基于真实数据集的密码定量分析及规则创建

doi:10.3969/j.issn.1671-1122.2015.12.007

摘要/Abstract

摘要：

大规模泄密事件频发,攻击者越来越容易获得用户真实密码信息,利用这些真实密码及用户在设置密码中的行为倾向,攻击者可以大幅提高其攻击效率。利用可用性较好的密码创建规则约束用户行为是提高用户密码安全性的重要手段,使用户设置的密码在整体密码空间上趋于均匀分布,以提高用户密码抵抗猜解攻击的能力。文章在大规模真实数据集的基础上,从强度和可记忆度两个维度定量分析了国内用户密码的安全性及可记忆性,提出了能根据用户历史密码数据动态约束用户密码设置行为的密码创建规则：若用户采用纯数字密码,则密码长度不应低于7位,大写字母+小写字母组合的密码应避开6位和8位,大写字母+特殊字符的组合推荐使用9位。实验结果表明,在该密码创建规则的约束下,用户创建的密码具有高安全性和高可记忆性的优点。

关键词: 密码, 定量分析, 可记忆度, 密码强度, 创建规则

Abstract:

For the serials of massive password leaks, an attacker can obtain user password more and more easily. Using the real password which reflecting user behavior tendency, an attacker can greatly improve their attack efficiency. Password creation policy which was used for restrict user behavior is an important means to improve user password security. It enable password set by the user tending to be uniform in the overall spatial distribution in order to improve resistance to guess and attack the user's password. Based on a large-scale data set, this paper makes a quantitative analysis on domestic user password security and memorability, thus puts forward to create the rules that according to the behavior of the user setting password and password history which dynamically constraints the user's behavior. The password should comprise at least seven numbers if using a digital password. The number of password characters is not six or eight if using uppercase and lowercase combination. The length of uppercase and special character combination should be nine. The password is good in both high safety and high memorability if respectively using lowercase, uppercase and lowercase combination, and uppercase and special character combination. The threshold of password memorability and safety is 14.21 and 19.17 respectively. The password should conduct dictionary check. The experimental results show that, under the constraint of the password creation rules, user password has the advantages of high safety and high memorability.

Key words: password, quantitative analysis, memorability, password strength, create policy

中图分类号:

TP309

王秀利. 基于真实数据集的密码定量分析及规则创建[J]. 信息网络安全, 2015, 26(12): 42-47.

Xiuli WANG. Quantitative Analysis and Create Policy of Password Based on Real Dataset[J]. Netinfo Security, 2015, 26(12): 42-47.

图/表 15

表1

图1

图2

图3

表2

表3

表4

表5

图4

图5

表6

图6

图7

表7

表8

参考文献 11

[1]	卿斯汉. 关键基础设施安全防护[J]. 信息网络安全,2015(2):1-6.
[2]	陈明. 白盒密码安全性分析与研究. 网络安全技术与应用,2015( 3): 116-117.
[3]	张平,陈长松,胡红钢. 基于分组密码的认证加密工作模式[J]. 信息网络安全,2014(11):8-17.
[4]	解理,任艳丽. 两个公钥加密方案的安全性分析[J]. 计算机应用研究,2015,32(1):218-221.
[5]	文伟平,郭荣华,孟正,等. 信息安全风险评估关键技术研究与实现[J]. 信息网络安全,2015(2):7-14.
[6]	MASSEY J L.Guessing and entropy[C]//IEEE, International Symposium on Information Theory, June 27-July 1, 1994, Trondheim, Norway. Piscataway: IEEE, 1994: 204.
[7]	KOMANDURI S, SHAY R, KELLEY P G, et al.Of Passwords and People: Measuring the Effect of Password-composition Policies[C]// ACM Special Interest Group on Computer-Human Interaction, Conference on Human Factors in Computing Systems. May 7-12, 2011, Vancouver, Canada. New York: ACM, 2011: 2595-2604.
[8]	KULKARNI D.A Novel Web-based Approach for Balancing Usability and Security Requirements of Text Passwords[J]. International Journal of Network Security & its Applications, 2010, 2(3): 1.
[9]	CLAIR L S, JOHANSEN L, ENCK W, et al.Password Exhaustion: Predicting the End of Password Usefulness[J]. Lecture Notes in Computer Science, 2006 (4332): 37-55.
[10]	BURR W E, DODSON D F, NEWTON E M, et al.Electronic Authentication Guideline[M]. Gaithersburg: National Institute of Standards and Technology, 2004.
[11]	VU K P L, PROCTOR R W, BHARGAV S A, et al. Improving Password Security and Memorability to Protect Personal and Organizational information[J]. International Journal of Human-Computer Studies, 2007, 65(8): 744-757.

[1]	董晓丽, 商帅, 陈杰. 分组密码9轮Rijndael-192的不可能差分攻击[J]. 信息网络安全, 2020, 20(4): 40-46.
[2]	纪兆轩, 杨秩, 孙瑜, 单亦伟. 大数据环境下SHA1的GPU高速实现[J]. 信息网络安全, 2020, 20(2): 75-82.
[3]	韩益亮, 李喆, 李鱼. 基于Polar码改进的McEliece密码体制[J]. 信息网络安全, 2020, 20(1): 1-8.
[4]	任良钦, 王伟, 王琼霄, 鲁琳俪. 一种新型云密码计算平台架构及实现[J]. 信息网络安全, 2019, 19(9): 91-95.
[5]	韩益亮, 王众. 基于多变量和LRPC码的抗量子密码方案研究[J]. 信息网络安全, 2019, 19(8): 36-43.
[6]	吴志红, 赵建宁, 朱元, 陆科. 国密算法和国际密码算法在车载单片机上应用的对比研究[J]. 信息网络安全, 2019, 19(8): 68-75.
[7]	韦永霜, 陈建华, 韦永美. 基于椭圆曲线密码的RFID/NFC安全认证协议[J]. 信息网络安全, 2019, 19(12): 64-71.
[8]	邹翔, 陈兵. 基于国产密码算法的印章防伪技术研究[J]. 信息网络安全, 2019, 19(1): 76-82.
[9]	江明明, 赵利军, 王艳, 王保仓. 面向云数据共享的量子安全的无证书双向代理重加密[J]. 信息网络安全, 2018, 18(8): 17-24.
[10]	刘敬浩, 平鉴川, 付晓梅. 一种基于区块链的分布式公钥管理方案研究[J]. 信息网络安全, 2018, 18(8): 25-33.
[11]	叶阿勇, 李晴, 金俊林, 孟铃玉. 无线网络接入中用户身份和位置的双重隐身机制研究[J]. 信息网络安全, 2018, 18(7): 29-35.
[12]	向永谦, 宋智琪, 王天宇. 一种基于双明文的数据对称加密算法[J]. 信息网络安全, 2018, 18(7): 69-78.
[13]	周志彬, 张少波, 罗恩韬, 李超良. 一种无可信第三方的批量RFID所有权转移协议[J]. 信息网络安全, 2018, 18(6): 18-27.
[14]	张小红, 郭焰辉. 基于椭圆曲线密码的RFID系统安全认证协议研究[J]. 信息网络安全, 2018, 18(10): 51-61.
[15]	赵凯利, 李丹仪, 李强, 马存庆. 基于智能移动终端密码模块的身份认证方案实现[J]. 信息网络安全, 2017, 17(9): 107-110.