Password Cracking Using Probabilistic Context-Free Grammars (original) (raw)
Related papers
PROBABILISTIC CONTEXT-FREE GRAMMAR (PCFG) WISER PASSWORD CRACKING TECHNIQUES
Passwords continue to remain an important authentication technique. The probabilistic context-free grammar-based password cracking system of Weir et al. was an important addition to dictionary-based password cracking approaches. In this paper, we show how to substantially improve upon this system by systematically adding keyboard patterns and multiword patterns (two or more words in the alphabetic part of a password) to the context-free grammars used in the probabilistic password cracking. Our results on cracking multiple data sets show that by learning these new classes of patterns, we can achieve up to 22% improvement over the original system. In this paper, we also define metrics to help analyze and improve attack dictionaries. Using our approach to improving the dictionary, we achieve an additional improvement of ∼33% by increasing the coverage of a standard attack dictionary. Combining both approaches, we can achieve a 55% improvement over the previous system. Our tests were done over fairly long password guessing sessions (up to 85 billion) and thus show the uniform effectiveness of our techniques for long cracking sessions.
Using Markov Models to Crack Passwords
We present a Markov Model for cracking and measuring quality of passwords. The Markov Model represents the transitions between specific characters. The Markov Model was built from a list of captured passwords, thus generating a password model with the frequency of passwords also incorporated. Traditional password quality measurement tests only against large dictionaries. We found that through the Markov Model character transition map we can optimise the search sequence for partially known passwords.
PapiaPass: Sentence-based Passwords using Dependency Trees
Passwords could make many challenges for the security of a system. One way to address the problems associated with passwords is using system-assigned passwords. However, this solution could impair the usability of a system and cause lowering user satisfaction. In this paper, we propose a new type of computer-generated passwords based on syntactic sentence structures that provide strong security and better usability compared to other conventional methods of creating computer-generated passwords. Our proposed technique uses dependency treebanks to generate sentences that are grammatically correct but lack a coherence in the sense. Using a 30,000-sentence treebank, we were able to generate sentences 32 percent of which has an entropy of more than 30 bits and a length of 10 words or less. Our study on 95 participants demonstrates that the suggested method has improved user experience while the successful recall rates of passwords do not have a significant difference compared to random character and random word passwords with the same level of security.
Exploring the Frontier of Password Cracking: Methods, Effectiveness, and Defense Strategies
Asian Journal of Applied Science and Technology (AJAST) , 2024
The manner of attacker's behavior cannot be underestimated; hackers use simple traditional attacks such as brute-force and dictionary attacks as well as sophisticated algorithms including: Markov models, probabilistic context-free grammars (PCFG), and generative adversarial networks (GANs). These are one of among the most advanced approaches which utilize artificial intelligence and machine learning to identify the patterns in passwords, guess them and crack them. Markov models calculate transitions from one character state to another, so they estimate password guesses as a probability which is sampled from the distribution. PCFGs further advance the concept by making use of context-specific inputs for producing the passwords, and as a result it is possible to come up with the candidates who are balanced and have the contextually valid characters. Years ago, the CPA attack was considered the ultimate approach for password cracking. Today, GANs have taken their place, implementing adversarial networks that use them as generators to generate valid password examples. It is evident from the research that abusing users' habits and context during password cracking has been proved that it can lead to a tremendous speed gain of the cracking process. The crackers exploit here patterns in the behavior and environmental features and tailor the cracking strategies. Besides that, recurrent neural networks (RNNs) and convolutional neural networks (CNNs) are considered to be good options in password modeling as well, where the ongoing researches are devoted to the structures of neural network so that the guessing powers of networks can improve. These new approaches have demonstrated an improvement of at least 10-15% over the outdated ones, thus they are credible in forming the password cracking paradigm shift. Thus, for defeating such sophisticated threats, companies should take into account such robust passphrase policies, teach the user about safety of passwords and implementation of rigid access mechanisms. Educating people on cyber threats basics and development of the reasonable cybersecurity culture are the factors that provide the impact reduction of attacks based on users’ behavior and contextual information.
Sociocultural Influences for Password Definition: An AI-based Study
2021
Most of the research that analyses password security has been developed targeting English-speaking users. In this work, we present a framework for password segmentation, semantic classification, and clustering, in a multilingual context. This research uses natural language processing, statistical and deep learning techniques to obtain and leverage semantic patterns for password definition. Using the methods proposed in this work in password-guessing models produce over a 10% increase with respect to state-of-the-art methods (with a guessing space limited to 500 million predictions) on a dataset of leaked credentials.
Measuring password strength: An empirical analysis
arXiv preprint arXiv:0907.3402, 2009
Abstract: We present an in-depth analysis on the strength of the almost 10,000 passwords from users of an instant messaging server in Italy. We estimate the strength of those passwords, and compare the effectiveness of state-of-the-art attack methods such as dictionaries and Markov chain-based techniques.