Human-memorable passwords are a mainstay of computer security. To decrease the vulnerability of passwords to brute-force dictionary attacks, many organizations enforce complicated password-creation rules and require that passwords include numerals and special characters. We demonstrate that as long as passwords remain human-memorable, they are vulnerable to "smart-dictionary" attacks even when the space of potential passwords is large.

Our first insight is that the distribution of letters in easy-to-remember passwords is likely to be similar to the distribution of letters in the users' native language. Using standard Markov modeling techniques from natural language processing, this can be used to dramatically reduce the size of the password space to be searched. Our second contribution is an algorithm for efficient enumeration of the remaining password space. This allows application of time-space tradeoff techniques, limiting memory accesses to a relatively small table of "partial dictionary" sizes and enabling a very fast dictionary attack.

We evaluated our method on a database of real-world user password hashes. Our algorithm successfully recovered 67.6% of the passwords using a 2 × 10^9 search space. This is a much higher percentage than Oechslin's "rainbow" attack, which is the fastest currently known technique for searching large keyspaces. These results call into question the viability of human-memorable character-sequence passwords as an authentication mechanism.
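The following Python block is an added illustration of the two ideas in the abstract, not code from the paper or its authors. It trains a first-order (bigram) letter Markov model, keeps only the fixed-length strings whose discretized Markov cost stays under a threshold, and then enumerates that reduced space by integer index with a small table of partial-dictionary sizes. The index-to-password map (`unrank`) and its inverse (`rank`) are what a rainbow-style reduction function needs to send a hash output back into the dictionary. The training word list, the password length of 8, the threshold of 30, and every function and class name are assumptions made for this example.

```python
"""Markov-filtered password dictionary with rank/unrank enumeration.
Added example, not the paper's code: bigram letter model, threshold filter,
partial-dictionary size table, index <-> password maps, rainbow-style reduce."""
import hashlib
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
START = "^"  # pseudo-symbol that precedes the first character of a password

# Constructed training data (assumption: a stand-in for native-language text).
# The letters x q z j v k never occur, so strings built from them get only
# smoothed, high-cost transitions and fall outside the dictionary.
TRAINING_WORDS = (["password"] * 8 + ["letmein"] * 3 + ["sunshine"] * 3
                  + ["football"] * 3 + ["monster"] * 3)


def train_levels(words, alphabet=ALPHABET):
    """level[prev][c] = round(-log2 P(c | prev)), add-one smoothed, as a small int."""
    pair, prev_total = Counter(), Counter()
    for w in words:
        prev = START
        for c in w:
            pair[(prev, c)] += 1
            prev_total[prev] += 1
            prev = c
    level = {}
    for prev in [START] + list(alphabet):
        denom = prev_total[prev] + len(alphabet)
        level[prev] = {c: int(-math.log2((pair[(prev, c)] + 1) / denom) + 0.5)
                       for c in alphabet}
    return level


class MarkovDictionary:
    """All length-n strings over the alphabet whose total level cost is <= threshold."""

    def __init__(self, level, n, threshold, alphabet=ALPHABET):
        self.level, self.n, self.t, self.alphabet = level, n, threshold, alphabet
        symbols = [START] + list(alphabet)
        # count[i][prev][b]: number of length-i completions after `prev` with
        # budget b left. This is the "partial dictionary sizes" table: the only
        # memory the enumeration touches, of size (n+1) * |symbols| * (t+1) ints.
        count = [{p: [1] * (threshold + 1) for p in symbols}]
        for i in range(1, n + 1):
            count.append({p: [sum(count[i - 1][c][b - level[p][c]]
                                  for c in alphabet if level[p][c] <= b)
                              for b in range(threshold + 1)] for p in symbols})
        self.count = count
        self.size = count[n][START][threshold]

    def cost(self, s):
        return sum(self.level[p][c] for p, c in zip(START + s, s))

    def __contains__(self, s):
        return (len(s) == self.n and all(c in self.alphabet for c in s)
                and self.cost(s) <= self.t)

    def unrank(self, k):
        """k-th dictionary entry (0 <= k < size) using n * |alphabet| table lookups."""
        if not 0 <= k < self.size:
            raise IndexError(k)
        prev, budget, out = START, self.t, []
        for i in range(self.n, 0, -1):
            for c in self.alphabet:
                lv = self.level[prev][c]
                cnt = self.count[i - 1][c][budget - lv] if lv <= budget else 0
                if k < cnt:
                    out.append(c)
                    prev, budget = c, budget - lv
                    break
                k -= cnt
        return "".join(out)

    def rank(self, s):
        """Inverse of unrank: the index of a dictionary entry."""
        if s not in self:
            raise ValueError(s)
        prev, budget, k = START, self.t, 0
        for i, target in zip(range(self.n, 0, -1), s):
            for c in self.alphabet:
                lv = self.level[prev][c]
                if c == target:
                    prev, budget = c, budget - lv
                    break
                if lv <= budget:
                    k += self.count[i - 1][c][budget - lv]
        return k

    def reduce(self, digest, column):
        """Rainbow-style reduction: map a hash output to a dictionary entry."""
        return self.unrank((int.from_bytes(digest[:8], "big") + column) % self.size)


LEVELS = train_levels(TRAINING_WORDS)
DICT = MarkovDictionary(LEVELS, n=8, threshold=30)  # assumed length and threshold


if __name__ == "__main__":
    print(f"{DICT.size:,} of {26 ** DICT.n:,} length-8 strings pass the filter")
    print("password" in DICT, "xqzjvkwp" in DICT, DICT.rank("password"))
    print(DICT.reduce(hashlib.sha256(b"password").digest(), 0))
```

The filter is the first contribution in miniature: a string such as "xqzjvkwp" costs more than the budget and is never enumerated, while "password" costs little and receives a small index. The second contribution is the table: `unrank` never materialises the dictionary, it walks the alphabet position by position and subtracts partial-dictionary counts, so a time-space tradeoff can treat the reduced space as a contiguous range of integers.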