How Guessable Is Your Password?

Go on … admit it … if you are forced to have a number in your password … you put it at the end? If you put an uppercase letter in your password … you put it at the start? Well you might not, but most people do, which means a hash cracker can target a limited range of character sets for their cracking.

If you select a password with six characters and only use lowercase letters then there are 26⁶ possible passwords (308,915,776), but if we use lowercase alphanumeric characters then there are 36⁶ (2,176,782,336), which makes the cracking about seven times harder. If we go for upper and lowercase letters plus digits, we have 62 characters, so 62⁶ possible passwords (56,800,235,584), which is now about 184 times harder [try here]. That arithmetic only holds, though, if every character is chosen uniformly from the set; a digit that always sits at the end, or an uppercase letter that always sits at the start, leaves the attacker a far smaller space to search.

So we have just published some analysis of the strength of passwords here.

In the paper we look at patterns and vulnerabilities based on Shannon entropy, guessing entropy and minimum entropy, and analyse passwords from the RockYou and 163.com leaked datasets. Our conclusions define improved passwords for good usability, deployability, memorability, and secure entropies.

Outline

Although they receive plenty of criticism, text-based passwords are still heavily used to authenticate web and mobile application users. Many research efforts have been made to protect users' passwords against attacks [3]. Recently, many password managers have been developed to help people create and manage passwords that are both strong enough and easy to remember (e.g. Dashlane, KeePass, LastPass). However, when using a password manager, at least one master password still needs to be created and remembered.

Password cracking

Most users have different passwords for different web or mobile application accounts, but remembering so many passwords is difficult. Although mobile devices are increasingly used, running a password manager on a mobile device is still awkward, and unfriendly on-screen keyboards make it more challenging or inconvenient to type passwords with special symbols or mixed-case characters. Many websites and mobile applications (apps) require users to choose complicated passwords (e.g. mixed-case letters, digits, special characters), which makes password entry more complicated. In this case, dedicated text-password input interfaces (e.g. touchscreen virtual keyboards) are applied to protect users' passwords from malware.

In the paper, we investigate the leaked RockYou and 163.com password lists to comprehensively identify the strength of real-world passwords. Basically, we focus on four features of the passwords:

  1. Length of passwords.
  2. Variety of character types in a password.
  3. The randomness of passwords.
  4. Uniqueness of passwords.

Mathematically, we analyse the password (Shannon) entropy, guessing entropy, and minimum entropy of the passwords in the leaked lists. A number of password analysis tools, including John the Ripper, hashcat, and the Password Analysis and Cracking Kit (PACK), are used to analyse the lists for password length, password entropies, character types, detection of mask patterns, and other password features.

Password measurements

Password strength measurements can help to warn users away from highly vulnerable passwords. Many authentication systems for websites and mobile applications require passwords that resist eavesdroppers and off-line analysis of recorded authentication protocol runs. In general, the security of a password is measured by its strength. Password strength is defined in terms of the probability that a determined attacker discovers a selected user's password by an in-line (online) attack. Password strength is therefore a function of both the entropy of the password and the way unsuccessful trials are limited (lockout, rate limiting). Entropy is commonly taken as the standard measure of security:

  • Password Entropy. Shannon entropy is a popular method for evaluating the security strength of a password, and is what is usually meant by "password entropy". Assuming a random variable X ranges over a set of n passwords with probabilities (p1, p2, …, pn), the password entropy can be modelled with Shannon entropy as:

A password using only lowercase characters can be represented as log2(26) ≈ 4.7 bits of entropy per character, so the password "iliveinedinburgh" would have an entropy value of about 4.7 × 16 ≈ 75 bits. Note that this per-character figure is an upper bound that assumes every character was chosen uniformly at random; a phrase built from dictionary words, like this one, is far more guessable than 75 bits would suggest.

  • Guessing Entropy. A password's resistance to a complete off-line attack can be measured with guessing entropy, which measures how difficult it is to guess the passwords in a login system. If the values of Y = sorted(X) are sorted in decreasing order of probability, the guessing entropy of Y can be defined as:

Guessing entropy is closely related to the average number of guesses an attacker needs when trying candidates in the optimal (most-probable-first) order. If a password distribution has n bits of guessing entropy, an attacker has as much difficulty guessing the average password as guessing an n-bit random quantity.

  • Minimum Entropy. Heuristic strength checks (counting digits, password length, upper/lowercase, symbols) cannot warn users away from a password that is common or reused, because they never look at how likely the password itself is. Minimum entropy estimates strength from the single most probable password in the distribution, and is defined as:

For example, a low-strength password pb has low minimum entropy (Hmin(pb) = 1). A high minimum entropy (Hmin(X) = α) guarantees that, with high probability, the adversary will need around 2^α guesses to recover a user's password. Minimum entropy therefore captures resistance to off-line password cracking in the worst case, rather than on average.
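The three measures above differ in what they reward, and the difference only shows on a skewed distribution. The following is an added example (not code from the paper) that computes Shannon entropy, Massey's guessing entropy (expected number of guesses in most-probable-first order) and min-entropy over a constructed password list, alongside the naive per-character log2(|charset|) × length estimate used above. The sample list and its frequencies are made up for illustration and are not RockYou or 163.com data.

```python
import math
import string
from collections import Counter

# Constructed frequency sample standing in for a leaked list (not RockYou or 163.com).
# 100 entries in total, heavily skewed toward a few favourites, as real leaks are.
SAMPLE = (
    ["123456"] * 40 + ["password"] * 20 + ["qwerty"] * 10 + ["iloveyou"] * 10
    + ["abc123"] * 5 + ["monkey"] * 5 + ["letmein"] * 3 + ["dragon"] * 3
    + ["Edinburgh2016"] * 2 + ["iliveinedinburgh"] + ["Tr0ub4dor&3"]
)


def distribution(passwords):
    """Empirical probability p_i of each distinct password in the list."""
    n = len(passwords)
    return {pw: c / n for pw, c in Counter(passwords).items()}


def shannon_entropy(dist):
    """H(X) = -sum p_i * log2(p_i), in bits: the average surprise per password."""
    return -sum(p * math.log2(p) for p in dist.values())


def guessing_entropy(dist):
    """Massey's guessing entropy: expected number of guesses when candidates are
    tried in decreasing order of probability, G = sum_i i * p_(i)."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(i * p for i, p in enumerate(ordered, start=1))


def min_entropy(dist):
    """H_min(X) = -log2(max p_i): how many bits of work the attacker's single
    best guess costs them. Dominated entirely by the most common password."""
    return -math.log2(max(dist.values()))


def charset_entropy(password):
    """The naive per-character estimate from the text: log2(|charset|) * length,
    with the charset being the union of the hashcat classes the password touches.
    It assumes each character was drawn uniformly at random, which users do not do."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += 33  # hashcat ?s: space plus 32 ASCII punctuation characters
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    d = distribution(SAMPLE)
    print(f"Shannon entropy  : {shannon_entropy(d):.3f} bits")
    g = guessing_entropy(d)
    print(f"Guessing entropy : {g:.2f} expected guesses (log2 = {math.log2(g):.2f} bits)")
    print(f"Min-entropy      : {min_entropy(d):.3f} bits")
    for pw in ("iliveinedinburgh", "123456", "Edinburgh2016"):
        print(f"charset estimate for {pw!r}: {charset_entropy(pw):.1f} bits")
```

On this sample the most common password alone is 40% of the list, so the min-entropy is about 1.3 bits and the expected number of guesses is under three, while the per-character estimate for the same "123456" still reports nearly 20 bits. That gap is exactly why heuristic meters are a poor guide to real strength.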

Results

When we use a hash cracker like hashcat, we can apply some masks:

  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d = 0123456789
  • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a = ?l?u?d?s
  • ?b = 0x00–0xff

where ?d covers the range 0–9 and ?l covers a–z. So:

hashcat -a 3 -m 0 hashes.txt ?l?l?l?l?l?l?l?l

(with -m set to the hash type of the hashes in hashes.txt; 0 is MD5) will search the keyspace "aaaaaaaa" to "zzzzzzzz", i.e. 26⁸ ≈ 2.1 × 10¹¹ candidates, rather than the 95⁸ ≈ 6.6 × 10¹⁵ candidates of the full printable-ASCII space ?a?a?a?a?a?a?a?a.

When we analyse passwords from rockyou they are mainly between 6 and 10 characters, with 8-character passwords being the most popular (with 1-in-5

and for 163.com, we have passwords from 6 to 14 characters long, with 8-character passwords being the most popular length:

When we analyse RockYou, the weaknesses are already visible: 88% of the passwords are lowercase alphanumeric, drawn from the range [0–9a–z], and thus selected from a character set of only 36 characters:

On 163.com we see a strong focus on numeric passwords, but with a wider mixture of passwords:

On RockYou, for the more complex passwords, the most common masks are a run of letters (any character class) followed by digits at the end:

For 163.com, the following masks catch the most passwords:

where a mask of six digits (?d?d?d?d?d?d) alone would catch 14% of the passwords on the site, and we only have to search 10⁶ candidates, a tiny part of the complete password space.
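The mask statistics above (for both the hashcat mask section and these RockYou and 163.com results) come down to two questions: which masks cover the most passwords, and how small is each mask's keyspace compared with brute-forcing ?a. The following is an added example, not code from the paper or from PACK, that reimplements the core of PACK's statsgen idea in a few lines: it derives the hashcat mask for each password in a constructed list, ranks masks by coverage with their keyspace, and measures how often digits appear only at the end and uppercase letters only at the start. The sample list is made up for illustration; the charset sizes are hashcat's built-in ones.

```python
import re
import string
from collections import Counter

# Sizes of hashcat's built-in charsets, used for keyspace arithmetic.
# ?s is space plus the 32 ASCII punctuation characters; ?a = ?l?u?d?s; ?b = any byte.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95, "?b": 256}

# Constructed sample standing in for a leaked list (not RockYou or 163.com data).
SAMPLE = [
    "password1", "letmein1", "monkey12", "qwerty123", "dragon99", "soccer10",
    "Password1", "Summer2016", "Edinburgh1", "Football7",
    "123456", "111111", "654321",
    "iloveyou", "princess", "sunshine",
    "abc123def", "p4ssw0rd", "Pa55word", "PASSWORD",
]


def mask_of(password):
    """Translate a password into the hashcat mask that would generate it,
    e.g. 'Pass123' -> '?u?l?l?l?d?d?d'. Anything outside printable ASCII maps to ?b."""
    tokens = []
    for ch in password:
        if ch in string.ascii_lowercase:
            tokens.append("?l")
        elif ch in string.ascii_uppercase:
            tokens.append("?u")
        elif ch in string.digits:
            tokens.append("?d")
        elif ch == " " or ch in string.punctuation:
            tokens.append("?s")
        else:
            tokens.append("?b")
    return "".join(tokens)


def keyspace(mask):
    """Number of candidates 'hashcat -a 3' must try for a mask: the product of
    the charset sizes, one factor per position."""
    total = 1
    for token in re.findall(r"\?[ludsab]", mask):
        total *= CHARSET_SIZE[token]
    return total


def mask_stats(passwords, top=5):
    """Most common masks, each with the fraction of the list it covers and its
    keyspace. Same idea as PACK's statsgen output, reimplemented here."""
    counts = Counter(mask_of(pw) for pw in passwords)
    n = len(passwords)
    return [(mask, c / n, keyspace(mask)) for mask, c in counts.most_common(top)]


# A non-digit prefix followed by a trailing run of digits and nothing else.
TRAILING_DIGITS = re.compile(r"[^0-9]+[0-9]+")


def placement_stats(passwords):
    """Among passwords that contain digits, how often are the digits only a
    trailing run? Among those with uppercase, how often is it only the first char?
    All-digit passwords are not counted as 'digits at the end'."""
    with_digits = [pw for pw in passwords if any(c in string.digits for c in pw)]
    with_upper = [pw for pw in passwords if any(c in string.ascii_uppercase for c in pw)]
    trailing = sum(1 for pw in with_digits if TRAILING_DIGITS.fullmatch(pw))
    leading = sum(
        1 for pw in with_upper
        if pw[0] in string.ascii_uppercase
        and not any(c in string.ascii_uppercase for c in pw[1:])
    )
    return {
        "trailing_digits": trailing / len(with_digits) if with_digits else 0.0,
        "leading_upper_only": leading / len(with_upper) if with_upper else 0.0,
    }


if __name__ == "__main__":
    full = keyspace("?a" * 8)  # brute-force reference: 95^8 candidates
    for mask, frac, space in mask_stats(SAMPLE):
        print(f"{mask:<26} covers {frac:5.1%}  keyspace {space:>20,}  "
              f"({space / full:.1e} of ?a x 8)")
    print(placement_stats(SAMPLE))
```

Run against a real leak, the top few masks typically cover a large share of the list while their combined keyspace is a negligible fraction of 95⁸; that is the gap a mask attack exploits, and the placement figures are what "the number always goes at the end" looks like in data.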

Conclusions

You might think your password is secure because you have numbers in it, but if you always put them at the end, you are considerably reducing the strength of your password. If you want to read more, here is the paper:

http://wwwen.zte.com.cn/endata/magazine/ztecommunications/2016/3/201607/P020160715564598421157.pdf