基于真实数据集的密码定量分析及规则创建

doi:10.3969/j.issn.1671-1122.2015.12.007

摘要/Abstract

摘要：

大规模泄密事件频发,攻击者越来越容易获得用户真实密码信息,利用这些真实密码及用户在设置密码中的行为倾向,攻击者可以大幅提高其攻击效率。利用可用性较好的密码创建规则约束用户行为是提高用户密码安全性的重要手段,使用户设置的密码在整体密码空间上趋于均匀分布,以提高用户密码抵抗猜解攻击的能力。文章在大规模真实数据集的基础上,从强度和可记忆度两个维度定量分析了国内用户密码的安全性及可记忆性,提出了能根据用户历史密码数据动态约束用户密码设置行为的密码创建规则：若用户采用纯数字密码,则密码长度不应低于7位,大写字母+小写字母组合的密码应避开6位和8位,大写字母+特殊字符的组合推荐使用9位。实验结果表明,在该密码创建规则的约束下,用户创建的密码具有高安全性和高可记忆性的优点。

关键词: 密码, 定量分析, 可记忆度, 密码强度, 创建规则

Abstract:

For the serials of massive password leaks, an attacker can obtain user password more and more easily. Using the real password which reflecting user behavior tendency, an attacker can greatly improve their attack efficiency. Password creation policy which was used for restrict user behavior is an important means to improve user password security. It enable password set by the user tending to be uniform in the overall spatial distribution in order to improve resistance to guess and attack the user's password. Based on a large-scale data set, this paper makes a quantitative analysis on domestic user password security and memorability, thus puts forward to create the rules that according to the behavior of the user setting password and password history which dynamically constraints the user's behavior. The password should comprise at least seven numbers if using a digital password. The number of password characters is not six or eight if using uppercase and lowercase combination. The length of uppercase and special character combination should be nine. The password is good in both high safety and high memorability if respectively using lowercase, uppercase and lowercase combination, and uppercase and special character combination. The threshold of password memorability and safety is 14.21 and 19.17 respectively. The password should conduct dictionary check. The experimental results show that, under the constraint of the password creation rules, user password has the advantages of high safety and high memorability.

Key words: password, quantitative analysis, memorability, password strength, create policy

中图分类号:

TP309

王秀利. 基于真实数据集的密码定量分析及规则创建[J]. 信息网络安全, 2015, 15(12): 42-47.

WANG Xiuli. Quantitative Analysis and Create Policy of Password Based on Real Dataset[J]. Netinfo Security, 2015, 15(12): 42-47.

图/表 15

表1

图1

图2

图3

表2

表3

表4

表5

图4

图5

表6

图6

图7

表7

表8

参考文献 11

[1]	卿斯汉. 关键基础设施安全防护[J]. 信息网络安全,2015(2):1-6.
[2]	陈明. 白盒密码安全性分析与研究. 网络安全技术与应用,2015( 3): 116-117.
[3]	张平,陈长松,胡红钢. 基于分组密码的认证加密工作模式[J]. 信息网络安全,2014(11):8-17.
[4]	解理,任艳丽. 两个公钥加密方案的安全性分析[J]. 计算机应用研究,2015,32(1):218-221.
[5]	文伟平,郭荣华,孟正,等. 信息安全风险评估关键技术研究与实现[J]. 信息网络安全,2015(2):7-14.
[6]	MASSEY J L.Guessing and entropy[C]//IEEE, International Symposium on Information Theory, June 27-July 1, 1994, Trondheim, Norway. Piscataway: IEEE, 1994: 204.
[7]	KOMANDURI S, SHAY R, KELLEY P G, et al.Of Passwords and People: Measuring the Effect of Password-composition Policies[C]// ACM Special Interest Group on Computer-Human Interaction, Conference on Human Factors in Computing Systems. May 7-12, 2011, Vancouver, Canada. New York: ACM, 2011: 2595-2604.
[8]	KULKARNI D.A Novel Web-based Approach for Balancing Usability and Security Requirements of Text Passwords[J]. International Journal of Network Security & its Applications, 2010, 2(3): 1.
[9]	CLAIR L S, JOHANSEN L, ENCK W, et al.Password Exhaustion: Predicting the End of Password Usefulness[J]. Lecture Notes in Computer Science, 2006 (4332): 37-55.
[10]	BURR W E, DODSON D F, NEWTON E M, et al.Electronic Authentication Guideline[M]. Gaithersburg: National Institute of Standards and Technology, 2004.
[11]	VU K P L, PROCTOR R W, BHARGAV S A, et al. Improving Password Security and Memorability to Protect Personal and Organizational information[J]. International Journal of Human-Computer Studies, 2007, 65(8): 744-757.

[1]	欧阳梦迪, 孙钦硕, 李发根. SM9加密算法的颠覆攻击与改进[J]. 信息网络安全, 2024, 24(6): 831-842.
[2]	杜育松, 江思维, 沈静, 张家豪. 一种抵御计时攻击的指数Bernoulli精确采样算法[J]. 信息网络安全, 2024, 24(6): 855-862.
[3]	叶清, 何俊霏, 杨智超. 基于格的可搜索公钥加密研究进展[J]. 信息网络安全, 2024, 24(6): 903-916.
[4]	郭祥鑫, 林璟锵, 贾世杰, 李光正. 针对大语言模型生成的密码应用代码安全性分析[J]. 信息网络安全, 2024, 24(6): 917-925.
[5]	胡丞聪, 胡红钢. 基于格的最优轮数口令认证秘密共享协议[J]. 信息网络安全, 2024, 24(6): 937-947.
[6]	沈霞民, 熊涛, 李华, 沈璇. CLEFIA动态密码结构的零相关线性区分器构造研究[J]. 信息网络安全, 2024, 24(6): 948-958.
[7]	朱敏, 肖昊. 一种面积高效的双态可配置NTT硬件加速器[J]. 信息网络安全, 2024, 24(6): 959-967.
[8]	沈卓炜, 汪仁博, 孙贤军. 基于Merkle树和哈希链的层次化轻量认证方案[J]. 信息网络安全, 2024, 24(5): 709-718.
[9]	杨杰超, 胡汉平, 帅燕, 邓宇昕. 基于时变互耦合双混沌系统的轻量级序列密码[J]. 信息网络安全, 2024, 24(3): 385-397.
[10]	顾妍妍, 沈丽敏, 高晨旭, 朱婷. 车载网中高效安全的无证书聚合签名方案[J]. 信息网络安全, 2024, 24(2): 188-202.
[11]	赵耿, 马英杰, 董有恒. 混沌密码理论研究与应用新进展[J]. 信息网络安全, 2024, 24(2): 203-216.
[12]	颜海龙, 王树兰. 基于国产密码技术的不动产登记集成办事平台设计与实现[J]. 信息网络安全, 2024, 24(2): 303-308.
[13]	张兴兰, 郭艳琨, 陈菲, 张丰. 基于量子Simon算法对分组密码类EM结构的密钥恢复攻击[J]. 信息网络安全, 2024, 24(1): 106-112.
[14]	刘芹, 王卓冰, 余纯武, 王张宜. 面向云安全的基于格的高效属性基加密方案[J]. 信息网络安全, 2023, 23(9): 25-36.
[15]	俞惠芳, 乔一凡, 孟茹. 面向区块链金融的抗量子属性基门限环签密方案[J]. 信息网络安全, 2023, 23(7): 44-52.