nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

21.08.2021 | Original Paper

Zipf’s law analysis on the leaked Iranian users’ passwords

verfasst von: Zeinab Alebouyeh, Amir Jalaly Bidgoly

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 2/2022

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Textual passwords are one of the most common methods of authentication and an important factor in systems security. Knowing the correct distribution of users’ passwords can play an important role in defining password policies and preventing various attacks. Culture and language can affect the pattern of users’ password selection and consequently, influence the vulnerability of passwords to guessing attacks. Therefore, knowing the distribution of English users’ passwords may not be appropriate for the security analysis of non-English users’ passwords. The main purpose of this paper is to analyze the passwords of Iranian users and investigating their differences from English-speaking users. The paper also examines the existence of Zipf’s law on Iranian passwords as the most well-known distribution for passwords. Password analysis of Iranian users shows that the popular password length between Iranian users and users of other countries is not much different, but in terms of the combination of characters used in the passwords, Iranian users are more inclined to use numeric passwords while English language users are more inclined to use passwords made up of alphabet. In this paper, Zipf’s law is reviewed on five datasets of Iranian users’ passwords using three different approaches including PDF, PDF with removing unpopular passwords and, CDF. Among these methods, in the CDF method, the passwords best matched with a Zipf’s law distribution between 0.02 and 0.07. Finally, the robustness of Iranians’ passwords to statistical guessing attacks has been measured and it is concluded that the passwords of Iranian users are more vulnerable to guessing attacks than English language users.

Vorheriger Artikel Cross-VM cache attacks on Camellia

Nächster Artikel Covert timing channels: analyzing WEB traffic

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

https://www.radware.com/ert-report-2018/.

https://diligent.com/en-gb/blog/cost-of-a-data-breach-ponemon-institute-report.

These datasets are available athttps://github.com/amirjalaly/Iranian-users-passwords.

http://www.7k7k.com/html/about.htm.

https://www.000webhost.com/.

Pinglish a.k.a Finglish stands for Persian text written with English letters.

http://www.physics.csbsju.edu/stats/KS-test.html.

Saltzer, J.H.: Protection and the control of information sharing in multics. Commun. ACM 17(7), 388–402 (1974)CrossRef

Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)CrossRef

Houshmand, S., Aggarwal, S.: Building better passwords using probabilistic techniques. In: Proceedings of the 28th ACM International Conference Proceeding Series, pp. 109–118 (2012)

Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The Tangled Web of Password Reuse, NDSS 2014: 21st Network & Distributed System Security Symposium, pp. 23–26 (2014)

Nelson, D., Vu, K.P.L.: Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. Comput. Hum. Behav. 26(4), 705–715 (2010)CrossRef

Newman, M.E.J.: Power laws, Pareto distributions and Zipf’s law. Contemp. Phys. 46(5), 323–351 (2005)

Malone, D., Maher, K.: Investigating the relationship between password distribution and Zipf’s law. In: Proceedings of WWW, pp. 301–310 (2012)

Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings—IEEE Symposium on Security and Privacy, pp. 538–552 (2012)

Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12(11), 2776–2791 (2017)

10.

Riddle, B.L., Miron, M.S., Semo, J.A.: Passwords in use in a university timesharing environment. Comput. Secur. 8(7), 569–579 (1989)CrossRef

11.

Zviran, M., Haga, W.J.: Password security: an empirical study. J. Manag. Inf. Syst. 15(4), 161–185 (1998)CrossRef

12.

AlSabah, M., Oligeri, G., Riley, R.: Your culture is in your password: an analysis of a demographically-diverse password dataset. Comput. Secur. 77, 427–441 (2018)CrossRef

13.

Kuo, C., Romanosky, S., Cranor, L.F.: Human selection of mnemonic phrase-based passwords. ACM Int. Conf. Proc. Ser. 149, 67–78 (2006)

14.

Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS) (2010)

15.

Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything A new approach to protecting passwords from statistical-guessing attacks. USENIX: Hot Topics on Security, pp. 1–6 (2010, 2010)

16.

Gao, X., Yang, Y., Liu, C., Mitropoulos, C., Lindqvist, J., Oulasvirta, A.: Forgetting of passwords: ecological theory and data. In: SEC’18: Proceedings of the 27th USENIX Conference on Security Symposium, pp. 221–238 (2018)

17.

Shay, R., Bertino, E.: A comprehensive simulation tool for the analysis of password policies. Int. J. Inf. Secur. 8(4), 275–289 (2009)CrossRef

18.

Adams, A., Sasse, M.A., Lunt, P.: Making passwords secure and usable. People and Computers XII (1997)

19.

Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: ACM Conference on Human Factors in Computing Systems, pp. 383–392 (2010)

20.

Shay, R.J.K., Bhargav-Spantzel, A., Bertino, E.: Password policy simulation and analysis. In: DIM’07—Proceedings of the 2007 ACM Workshop on Digital Identity Management, pp. 1–10 (2007)

21.

Davis, H.: Self-reference and the encoding of personal information in depression. Cogn. Ther. Res. 3(1), 97–110 (1979)CrossRef

22.

Greenwald, A.G., Banaji, M.R.: The self as a memory system: powerful, but ordinary. J. Pers. Soc. Psychol. 57(1), 41–54 (1989)CrossRef

23.

Barton, B.F., Barton, M.S.: User-friendly password methods for computer-mediated information systems. Comput. Secur. 3(3), 186–195 (1984)CrossRef

24.

Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: CHI ’11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604 (2011)

25.

Guo, Y., Zhang, Z., Guo, Y., Guo, X.: Nudging personalized password policies by understanding users’ personality. Comput. Secur. 94,(2020)

26.

de Carné de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23–26 (2014)

27.

Yang, S., Ji, S., Beyah, R.: DPPG: a dynamic password policy generation system. IEEE Trans. Inf. Forensics Secur. 13(3), 545–558 (2018)CrossRef

28.

Chou, H.C., Lee, H.C., Yu, H.J., Lai, F.P., Huang, K.H., Hsueh, C.W.: Password cracking based on learned patterns from disclosed passwords. Int. J. Innov. Comput. Inf. Control 9(2), 821–839 (2013)

29.

Devillers, M.M.A.: Analyzing Password Strength. Radboud University Nijmegen. Technical Report (2010)

30.

Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: Proceedings of the 23rd USENIX Security Symposium, pp. 559–574 (2014)

31.

Mourouzis, T., Pavlou, K.E., Kampakis, S.: The Evolution of User-Selected Passwords: A Quantitative Analysis of Publicly Available Datasets. arXiv: 1804.03946 (2018)

32.

Wang, D., Wang, P., He, D., Tian, Y., Birthday: Name and bifacial-security: understanding passwords of Chinese web users. In: Proceedings of the 28th USENIX Security Symposium, pp. 1537–1554 (2019)

33.

Mori, K., Watanabe, T., Zhou, Y., Akiyama Hasegawa, A., Akiyama, M., Mori, T.: Comparative analysis of three language spheres: are linguistic and cultural differences reflected in password selection habits? In: Proceedings—4th IEEE European Symposium on Security and Privacy Workshops, EUROS and PW, pp. 159–171 (2019)

34.

Grobler, M., Chamikara, M.A.P., Abbott, J., Jeong, J.J., Nepal, S., Paris, C.: The importance of social identity on password formulations. Pers. Ubiquit. Comput. 1–15 (2020)

35.

van Schaik, P., Jeske, D., Onibokun, J., Coventry, L., Jansen, J., Kusev, P.: Risk perceptions of cyber-security and precautionary behaviour. Comput. Hum. Behav. 75, 547–559 (2017)

36.

He, D., et al.: Group-based password characteristics analysis. IEEE Netw. 35(1), 311–317 (2021)CrossRef

37.

Martin, R.: Amid Widespread Data Breaches China. [Online]. Available (2011). (http://www.techinasia.com/alipay-hack/)

38.

Bowes, R.: Passwords. [Online]. Available (2015). (https://wiki.skullsecurity.org/Passwords)

39.

Allan, C.: 32 Million Rockyou Passwords Stolen. [Online]. Available (2009). (http://www.hardwareheaven.com/news.php?newsid=526)

40.

Weir, M., Aggarwal, S., De Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings–IEEE Symposium on Security and Privacy, pp. 391–405 (2009)

41.

Adamic, L.: Zipf, power-laws, and pareto-a ranking tutorial. Xerox Palo Alto Research Center. http://www.hpl.hp.com/research/idl/papers/ranking/r (2000)

42.

Bain, R.: Human Behavior and the Principle of Least Effort: an Introduction to Human Ecology. By George Kingsley Zipf. Cambridge, Mass.: Addison-Wesley Press, Inc., 1949. 573. Soc. Forces 28(3), 340–341 (1950)CrossRef

43.

Bakan, D.: The test of significance in psychological research. Psychol. Bull. 66(6), 423–437 (1966)CrossRef

44.

Nunnally, J.: Educational and Psychological Measurement, Educational and Psychological Measurement, XX(4), 641–650 (1960)

45.

Royall, R.M., Royall, R.M.: The effect of sample size on the meaning of significance tests. Am. Stat. 40(4), 313–315 (2012)MATH

46.

Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27, 623–656 (1948)MathSciNetCrossRef

47.

Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: CCS ’10: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 162–175 (2010)

48.

William, E., Donna, F., Elaine, M., Ray, A., William, T., Emad, A., NIST: Special Publication 800-63-2 Electronic Authentication Guideline (2017)

49.

Massey, J.L.: Guessing and entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory, p. 204 (1994)

50.

Pliam, J.O.: On the incomparability of entropy and marginal guesswork in brute-force attacks. In: International conference on cryptology in India, pp. 67–79 (2000)

51.

Bonneau, J., Just, M., Matthews, G.: What’s in a name? Evaluating statistical attacks on personal knowledge questions. In: Proceedings of the Fourteenth International Conference on Financial Cryptography and Data Security, vol. 6052, pp. 98–113 (2010)

Titel: Zipf’s law analysis on the leaked Iranian users’ passwords
verfasst von: Zeinab Alebouyeh
Amir Jalaly Bidgoly
Publikationsdatum: 21.08.2021
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 2/2022
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-021-00397-9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2022

Cross-VM cache attacks on Camellia

On delegatability of MDVS schemes

Anomaly detection in business processes logs using social network analysis

Editorial

Covert timing channels: analyzing WEB traffic

Markhor: malware detection using fuzzy similarity of system call dependency sequences

Premium Partner