Security Analysis of Users' Real Passwords under Different Password Composition Policies
  • English title: Security Analysis of User Real Password under Different Password Composition Policies
  • Authors: 郭亚军; 叶贝; 周伟
  • English author listing: GUO Yajun; YE Bei; ZHOU Wei; School of Computer, Central China Normal University
  • Keywords: password; password composition policy; security
  • English keywords: password; password composition policies; security
  • Journal code: XXAQ
  • English journal title: Netinfo Security
  • Affiliation: School of Computer, Central China Normal University (华中师范大学计算机学院)
  • Publication date: 2019-06-10
  • Publisher: 信息网络安全 (Netinfo Security)
  • Year: 2019
  • Issue: No.222 (2019, No. 06)
  • Funding: National Natural Science Foundation of China [61772224]; Fundamental Research Funds for the Central Universities [CCNU19ZN008]
  • Language: Chinese
  • Article ID: XXAQ201906006
  • Page count: 8
  • CN: 31-1859/TN
  • Pages: 43-50
Abstract
Password composition policies place requirements on the length and complexity of the passwords users create. Several existing studies indicate that password composition policies help raise user password strength, but those studies were mainly carried out in the laboratory or online with recruited participants, and the passwords participants were asked to create do not necessarily occur in practice. Unlike those studies, this paper starts from real data: using real passwords leaked from websites, it studies the effect that several password composition policies commonly adopted by real websites have on the passwords users create. The paper mainly compares features of real passwords under three conditions: no password composition policy, the basic6 policy, and the 2class6 policy, and analyzes the security of these passwords. The study finds that a password composition policy affects the length and character types of the passwords users choose, and that a policy requiring multiple character types increases password length. It also finds that none of the three policies helps users create strong passwords.
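As an added illustration (not the paper's code), the following Python reproduces the kind of comparison the abstract describes: it filters a constructed sample of passwords under the three policy conditions and reports the length and character-class features of what each policy admits. It assumes basic6 means "at least 6 characters" and 2class6 means "at least 6 characters drawn from at least two of the four classes (lowercase, uppercase, digit, symbol)"; those definitions and the sample passwords are assumptions, not taken from this page.

```python
from collections import Counter
from statistics import mean


def char_classes(pw):
    """Return the set of character classes a password draws on."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


# Assumed policy definitions (not stated on this page).
POLICIES = {
    "none": lambda pw: True,
    "basic6": lambda pw: len(pw) >= 6,
    "2class6": lambda pw: len(pw) >= 6 and len(char_classes(pw)) >= 2,
}


def accepted(policy, passwords):
    """Passwords a given policy would have allowed the user to keep."""
    return [pw for pw in passwords if POLICIES[policy](pw)]


def summarize(passwords):
    """Count, mean length and distribution of class counts (the features compared)."""
    if not passwords:
        return {"count": 0, "mean_length": 0, "class_counts": {}}
    return {
        "count": len(passwords),
        "mean_length": round(mean(len(pw) for pw in passwords), 2),
        "class_counts": dict(Counter(len(char_classes(pw)) for pw in passwords)),
    }


# Constructed sample standing in for a leaked password set.
SAMPLE = ["123456", "password", "qq123", "Abc12345", "iloveyou!",
          "a1b2c3", "Zhang2019", "1234567890", "hello", "p@ssw0rd"]


def compare(passwords=SAMPLE):
    """Per-policy feature summary of the passwords each policy admits."""
    return {name: summarize(accepted(name, passwords)) for name in POLICIES}


if __name__ == "__main__":
    for policy, stats in compare().items():
        print(policy, stats)
```

On the constructed sample the mean length rises from 7.4 with no policy to 8.0 under basic6 and 2class6, and 2class6 removes every single-class password, mirroring the length and character-type effect the abstract reports.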