Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage

Harsha, Benjamin; Morton, Robert; Blocki, Jeremiah; Springer, John A.; Dark, Melissa

doi:10.1016/j.cose.2020.102068

Cited by 6 publications

(6 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The LinkedIn Dataset is Not IID When we attempted to generate LP based upper/lower bounds for the LinkedIn frequency corpus [31] we discovered that there was no feasible solution that satisfies all of the constraints in LPlower and LPupper. This indicates that we cannot view the LinkedIn frequency corpus 𝑆 as consisting of 𝑁 independent samples from an unknown distribution i.e., the LinkedIn frequency corpus is inconsistent with any proposed password distribution D if the samples are drawn independently.…”

Section: Discussionmentioning

confidence: 99%

“…Two of the password datasets (Yahoo! [8,13] and LinkedIn [31]) are actually differentially private frequency lists and do not include plaintext passwords. For these datasets we can still apply our techniques to upper/lower bound 𝜆 𝐺 , but we cannot compare our bounds with the empirical password cracking models.…”

Section: Datasetsmentioning

confidence: 99%

“…We use the empirical attack results in Liu et al [40] to compare with our bounds for 000webhost, Neopets, Battlefield Heroes, Brazzers, [23] 32603388 14344391 11884632 LinkedIn [31] 174292189 57431283 21424510 000webhost [28] 15268903 10592935 9006529 Neopets [21] 68345757 27987227 21509860 Battlefield Heroes [56] 541016 416130 373549 Brazzers [22] 925614 587934 491136 Clixsense [29] 2222529 1628577 1455585 CSDN [62] 6428449 4037749 3581824…”

Section: Password Cracking Modelsmentioning

confidence: 99%

“…Empirical Distribution: The empirical password distribution has been used to evaluate many password research ideas. Harsha et al [31] used empirical distributions derived from the LinkedIn and RockYou datasets to quantify the advantage of an attacker after learning the length of the user's password. The empirical password distribution has also been used to tune and evaluate distributionaware password throttling mechanisms [12,53] to defend against online attacks, distribution-aware mechanisms to tune relevant cost parameters for password hashing [3,4,7], achieve (personalized) password typo correction [19,20] and evaluate the security of Compromised Credential Checking protocols [39].…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

Towards a Rigorous Statistical Analysis of Empirical Password Datasets

Blocki¹,

Liu²

2021

Preprint

Self Cite

View full text Add to dashboard Cite

In this paper we consider the following problem: given 𝑁 independent samples 𝑆 = (𝑠 1 , . . . , 𝑠 𝑁 ) from an unknown distribution P over passwords 𝑝𝑤𝑑 1 , 𝑝𝑤𝑑 2 , . . . can we generate high confidence upper/lower bounds on the guessing curve 𝜆 𝐺 𝐺 𝑖=1 𝑝 𝑖 where 𝑝 𝑖 = Pr[𝑝𝑤𝑑 𝑖 ] and the passwords are ordered such that 𝑝 𝑖 ≥ 𝑝 𝑖+1 . Intuitively, 𝜆 𝐺 represents the probability that an attacker who knows the distribution P can guess a random password 𝑝𝑤𝑑 ← P within 𝐺 guesses. Understanding how the guessing curve 𝜆 𝐺 increases with the number of guesses 𝐺 can help quantify the damage of a password cracking attack and inform password policies. Despite an abundance of large (breached) password datasets upper/lower bounding 𝜆 𝐺 remains a challenging problem. We introduce several statistical techniques to derive tighter upper/lower bounds on the guessing curve 𝜆 𝐺 which hold with high confidence. We apply our techniques to analyze 9 large password datasets finding that our new lower bounds dramatically improve upon prior work. Our empirical analysis shows that even state-of-the-art password cracking models are significantly less guess efficient than an attacker who knows the distribution. When 𝐺 is not too large we find that our upper/lower bounds on 𝜆 𝐺 are both very close to the empirical distribution λ𝐺 which justifies the use of the empirical distribution in settings where the guessing number 𝐺 is not too large i.e., 𝐺 ≪ 𝑁 closely approximates 𝜆 𝐺 . The analysis also highlights regions of the curve where we can, with high confidence, conclude that the empirical distribution significantly overestimates the real guessing curve 𝜆 𝐺 . Our new statistical techniques yield substantially tighter upper/lower bounds on 𝜆 𝐺 though there are still regions of the curve where the best upper/lower bounds diverge significantly.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Datasetsmentioning

confidence: 99%

Section: Password Cracking Modelsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Towards a Rigorous Statistical Analysis of Empirical Password Datasets

Blocki¹,

Liu²

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…We consider nine empirical password datasets (along with their size Plaintext passwords are available for all datasets except for the differentially private LinkedIn [15] and Yahoo! [6,8] frequency corpuses which intentionally omit passwords.…”

Section: Empirical Password Datasetsmentioning

confidence: 99%

DAHash: Distribution Aware Tuning of Password Hashing Costs

Bai¹,

Blocki²

2021

Preprint

Self Cite

View full text Add to dashboard Cite

An attacker who breaks into an authentication server and steals all of the cryptographic password hashes is able to mount an offlinebrute force attack against each user's password. Offline brute-force attacks against passwords are increasingly commonplace and the danger is amplified by the well documented human tendency to select low-entropy password and/or reuse these passwords across multiple accounts. Moderately hard password hashing functions are often deployed to help protect passwords against offline attacks by increasing the attacker's guessing cost. However, there is a limit to how "hard" one can make the password hash function as authentication servers are resource constrained and must avoid introducing substantial authentication delay. Observing that there is a wide gap in the strength of passwords selected by different users we introduce DAHash (Distribution Aware Password Hashing) a novel mechanism which reduces the number of passwords that an attacker will crack.Our key insight is that a resource-constrained authentication server can dynamically tune the hardness parameters of a password hash function based on the (estimated) strength of the user's password. We introduce a Stackelberg game to model the interaction between a defender (authentication server) and an offline attacker. Our model allows the defender to optimize the parameters of DAHash e.g., specify how much effort is spent to hash weak/moderate/high strength passwords. We use several large scale password frequency datasets to empirically evaluate the effectiveness of our differentiated cost password hashing mechanism. We find that the defender who uses our mechanism can reduce the fraction of passwords that would be cracked by a rational offline attacker by around 15%.

show abstract