Article
How Viable is Password Cracking in Digital Forensic Investigation? Analyzing the Guessability of over 3.9 Billion Real-World Accounts
Contribution Summary
This research presents the largest and most comprehensive analysis of real-world passwords to date, using a dataset of over 3.9 billion accounts from Have I Been Pwned. The study examines password trends and patterns, including the use of personal information and demographic context, and relates them to context-based password cracking. Breaking each password into its constituent fragments and classifying those fragments by semantic meaning shows that certain semantic classes are far more common than others, highlighting the role of user context in password selection. The study also analyses the guessability of these passwords and the effectiveness of password cracking tools and techniques, providing practical insight for digital investigators. The findings have implications for password security and for the design of more effective password strength meters.
Keywords: Password security; Password-based authentication; Context-based password cracking; Password strength meters; Digital forensics; Password analysis; Real-world passwords; Guessability
Abstract
Passwords have been and still remain the most common method of authentication in computer systems. These systems are therefore privileged targets of attackers, and the number of data breaches in the last few years attests to that. A detailed analysis of such data can provide insight on password trends and patterns users follow when they create a password. To this end, this paper presents the largest and most comprehensive analysis of real-world passwords to date - associated with over 3.9 billion accounts from Have I Been Pwned. This analysis includes statistics on use and most common patterns found in passwords and innovates with a breakdown of the constituent fragments that make each password. Furthermore, a classification of these fragments according to their semantic meaning provides insight on the role of context in password selection. Finally, we provide an in-depth analysis on the guessability of these real-world passwords.
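The fragment breakdown and semantic classification described in the abstract can be illustrated with a small script. The code below is an added example written for this page, not the authors' analysis pipeline: the sample passwords, the tiny name/word/place lexicons, the keyboard rows and the two-stage guess-number model are all constructed assumptions chosen to make the idea concrete. The actual study works on billions of Have I Been Pwned accounts with real cracking tooling, and its semantic classes and guessability measurements are not reproduced here.

```python
"""Illustrative password fragment analysis (added example, not the paper's code)."""
import re
from collections import Counter

# Constructed sample passwords; not drawn from Have I Been Pwned or the paper's data.
SAMPLE_PASSWORDS = [
    "john1985!", "Password123", "qwerty2020", "liverpool!!",
    "summer19", "12345678", "Mary_1990",
]

# Tiny illustrative lexicons (assumptions for this example only; a real
# classifier would use full name lists, dictionaries and gazetteers).
NAMES = {"john", "mary", "alex"}
DICTIONARY_WORDS = {"password", "summer", "love", "welcome"}
PLACES_AND_TEAMS = {"liverpool", "london", "paris"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# A fragment is a maximal run of letters, of digits, or of other characters.
FRAGMENT_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def split_fragments(password):
    """'john1985!' -> ['john', '1985', '!']"""
    return FRAGMENT_RE.findall(password)


def is_keyboard_walk(fragment):
    """True if the fragment is a contiguous slice (>= 4 chars) of a keyboard row,
    read in either direction."""
    f = fragment.lower()
    return len(f) >= 4 and any(f in row or f in row[::-1] for row in KEYBOARD_ROWS)


def classify(fragment):
    """Assign one coarse semantic class to a fragment (illustrative classes)."""
    f = fragment.lower()
    if f.isdigit():
        if len(f) == 4 and 1900 <= int(f) <= 2030:
            return "year"
        if is_keyboard_walk(f):          # e.g. "12345678"
            return "keyboard_walk"
        return "digits"
    if f.isalpha():
        if is_keyboard_walk(f):          # e.g. "qwerty"
            return "keyboard_walk"
        if f in NAMES:
            return "name"
        if f in PLACES_AND_TEAMS:
            return "place_or_team"
        if f in DICTIONARY_WORDS:
            return "dictionary_word"
        return "alpha_other"
    return "symbols"


def structure(password):
    """Sequence of semantic classes, e.g. 'john1985!' -> 'name+year+symbols'."""
    return "+".join(classify(f) for f in split_fragments(password))


def structure_histogram(passwords):
    """How often each semantic structure occurs across a password set."""
    return Counter(structure(p) for p in passwords)


def guess_number(password, wordlist, years=range(1950, 2031)):
    """1-based index at which a simple two-stage attack produces `password`:
    stage 1 tries each wordlist entry verbatim, stage 2 tries word+year for
    every word and every year. Returns None if the attack never produces it.
    Matching is exact (case-sensitive), so a single appended symbol or a
    capital letter not in the wordlist defeats this naive model."""
    words = list(wordlist)
    for i, w in enumerate(words, start=1):
        if w == password:
            return i
    n_years = len(years)
    for wi, w in enumerate(words):
        for yi, y in enumerate(years):
            if w + str(y) == password:
                return len(words) + wi * n_years + yi + 1
    return None


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:14} {split_fragments(pw)!s:28} {structure(pw)}")
    print(structure_histogram(SAMPLE_PASSWORDS).most_common())
    wl = ["password", "john", "summer", "qwerty"]
    for pw in ["john", "john1985", "qwerty2020", "john1985!"]:
        print(pw, "->", guess_number(pw, wl))
```

The point of the toy guess-number model is the contrast it exposes: "john1985" falls at guess 121 under a wordlist-plus-year strategy, while "john1985!" is never produced, even though a human would call the two passwords equally predictable. Context-aware cracking closes exactly that gap by deriving the candidate fragments (names, years, places, trailing symbols) from what is known about the user rather than from a fixed rule set.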
BibTeX
@article{kanta2021PasswordCracking3Billion,
  author    = {Kanta, Aikaterini and Coray, Sein and Coisel, Iwen and Scanlon, Mark},
  title     = {{How Viable is Password Cracking in Digital Forensic Investigation? Analyzing the Guessability of over 3.9 Billion Real-World Accounts}},
  journal   = {Forensic Science International: Digital Investigation},
  volume    = {37},
  pages     = {301186},
  year      = {2021},
  month     = jul,
  publisher = {Elsevier},
  doi       = {10.1016/j.fsidi.2021.301186},
  url       = {https://www.sciencedirect.com/science/article/pii/S2666281721000949},
  abstract  = {Passwords have been and still remain the most common method of authentication in computer systems. These systems are therefore privileged targets of attackers, and the number of data breaches in the last few years attests to that. A detailed analysis of such data can provide insight on password trends and patterns users follow when they create a password. To this end, this paper presents the largest and most comprehensive analysis of real-world passwords to date – associated with over 3.9 billion accounts from Have I Been Pwned. This analysis includes statistics on use and most common patterns found in passwords and innovates with a breakdown of the constituent fragments that make each password. Furthermore, a classification of these fragments according to their semantic meaning provides insight on the role of context in password selection. Finally, we provide an in-depth analysis on the guessability of these real-world passwords.}
}