Adam SMRCKA


An Investigation of Password Resistance to Traditional Offline Password-Cracking Attacks

Computer and Information Sciences

Project Aims

● Develop a password taxonomy and analyse the RockYou2021.txt wordlist.

● Assess attack methods and analyse the strength of passwords in the dataset.

Key Objectives

● Perform a comprehensive literature review to understand the history and practices in password development.

● Identify means of measuring password strength and of sampling the dataset.

● Sample the wordlist.

● Identify and determine the means and software used for password-cracking attacks.

● Use the results to determine the effectiveness of the current password requirements.

● Propose changes to the password standards.

Background & Project Justification

● Text-based passwords were first introduced in 1961 and remain the most common authentication method today (ESET, 2017).

● In 1979, it was first identified that weak textual passwords pose a security risk (Morris & Thompson, 1979).

● A 2014 paper further supported this finding, indicating that weak passwords are still commonly used by users (Taneski et al., 2014).

● According to a 2007 report, approximately 80% of all data breaches are caused by weak passwords or the reuse of stolen passwords (Cushman, 2007).

● However, there has been a lack of academic and research work analysing password security.

● Recommendations for password creation practices are typically set by bodies and standards such as NIST, PCI DSS or ISO 27001.

● These standards differ significantly, and there is no consensus on which one is the most secure.

Project Details

● 2.65 million passwords were sampled from the original wordlist.

● A password taxonomy was created to classify passwords.

● Scripts were coded to automatically analyse, sort and compare passwords.

● Passwords were processed using the password taxonomy.

● A benchmark of hash functions was performed on 3 different devices.

● The attack methods, software and hash function were chosen.

● The password-cracking attack was performed.

● The results were compared and analysed.

Password Taxonomy

● The taxonomy's characteristics were determined by analysing common password characteristics and traditional divisions of language.

● The main characteristics (classes) were: Length, Composition, Letters and Capitals.

● Each class has its own subcategories, such as 0-7, 8-10 and 11+ for Length.

● For the words and names subclasses, appropriate wordlists were used.

● Each password could fall into only one subcategory from each class.

● This resulted in the division of passwords into 345 characteristic groups.
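The classification described above, as an added example that is not the project's own script: each password receives exactly one subcategory from each of the four classes, and the resulting tuple is its characteristic group. The Length buckets and the All Symbols, Some Symbols, Random Capitals, first-letter and name/word subcategories come from the poster; the other subcategory names and the tiny inline wordlists are assumptions made for this example.

```python
"""Password taxonomy classifier.

Added example, not the project's own script. The four classes and the Length
subcategories (0-7, 8-10, 11+) come from the poster; the poster also names the
All Symbols, Some Symbols and Random Capitals subcategories, first-letter
capitalisation, and the name/word subclasses. The remaining subcategory names
and the tiny inline wordlists are assumptions made for this example.
"""
import re
import string
from collections import Counter

LENGTH_BUCKETS = (("0-7", 0, 7), ("8-10", 8, 10), ("11+", 11, None))
SYMBOLS = set(string.punctuation)

# Constructed stand-ins for the name and word wordlists used in the project.
NAMES = {"john", "anna", "michael"}
WORDS = {"password", "love", "dragon", "summer"}


def length_class(pw):
    n = len(pw)
    for label, lo, hi in LENGTH_BUCKETS:
        if n >= lo and (hi is None or n <= hi):
            return label
    raise ValueError("length buckets must cover every length")


def composition_class(pw):
    kinds = set()
    for c in pw:
        if c in SYMBOLS:
            kinds.add("symbol")
        elif c.isalpha():
            kinds.add("letter")
        elif c.isdigit():
            kinds.add("digit")
        else:
            kinds.add("other")  # whitespace, non-ASCII, control characters
    if kinds == {"symbol"}:
        return "All Symbols"
    if "symbol" in kinds:
        return "Some Symbols"
    if kinds == {"letter"}:
        return "Letters Only"
    if kinds == {"digit"}:
        return "Digits Only"
    if kinds == {"letter", "digit"}:
        return "Letters and Digits"
    return "Other"


def letters_class(pw):
    # Alphabetic runs are looked up case-insensitively; names take precedence.
    runs = [r.lower() for r in re.findall(r"[A-Za-z]+", pw)]
    if not runs:
        return "No Letters"
    if any(r in NAMES for r in runs):
        return "Name"
    if any(r in WORDS for r in runs):
        return "Word"
    return "Other Letters"


def capitals_class(pw):
    letters = [c for c in pw if c.isalpha()]
    if not letters:
        return "No Letters"
    uppers = [c.isupper() for c in letters]
    if not any(uppers):
        return "No Capitals"
    if all(uppers):
        return "All Capitals"
    if uppers[0] and not any(uppers[1:]):
        return "First Letter"
    return "Random Capitals"


def classify(pw):
    """One subcategory from each class; the tuple is the password's group."""
    return (length_class(pw), composition_class(pw),
            letters_class(pw), capitals_class(pw))


def group_counts(passwords):
    """Count how many passwords fall into each characteristic group."""
    return Counter(classify(pw) for pw in passwords)
```

Because every class returns exactly one label for any input (including the empty string and non-ASCII text, which land in "Other"), the tuples partition a password set without overlap, which is what makes per-group crack rates comparable later.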

Password Cracking Attack

● All passwords were stored in one database and hashed with SHA-1, currently one of the most widely used hash functions.

● hashcat was selected as the cracking software because it provides the best compatibility, an easy-to-use interface and a relatively wide range of cracking modes, and it has also been used several times in other research papers.

● The most powerful device available, a Lenovo Legion 5 Pro with an NVIDIA RTX 3060, was selected for the attack.

● A total of 15 attack methods were selected to crack the passwords in the sampled dataset: 4 mask, 2 dictionary, 7 dictionary-with-rules and 2 hybrid attacks.

Results/Findings/Highlights

● The mean password length was 10.5 characters.

● 40% of passwords with mixed capitalised letters had only the first letter uppercased.

● 35% and 29% of passwords contained names and words respectively.

● The dictionary attack method was the most efficient, cracking almost 30% of all passwords.

● Password length is a key indicator of password strength: the longer the password, the more secure it is. 100% of passwords with 0-7 characters were cracked, while only 30% of those with 11+ characters were.

● Complexity is another key component: the most secure categories were those with the highest complexity.

● The All Symbols, Some Symbols and Random Capitals categories were the most resistant to the password-cracking attack.
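The measurement behind the Password Cracking Attack and Results sections, as an added example that is not the project's own scripts or its hashcat configuration: plaintexts are hashed with SHA-1, candidates are generated as a plain dictionary plus a few dictionary-with-rules variants, and the recovered fraction is reported per length bucket. The sample passwords, the wordlist and the rules are constructed here and stand in for the sampled RockYou2021 subset and the real attack configuration; the bucket labels are the poster's.

```python
"""Offline strength audit of a SHA-1 password set.

Added example, not the project's own scripts or its hashcat configuration.
It reproduces the study's measurement in miniature: plaintexts are hashed with
SHA-1, candidates are generated as a plain dictionary plus a few
dictionary-with-rules variants, and the recovered fraction is reported per
length bucket (0-7, 8-10, 11+). The sample passwords, the wordlist and the rules
are constructed here and stand in for the sampled RockYou2021 subset and the
real attack configuration.
"""
import hashlib

LENGTH_BUCKETS = (("0-7", 0, 7), ("8-10", 8, 10), ("11+", 11, None))

# Constructed sample set (stand-in for the sampled wordlist); the study, like
# this audit, knew the plaintexts and so could group results by length.
SAMPLE_PASSWORDS = [
    "dragon", "Love123", "password1", "Michael2020", "summer!2019", "Xk9#qL!v2pZm",
]
# Constructed dictionary standing in for the name and word lists.
WORDLIST = ["dragon", "love", "password", "michael", "summer"]

# A minimal rule set: two case variants combined with a few numeric suffixes.
# The empty suffix with "as-is" is the plain dictionary attack.
CASE_RULES = [("as-is", lambda w: w), ("capitalise", str.capitalize)]
SUFFIXES = ["", "1", "123", "2020"]


def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def length_bucket(n):
    for label, lo, hi in LENGTH_BUCKETS:
        if n >= lo and (hi is None or n <= hi):
            return label
    raise ValueError("length buckets must cover every length")


def candidates(wordlist):
    """Yield (candidate, rule name) for every word/case/suffix combination."""
    for word in wordlist:
        for case_name, case_fn in CASE_RULES:
            for suffix in SUFFIXES:
                rule = case_name + (f"+append '{suffix}'" if suffix else "")
                yield case_fn(word) + suffix, rule


def audit(target_hashes, wordlist):
    """Map each recovered hash to the first (candidate, rule) that produced it."""
    targets = set(target_hashes)
    found = {}
    for cand, rule in candidates(wordlist):
        h = sha1_hex(cand)
        if h in targets and h not in found:
            found[h] = (cand, rule)
        if len(found) == len(targets):
            break  # nothing left to recover
    return found


def crack_rate_by_length(passwords, wordlist):
    """Return {bucket: (recovered, total)}; duplicate plaintexts count once."""
    by_hash = {sha1_hex(pw): len(pw) for pw in passwords}
    found = audit(by_hash, wordlist)
    stats = {label: [0, 0] for label, _, _ in LENGTH_BUCKETS}
    for h, n in by_hash.items():
        bucket = stats[length_bucket(n)]
        bucket[1] += 1
        if h in found:
            bucket[0] += 1
    return {label: tuple(v) for label, v in stats.items()}


if __name__ == "__main__":
    for label, (hit, total) in crack_rate_by_length(SAMPLE_PASSWORDS, WORDLIST).items():
        print(f"{label:>5}: {hit}/{total} recovered")
```

On the constructed sample the short and medium buckets are fully recovered while only one of the three 11+ passwords is, which is the shape of the poster's length result; "summer!2019" survives only because the symbol-plus-year pattern is outside this tiny rule set, a reminder that a reported crack rate is always relative to the attack configuration used.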

Conclusions/Future Work

● Based on the findings, recommendations for password creation practices were drawn up, which differed in some aspects from the industry standards.

● The biggest differences were the recommendations to increase the minimum length to 10 characters and to restrict the use of names and words.

● Future work: experiment with alternative attack methods and increase the sample size.

● Future work: analyse the impact of AI on password creation.

Bibliography

• Cushman, R. (2007) Primer: Authentication of Identity. University of Miami, p. 2.

• ESET (2017) A short history of the computer password. WeLiveSecurity. Available at: https://www.welivesecurity.com/2017/05/04/short-history-computer-password/

• Morris, R. and Thompson, K. (1979) Password Security: A Case History. ACM, vol. 22, pp. 594-597.

• Taneski, V., Heričko, M. and Brumen, B. (2014) Password security: No change in 35 years? 37th International Convention on IT, pp. 1360-1365. doi: 10.1109/MIPRO.2014.6859779.

This presentation poster was designed by FPPT.
