measure password strength.


18.
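To address the problem that current semantic analysis and mining of passwords mainly targets English passwords and is limited to password units such as common words or surnames, a password analysis method for the Chinese-language context based on known password elements is proposed, which builds a pattern library from classical poems and idioms and uses data analysis techniques for password strings. First, known password elements are identified; then each is treated as a single password degree of freedom; finally, the degree-of-freedom attack cost at a given attack success rate is computed, yielding a quantified value of password security. After experiments were designed to quantitatively analyze a large number of plaintext passwords, it was found that among passwords used in the Chinese-language context, 80% of user passwords do not have high security and can easily be broken by dictionary attacks.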

19.
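This paper mainly discusses issues such as default passwords, weak passwords, the flaws of system-saved passwords, and password recovery, and briefly introduces cracking methods such as online cracking, offline cracking and non-technical cracking. It also proposes some methods for strengthening our passwords, such as randomizing password characters, diversifying characters, increasing password length, and some other techniques for setting passwords. Finally, methods for evaluating password strength are given and next-generation password technology is considered.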

20.
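In view of the fixed-password identity authentication systems in common use today, a dynamic password identity authentication system based on a white noise device is given. In this system, the dynamic password is obtained by transforming the random sequence generated by the white noise device with a specific irreversible mapping function, which makes it very hard for an attacker to infer the next password from any number of known passwords. In addition, the system provides a wireless alert function that promptly sends a user's login information to the corresponding legitimate user, which effectively prevents impersonation attacks by illegitimate users.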
