Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites
Yongzhong HE, Endalew Elsabeth ALEM, Wei WANG
Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users choose hard-to-guess passwords and enhances the security of systems based on password authentication. Although there are many password strength metrics and tools, none of them produces an objective measurement, given their inconsistent policies and different dictionaries. In this work, we analyzed the password policies and checkers of the top 100 popular websites selected from the Alexa rankings. The checkers are inconsistent and thus may assign different strength labels to the same password, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers can exploit these inconsistencies to crack the protected systems more easily. As such, a single metric or local training data is not enough to build a robust and secure password checker. Based on these observations, we propose Hybritus, which integrates different websites’ strategies and views into a global and robust model of the attackers using multilayer perceptron (MLP) neural networks. Our data set comprises more than 3.3 million passwords taken from leaked, transformed and randomly generated dictionaries. The data set was sent to 10 website checkers to obtain feedback on the strength of each password, labeled as strong, medium or weak. We then used password features generated by term frequency–inverse document frequency (TF-IDF) to train and test Hybritus. The experimental results show that the accuracy of password strength checking can be as high as 97.7%, and over 94% even when it is trained with only ten thousand passwords. A user study shows that Hybritus is usable as well as secure.
password / password strength / password checker / neural networks
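As an added illustration of the pipeline the abstract describes (example code written for this page, not the authors' Hybritus implementation): three constructed checker policies stand in for the website checkers, the feedback they return for each password is aggregated by majority vote into a single strong/medium/weak label, character-bigram TF-IDF features are built from the passwords, and a nearest-centroid classifier stands in for the paper's MLP so that the block runs with the standard library alone. The checker rules, the small dictionary, the training corpus and the tie-break rule are all assumptions made for the example.

```python
"""Toy version of the Hybritus pipeline (example code, not the paper's implementation):
several inconsistent checkers -> aggregated feedback label -> TF-IDF char n-gram
features -> classifier. All checker rules, dictionaries and passwords are constructed."""
import math
from collections import Counter

STRONG, MEDIUM, WEAK = "strong", "medium", "weak"
ORDER = [WEAK, MEDIUM, STRONG]  # weakest first; used for conservative tie-breaks

# Three hypothetical checker policies standing in for real website checkers.
def checker_length(pw):
    """Length-only policy."""
    if len(pw) >= 12:
        return STRONG
    return MEDIUM if len(pw) >= 8 else WEAK

def checker_classes(pw):
    """Character-class policy: counts lower/upper/digit/symbol classes present."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes >= 3 and len(pw) >= 8:
        return STRONG
    return MEDIUM if classes >= 2 else WEAK

SMALL_DICT = {"password", "123456", "qwerty", "letmein", "abc123", "admin"}  # constructed

def checker_dictionary(pw):
    """Dictionary policy: a dictionary word as substring is weak; otherwise length decides."""
    low = pw.lower()
    if any(word in low for word in SMALL_DICT):
        return WEAK
    return STRONG if len(pw) >= 10 else MEDIUM

CHECKERS = [checker_length, checker_classes, checker_dictionary]

def query_feedback(pw):
    """Labels returned by every checker, in CHECKERS order (the 'query feedback')."""
    return [check(pw) for check in CHECKERS]

def aggregate(labels):
    """Majority vote over checker labels; ties go to the weaker label."""
    counts = Counter(labels)
    return max(ORDER, key=lambda label: (counts[label], -ORDER.index(label)))

def inconsistent_passwords(corpus):
    """Passwords on which the checkers disagree (the paper's key observation)."""
    return [pw for pw in corpus if len(set(query_feedback(pw))) > 1]

# --- TF-IDF over character bigrams ---------------------------------------
def char_ngrams(pw, n=2):
    return [pw[i:i + n] for i in range(len(pw) - n + 1)]

def build_idf(corpus, n=2):
    """Smoothed idf: log((1+N)/(1+df)) + 1, computed once over the training corpus."""
    df = Counter()
    for pw in corpus:
        df.update(set(char_ngrams(pw, n)))
    total = len(corpus)
    return {g: math.log((1 + total) / (1 + d)) + 1.0 for g, d in df.items()}

def tfidf_vector(pw, idf, n=2):
    """L2-normalised sparse tf-idf vector; n-grams unseen in training are dropped."""
    tf = Counter(char_ngrams(pw, n))
    length = sum(tf.values()) or 1
    vec = {g: (c / length) * idf[g] for g, c in tf.items() if g in idf}
    norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
    return {g: v / norm for g, v in vec.items()}

# --- Nearest-centroid classifier trained on the aggregated feedback labels ---
def train_centroids(corpus, idf):
    sums, counts = {}, Counter()
    for pw in corpus:
        label = aggregate(query_feedback(pw))
        acc = sums.setdefault(label, {})
        for g, v in tfidf_vector(pw, idf).items():
            acc[g] = acc.get(g, 0.0) + v
        counts[label] += 1
    return {label: {g: v / counts[label] for g, v in acc.items()}
            for label, acc in sums.items()}

def cosine(a, b):
    dot = sum(v * b.get(g, 0.0) for g, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values())) or 1.0
    nb = math.sqrt(sum(v * v for v in b.values())) or 1.0
    return dot / (na * nb)

def predict(pw, idf, centroids):
    """Closest centroid by cosine similarity; None when no trained n-gram is present."""
    vec = tfidf_vector(pw, idf)
    if not vec:
        return None
    return max(centroids, key=lambda label: cosine(vec, centroids[label]))

# Constructed training corpus (stand-in for the leaked/transformed/random dictionaries).
CORPUS = ["password", "123456", "qwerty", "letmein", "Blue!Sky42", "Tr0ub4dor&3",
          "correcthorsebatterystaple", "P@ssw0rd!", "abc123", "X9#kL2$qR7!m"]

if __name__ == "__main__":
    for pw in inconsistent_passwords(CORPUS):
        print(f"{pw!r}: checkers say {query_feedback(pw)} -> aggregated {aggregate(query_feedback(pw))}")
    idf = build_idf(CORPUS)
    centroids = train_centroids(CORPUS, idf)
    for pw in ["password1", "qwerty123"]:
        print(pw, "->", predict(pw, idf, centroids))
```

Running the block lists the passwords on which the three policies disagree (half of this tiny corpus), which is the inconsistency the abstract reports across real checkers, and then classifies unseen passwords from the aggregated labels. The `predict` guard returning `None` matters in practice: a password whose n-grams were never seen in training has an empty feature vector, and without the guard every centroid scores zero and the first label wins silently.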