Dispelling Myths About Secure Passwords
Most of the websites that we use these days, as a rule, evaluate the degree of security of the passwords that you create when setting up a new account, from “weak” to “strong”. They also advise you to use a combination of uppercase and lowercase letters along with numbers to create a more secure password. However, no matter how good all these tips are, they will not be able to tell you exactly what the order of such combinations should be.
By happy coincidence, it turned out that almost every one of us is inclined to put capital letters at the beginning of the password, and numbers at the end . This pattern has been established by a group of security experts who work for the French research institute Eurecom.
Results of their researchpresented at the latest ACM computer and communications security conference in Denver, showed that we do not quite understand what a secure password is , and this misunderstanding threatens our privacy.
Programs traditionally used by cybercriminals for password guessing process certain combinations of passwords until they find the right user.
However, modern methods are not based on random assumptions. Criminals can now train software using huge lists of passwords (for example, passwords of 130 million Adobe users who were stolen in 2013), which allows you to find the most frequently used combinations. This method allows them to get a more real chance of successfully completing their attacks.
Based on this premise, experts used a program (similar to the one used by criminals) to analyze over 10 million passwords. Such work was done to make a list of those passwords that criminals can most easily pick up.
The report describes some sets of passwords that were leaked to the Internet in the recent past and those sets that will be used in the experiment (Rockyou, containing 32 million passwords, merged in 2009; Xato - 10 million passwords that appeared on Xato.net’s website February of this year). Three models for password selection (or three password cracking algorithms)
are also described : 1) Using N-grams - sequences of N elements . The article uses 1-gram, 2-gram, 3-gram, 4-gram. 2) Using stochastic context-free grammar (PCFGs) 3) Katz's discount model ("Backoff")
The figure shows the dependence of the password guessing probability (ordinate axis) as a percentage of the number of attempts (abscissa axis) ranging from 2 ^ 0 = 1 to 2 ^ 80 = 1208925819614629174706176 iterations. The three models described above are used. Training is done using the Xato kit, and testing is done with the Rockyou kit. The more to the right and lower the graph, the worse the corresponding model in terms of speed of finding the password.
The figure above shows the comparative characteristics of two attack models: stochastic context-free grammar (PCFGs) and another method of password selection - an attack by compiling a list of possible keys (Dictionary attack). For this model, a specialized dictionary of foreign words dic-0294 and the so-called Openwall dictionary are used. The results show that the efficiency of password guessing for them is lower than that of PCFGs. The Xato training set, as a dictionary for this method, gives the best results in terms of attack.
The figure shows a comparative characteristic of the attack model of 1-gram, 2-gram, 3-gram and 4-gram.
The figure above shows a comparative graph of the PCFGs attack model for various training sets (including those including the specialized Openwall dictionary).
The figure shows a comparative graph of the results of the Katz model for various training sets: Rockyou and Xato and them with the addition of a start symbol (the start symbol is a specific terminology associated with the Katz model).
In the figure above, the results of an attack using the Katz model for various sizes of the training set. 0.1% of the entire Xato training set, 1%, 10% and the entire Xato set (100%).
The figure shows the results of experiments on the Katz discount model for various values of the word length in the training set (upper graph): all passwords, passwords long> = 8, passwords long> = 10, passwords long> = 12 and for various combinations of characters in passwords ( bottom graph): no restrictions; numbers and letters; lowercase, capital letters, numbers; letters, numbers and various symbols.
The result of this work was the “predictability index” , which they tested on another 32 million passwords to confirm its effectiveness. According to the results, the least common passwords were the most secure. This means that you need to create a long password, which also includes characters, and not just uppercase and lowercase letters.
From now on, the goal of users should be to create passwords that are not predictable at all, regardless of whether they include numbers, upper or lower case letters. The authors of the study said that passwords should be made longer, if necessary, even adding a few words.
This study should help people become more knowledgeable about creating new secure passwords, which will help them better protect their accounts. Although, unfortunately, the authors do not guarantee an "iron" way to create completely secure passwords, they assure that the method they described is still the most secure at the moment.
Researchers, on the other hand, point out that technology companies have begun to pay less attention to passwords as means of accessing accounts, and that they are considering alternative means wherever possible. At the same time, new ways of decrypting registration data constantly appear, as a result of which they become increasingly less secure.