Quantitative Analysis and Create Policy of Password Based on Real Dataset

doi:10.3969/j.issn.1671-1122.2015.12.007

Abstract

Abstract:

For the serials of massive password leaks, an attacker can obtain user password more and more easily. Using the real password which reflecting user behavior tendency, an attacker can greatly improve their attack efficiency. Password creation policy which was used for restrict user behavior is an important means to improve user password security. It enable password set by the user tending to be uniform in the overall spatial distribution in order to improve resistance to guess and attack the user's password. Based on a large-scale data set, this paper makes a quantitative analysis on domestic user password security and memorability, thus puts forward to create the rules that according to the behavior of the user setting password and password history which dynamically constraints the user's behavior. The password should comprise at least seven numbers if using a digital password. The number of password characters is not six or eight if using uppercase and lowercase combination. The length of uppercase and special character combination should be nine. The password is good in both high safety and high memorability if respectively using lowercase, uppercase and lowercase combination, and uppercase and special character combination. The threshold of password memorability and safety is 14.21 and 19.17 respectively. The password should conduct dictionary check. The experimental results show that, under the constraint of the password creation rules, user password has the advantages of high safety and high memorability.

Key words: password, quantitative analysis, memorability, password strength, create policy

CLC Number:

TP309

WANG Xiuli. Quantitative Analysis and Create Policy of Password Based on Real Dataset[J]. Netinfo Security, 2015, 15(12): 42-47.

Figures/Tables 15

References 11

[1]	卿斯汉. 关键基础设施安全防护[J]. 信息网络安全,2015(2):1-6.
[2]	陈明. 白盒密码安全性分析与研究. 网络安全技术与应用,2015( 3): 116-117.
[3]	张平,陈长松,胡红钢. 基于分组密码的认证加密工作模式[J]. 信息网络安全,2014(11):8-17.
[4]	解理,任艳丽. 两个公钥加密方案的安全性分析[J]. 计算机应用研究,2015,32(1):218-221.
[5]	文伟平,郭荣华,孟正,等. 信息安全风险评估关键技术研究与实现[J]. 信息网络安全,2015(2):7-14.
[6]	MASSEY J L.Guessing and entropy[C]//IEEE, International Symposium on Information Theory, June 27-July 1, 1994, Trondheim, Norway. Piscataway: IEEE, 1994: 204.
[7]	KOMANDURI S, SHAY R, KELLEY P G, et al.Of Passwords and People: Measuring the Effect of Password-composition Policies[C]// ACM Special Interest Group on Computer-Human Interaction, Conference on Human Factors in Computing Systems. May 7-12, 2011, Vancouver, Canada. New York: ACM, 2011: 2595-2604.
[8]	KULKARNI D.A Novel Web-based Approach for Balancing Usability and Security Requirements of Text Passwords[J]. International Journal of Network Security & its Applications, 2010, 2(3): 1.
[9]	CLAIR L S, JOHANSEN L, ENCK W, et al.Password Exhaustion: Predicting the End of Password Usefulness[J]. Lecture Notes in Computer Science, 2006 (4332): 37-55.
[10]	BURR W E, DODSON D F, NEWTON E M, et al.Electronic Authentication Guideline[M]. Gaithersburg: National Institute of Standards and Technology, 2004.
[11]	VU K P L, PROCTOR R W, BHARGAV S A, et al. Improving Password Security and Memorability to Protect Personal and Organizational information[J]. International Journal of Human-Computer Studies, 2007, 65(8): 744-757.

[1]	HU Chengcong, HU Honggang. Lattice-Based Round-Optimal Password Authenticated Secret Sharing Protocol [J]. Netinfo Security, 2024, 24(6): 937-947.
[2]	CHEN Guangxuan, WU Jiajian, CAO Danni, XIE Qingquan. Research on iPhone Forensic Method Based on Checkm8 Vulnerability [J]. Netinfo Security, 2021, 21(12): 44-50.
[3]	XIAO Shuai, ZHANG Hanlin, XIAN Hequn, CHEN Fei. A Password Authentication Key Agreement Protocol for IoT Devices [J]. Netinfo Security, 2021, 21(10): 83-89.
[4]	Hongjun BI, Ru TAN, Jianjun ZHAO, Yufu LI. Research on Password Guessing Model Based on Theme PCFG [J]. Netinfo Security, 2019, 19(8): 1-7.
[5]	Yajun GUO, Bei YE, Wei ZHOU. Security Analysis of User Real Password under Different Password Composition Policies [J]. Netinfo Security, 2019, 19(6): 37-44.
[6]	Limin MA, Wei ZHANG, Ying SONG. An Enhanced Kerberos Protocol Based on OTP with Formal Analysis [J]. Netinfo Security, 2019, 19(10): 57-64.
[7]	Ding-bo LI, Lu-ning XIA, Zhan WANG. Design and Implementation of a Multi-cloud Based Browser Password Manager [J]. Netinfo Security, 2015, 15(9): 124-128.
[8]	Guo-feng JIANG, Neng GAO, Wei-yu JIANG. Secure Password Manager Based on Shadow DOM and Improved PBE [J]. Netinfo Security, 2015, 15(9): 270-273.
[9]	ZHU Peng-fei, YU Hua-zhang, LU Zhou, ZHANG Yi-fei. A Smart Inspection Recording Scheme based on OTP Token [J]. 信息网络安全, 2014, 14(9): 165-166.
[10]	. An Improved Scheme of CHAP [J]. , 2014, 14(7): 75-.
[11]	. Research on Password Access Defense Technology for Linux Operating System’ Root Account [J]. , 2014, 14(3): 24-.
[12]	Qing-yang ZHANG, Yang YANG, Jiu-jun CHENG, Jing-xue LIAO. Mechanism on Computer Access Permission Management Based on the Mobile Clients' Dynamic Password Algorithm [J]. Netinfo Security, 2014, 14(11): 46-51.