
2016 | Original Paper | Book chapter

On the Implications of Zipf’s Law in Passwords

Authors: Ding Wang, Ping Wang

Published in: Computer Security – ESORICS 2016

Publisher: Springer International Publishing

Abstract

Textual passwords are perhaps the most prevalent mechanism for access control over the Internet. Despite the fact that human beings generally select passwords in a highly skewed way, it has long been assumed in the password research literature that users choose passwords randomly and uniformly. This is partly because it is easy to derive concrete (numerical) security results under the uniform assumption, and partly because we do not know what the exact distribution of passwords is if we do not make a uniform assumption. Fortunately, researchers have recently revealed that user-chosen passwords generally follow Zipf’s law, a distribution which is vastly different from the uniform one.
In this work, we explore a number of foundational security implications of the Zipf-distribution assumption about passwords. Firstly, we show how the attacker’s advantages against password-based cryptographic protocols (e.g., authentication, encryption, signature and secret sharing) can be captured (formulated) 2–4 orders of magnitude more accurately than by existing formulation results. As password protocols are the most widely used cryptographic protocols, our new formulation is of practical significance. Secondly, we provide new insights into popularity-based password creation policies and point out that, under the current, widely recommended security parameters, usability will be largely impaired. Thirdly, we show that the well-known password strength metric \(\alpha \)-guesswork, which was believed to be parametric, is actually non-parametric in two of four cases under the Zipf assumption. In particular, nine large-scale, real-world password datasets are employed to establish the practicality of our findings.
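As an added illustration (this is not the paper's own code or text), the following Python script shows why the uniform assumption misstates guessing resistance. It assumes the Zipf rank-frequency form f_r = C / r^s that the paper reports for real password datasets, and Bonneau's definition of alpha-guesswork from [8] (mu = fewest guesses whose combined probability reaches alpha, lambda = probability actually covered, G_alpha = (1 - lambda) * mu + sum_{i<=mu} i * p_i, with the bit normalisation from the same paper). All input data is constructed: a Zipf set with exponent 0.9 is compared against a uniform set of the same size, and the fit routine recovers the exponent from the rank-frequency table.

```python
"""Added example (not from the paper): guessing resistance of a Zipf-distributed
password set versus the uniform assumption, measured with the optimal-guessing
success rate and Bonneau's alpha-guesswork [8]. All data below is constructed."""
import math
from collections import Counter


def rank_frequencies(passwords):
    """Rank-frequency table of a password list: counts in descending order,
    so index 0 is the most popular password (rank 1)."""
    return [count for _, count in Counter(passwords).most_common()]


def zipf_frequencies(n_distinct, s, f1):
    """Constructed rank-frequency table obeying f_r = f1 / r**s, the Zipf
    form the paper reports for real-world password datasets."""
    return [f1 / r ** s for r in range(1, n_distinct + 1)]


def fit_zipf(freqs):
    """Least-squares fit of log f_r = log C - s * log r over the ranks.
    Returns (C, s). An s clearly above 0 means the distribution is skewed,
    so uniform-assumption security bounds overstate the attacker's cost."""
    xs = [math.log(r) for r in range(1, len(freqs) + 1)]
    ys = [math.log(f) for f in freqs]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return math.exp(my - slope * mx), -slope


def to_probabilities(freqs):
    """Normalise a rank-frequency table into a probability distribution."""
    total = sum(freqs)
    return [f / total for f in freqs]


def success_rate(probs, k):
    """Fraction of accounts compromised by a guesser who tries the k most
    probable passwords per account (the online-guessing setting)."""
    return sum(sorted(probs, reverse=True)[:k])


def _coverage(probs, alpha):
    """mu = fewest guesses (in decreasing-probability order) whose combined
    probability reaches alpha; lam = probability those mu guesses cover."""
    p = sorted(probs, reverse=True)
    covered, mu = 0.0, 0
    for prob in p:
        mu += 1
        covered += prob
        if covered >= alpha:
            break
    return p, mu, covered


def alpha_guesswork(probs, alpha):
    """Bonneau's G_alpha: expected guesses per account for an optimal guesser
    who stops once a fraction alpha of accounts would be compromised."""
    p, mu, lam = _coverage(probs, alpha)
    return (1 - lam) * mu + sum(i * p[i - 1] for i in range(1, mu + 1))


def alpha_guesswork_bits(probs, alpha):
    """G_alpha in bits, normalised so that a uniform distribution over 2**n
    passwords scores n bits for every alpha."""
    _, _, lam = _coverage(probs, alpha)
    g = alpha_guesswork(probs, alpha)
    return math.log2(2 * g / lam - 1) + math.log2(1 / (2 - lam))


def compare(n_distinct=1000, s=0.9, k=10, alpha=0.5):
    """Side-by-side numbers for a Zipf set and a uniform set of equal size."""
    zipf = to_probabilities(zipf_frequencies(n_distinct, s, 10000))
    uniform = [1 / n_distinct] * n_distinct
    return {
        "zipf_success_k": success_rate(zipf, k),
        "uniform_success_k": success_rate(uniform, k),
        "zipf_G_alpha": alpha_guesswork(zipf, alpha),
        "uniform_G_alpha": alpha_guesswork(uniform, alpha),
    }


if __name__ == "__main__":
    # Constructed toy dataset: four distinct passwords with counts 5, 3, 2, 1.
    toy = ["pw_a"] * 5 + ["pw_b"] * 3 + ["pw_c"] * 2 + ["pw_d"]
    print("toy rank-frequency table:", rank_frequencies(toy))
    c, s = fit_zipf(zipf_frequencies(1000, 0.9, 10000))
    print(f"fitted Zipf parameters: C={c:.1f}, s={s:.3f}")
    for name, value in compare().items():
        print(f"{name}: {value:.3f}")
```

With 1000 distinct passwords, ten guesses per account succeed against roughly 30% of accounts under the Zipf set but only 1% under the uniform one, and G_0.5 drops by about an order of magnitude; this is the gap between a uniform-assumption bound and what a skewed password distribution actually delivers, which is what motivates rate limiting and popularity-based policies on the defender's side.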

Footnotes

1. Note that the least frequent passwords are inherently difficult to capture with a theoretical model, due to the law of large numbers; see further discussion in [36].

2. We note that, in Sects. 5.2–5.4 of [2], m is re-defined to be the entropy of passwords. This inconsistency would lead to great differences in security guarantees. We conjecture that typos have occurred there.
References

1. Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE password-authenticated key exchange protocol. In: Proceedings of IEEE S&P 2015, pp. 571–587 (2015)
2. Abdalla, M., Benhamouda, F., Pointcheval, D.: Public-key encryption indistinguishable under plaintext-checkable attacks. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 332–352. Springer, Heidelberg (2015)
3. Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: Proceedings of ACM CCS 2011, pp. 433–444 (2011)
4. Bellare, M.: Practice-oriented provable-security. In: Proceedings of ISC 1997, pp. 221–231 (1997)
5. Bellare, M., Hoang, V.T.: Adaptive witness encryption and asymmetric password-based cryptography. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 308–331. Springer, Heidelberg (2015)
6. Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 449–475. Springer, Heidelberg (2013)
8. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of IEEE S&P 2012, pp. 538–552 (2012)
9. Bonneau, J., Herley, C., van Oorschot, P., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of IEEE S&P 2012, pp. 553–567 (2012)
10. Burr, W., Dodson, D., Perlner, R., Gupta, S., Nabbus, E.: NIST SP800-63-2: electronic authentication guideline. Technical report, National Institute of Standards and Technology, Reston, VA, August 2013
11. Byun, J.W.: Privacy preserving smartcard-based authentication system with provable security. Secur. Commun. Netw. 8(17), 3028–3044 (2015)
12. Carnavalet, X., Mannan, M.: A large-scale evaluation of high-impact password strength meters. ACM Trans. Inform. Syst. Secur. 18(1), 1–32 (2015)
13. Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. In: Proceedings of NDSS 2012, pp. 1–15 (2012)
14. Chatterjee, R., Bonneau, J., Juels, A., Ristenpart, T.: Cracking-resistant password vaults using natural language encoders. In: Proceedings of IEEE S&P 2015, pp. 481–498 (2015)
15. Chen, L., Lim, H.W., Yang, G.: Cross-domain password-based authenticated key exchange revisited. ACM Trans. Inform. Syst. Secur. 16(4), 1–37 (2014)
16. Dürmuth, M., Freeman, D., Biggio, B.: Who are you? A statistical approach to measuring user authenticity. In: Proceedings of NDSS 2016, pp. 1–15 (2016)
17. Florêncio, D., Herley, C., van Oorschot, P.: An administrator's guide to internet password research. In: Proceedings of USENIX LISA 2014, pp. 44–61 (2014)
18. Gjøsteen, K., Thuen, Ø.: Password-based signatures. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds.) EuroPKI 2011. LNCS, vol. 7163, pp. 17–33. Springer, Heidelberg (2012)
19. Herley, C., van Oorschot, P.: A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. 10(1), 28–36 (2012)
20. Huang, X., Xiang, Y., Bertino, E., Zhou, J., Xu, L.: Robust multi-factor authentication for fragile communications. IEEE Trans. Depend. Secur. Comput. 11(6), 568–581 (2014)
21. Huang, Z., Ayday, E., Hubaux, J., Juels, A.: GenoGuard: protecting genomic data against brute-force attacks. In: Proceedings of IEEE S&P 2015, pp. 447–462 (2015)
22. Huh, J.H., Oh, S., Kim, H., et al.: SURPASS: system-initiated user-replaceable passwords. In: Proceedings of ACM CCS 2015, pp. 170–181 (2015)
23. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Highly-efficient and composable password-protected secret sharing. In: Proceedings of IEEE EuroS&P 2016, pp. 276–291 (2016)
24. Jarecki, S., Krawczyk, H., Shirvanian, M., Saxena, N.: Device-enhanced password protocols with optimal online-offline protection. In: Proceedings of ASIACCS 2016, pp. 177–188 (2016)
25. Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1), 1–41 (2009)
26.
27. Kiefer, F., Manulis, M.: Zero-knowledge password policy checks and verifier-based PAKE. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014, Part II. LNCS, vol. 8713, pp. 295–312. Springer, Heidelberg (2014)
28. Li, Y., Wang, H., Sun, K.: A study of personal information in human-chosen passwords and its security implications. In: Proceedings of INFOCOM 2016, pp. 1–9 (2016)
29. Ma, J., Yang, W., Luo, M., Li, N.: A study of probabilistic password models. In: Proceedings of IEEE S&P 2014, pp. 689–704 (2014)
30. Malone, D., Maher, K.: Investigating the distribution of password choices. In: Proceedings of WWW 2012, pp. 301–310 (2012)
34. Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: Proceedings of HotSec 2010, pp. 1–8 (2010)
35. Wang, D., He, D., Cheng, H., Wang, P.: fuzzyPSM: a new password strength meter using fuzzy probabilistic context-free grammars. In: Proceedings of DSN 2016, pp. 595–606 (2016)
36.
37. Wang, D., Wang, P.: The emperor’s new password creation policies: an evaluation of leading web services and the effect of role in resisting against online guessing. In: Proceedings of ESORICS 2015, pp. 456–477 (2015)
38. Wang, Y.: Password protected smart card and memory stick authentication against off-line dictionary attacks. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 489–500. Springer, Heidelberg (2012)
39. Yan, J., Blackwell, A.F., Anderson, R.J., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)
40. Yi, X., Hao, F., Chen, L., Liu, J.K.: Practical threshold password-authenticated secret sharing protocol. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 347–365. Springer, Heidelberg (2015). doi:10.1007/978-3-319-24174-6_18
Metadata
Title: On the Implications of Zipf’s Law in Passwords
Authors: Ding Wang, Ping Wang
Copyright year: 2016
DOI: https://doi.org/10.1007/978-3-319-45744-4_6