An Investigation of Password Resistance to Traditional Offline Password-Cracking Attacks
Adam Smrcka, BSc IT Management for Business, Department of Computer and Information Sciences
Project Aims
● Develop a password taxonomy and analyse the RockYou2021.txt wordlist.
● Assess attack methods and analyse the strength of passwords in the dataset.
Key Objectives
● Perform a comprehensive literature review to understand the history and practices in password development.
● Identify means of assessing password strength and of sampling the dataset.
● Sample the wordlist.
● Identify & determine means and software used for password-cracking attacks.
● Use the results to determine the effectiveness of the current password requirements.
● Propose changes to the password standards.
Background & Project Justification
● Text-based passwords were first introduced in 1961 and remain the most common authentication method today (ESET, 2017).
● In 1979, it was first identified that weak textual passwords pose a security risk (Morris & Thompson, 1979).
● A 2014 paper further supported this finding, indicating that weak passwords are still commonly used by users (Taneski et al., 2014).
● According to a 2007 report, approximately 80% of all data breaches are caused by weak passwords or the reuse of stolen passwords (Cushman, 2007).
● However, there has been a lack of academic and research work analysing password security.
● Recommendations for password creation practices are typically set by organizations such as NIST, PCI-DSS, or ISO 27001.
● These standards differ significantly, and there is no consensus on which one is the most secure.
Project Details
● 2.65 million passwords were sampled from the original wordlist.
● A password taxonomy was created to classify passwords.
● Scripts were coded to automatically analyse, sort and compare passwords.
● Passwords were processed using the password taxonomy.
● A hash-function benchmark was performed on 3 different devices.
● The attack methods, software and hash function were chosen.
● The password-cracking attack was performed.
● The results were compared and analysed.
Password Taxonomy
● These characteristics were determined by analysing common password characteristics and traditional language division.
● The main characteristics were: Length, Composition, Letters and Capitals.
● Each class has its own subcategories, for example 0-7, 8-10 and 11+ for Length.
● For the word and name subclasses, appropriate wordlists were used for matching.
● Each password could fall into only one subcategory from each class.
● This divides the passwords into 345 characteristic groups.
Password Cracking Attack
● All passwords were stored in one database and hashed with SHA-1, currently one of the most widely used hash functions.
● Hashcat was selected as the cracking software because it offers the best compatibility, an easy-to-use interface and a relatively wide range of attack modes, and it has been used in several other research papers.
● The most powerful device available – Lenovo Legion 5 Pro with NVIDIA RTX 3060 – was selected for the attack.
● A total of 15 attack methods were selected to crack passwords in the sampled dataset. This includes 4 Mask, 2 Dictionary, 7 Dictionary with rules and 2 Hybrid attacks.
Results/Findings/Highlights
● The mean password length was 10.5 characters.
● 40% of passwords with mixed-case letters had only the first letter uppercased.
● 35% and 29% of passwords contained names and words respectively.
● The dictionary attack was the most efficient method, cracking almost 30% of all passwords.
● Password length is a key indicator of password strength: the longer the password, the more secure it is. 100% of passwords with 0-7 characters were cracked, but only 30% of those with 11+ characters.
● Complexity is another key component. The most secure categories were the ones with the highest complexity.
● All Symbols, Some Symbols and Random Capitals categories were the most resistant against the password cracking attack.
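As an added illustration (not the project's own scripts), the taxonomy classification described above and the per-length cracked-rate comparison reported in the results, in Python. The wordlists are constructed stand-ins, and all subcategory labels other than the Length buckets, First Capital, Random Capitals, All Symbols and Some Symbols are assumptions.

```python
import re

# Constructed stand-ins for the name and word wordlists the project matched against.
NAMES = {"james", "maria", "john"}
WORDS = {"password", "monkey", "dragon"}


def length_class(pw):
    n = len(pw)  # buckets as given on the poster
    return "0-7" if n <= 7 else "8-10" if n <= 10 else "11+"


def composition_class(pw):
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if has_symbol and not (has_alpha or has_digit):
        return "All Symbols"
    if has_symbol:
        return "Some Symbols"
    if has_alpha and has_digit:
        return "Alphanumeric"  # assumed label
    return "Digits Only" if has_digit else "Letters Only"  # assumed labels


def capitals_class(pw):
    uppers = [c.isupper() for c in pw if c.isalpha()]
    if not any(uppers):
        return "No Capitals"  # assumed label
    if all(uppers):
        return "All Capitals"  # assumed label
    if uppers[0] and not any(uppers[1:]):
        return "First Capital"  # the "only the first letter uppercased" case
    return "Random Capitals"


def letters_class(pw):
    runs = re.findall(r"[A-Za-z]+", pw)  # longest alphabetic run is looked up
    token = max(runs, key=len).lower() if runs else ""
    return "Name" if token in NAMES else "Word" if token in WORDS else "Other"


def classify(pw):
    # Exactly one subcategory from each of the four classes, as the taxonomy requires.
    return (length_class(pw), composition_class(pw), capitals_class(pw), letters_class(pw))


def cracked_rate_by_length(results):
    """results: (password, cracked) pairs -> {length bucket: fraction cracked}."""
    totals, hits = {}, {}
    for pw, cracked in results:
        k = length_class(pw)
        totals[k] = totals.get(k, 0) + 1
        hits[k] = hits.get(k, 0) + int(cracked)
    return {k: hits[k] / totals[k] for k in totals}

SAMPLE = [("monkey1", True), ("Maria2010", True), ("Dragon!Fly2023", False), ("!@#$%^&*", False)]  # constructed
```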
Conclusions/Future Work
● Based on the findings, a set of recommendations for password creation practices was produced, which differs in some respects from the industry standards.
● The biggest differences are the recommendations to increase the minimum length to 10 characters and to restrict the use of names and words.
● Future work: experiment with alternative attack methods and increase the sample size.
● Future work: analyse the impact of AI on password creation.
Bibliography
● Cushman, R. (2007) Primer Authentication of Identity. University of Miami, p. 2.
● ESET (2017) A short history of the computer password. WeLiveSecurity. Available at: https://www.welivesecurity.com/2017/05/04/short-history-computer-password/
● Morris, R. and Thompson, K. (1979) Password Security: A Case History. Communications of the ACM, vol. 22, pp. 594-597.
● Taneski, V., Heričko, M. and Brumen, B. (2014) Password security: No change in 35 years? 37th International Convention on IT (MIPRO), pp. 1360-1365, doi: 10.1109/MIPRO.2014.6859779.