
Dispelling myths about secure passwords



Most of the websites we use today rate the strength of the password you choose when creating an account, from "weak" to "strong", and advise you to mix uppercase and lowercase letters with digits to make the password more secure. However good such advice is, it says nothing about how those characters should be arranged, and that arrangement turns out to matter.

As it turns out, almost all of us tend to put the capital letter at the beginning of the password and the digits at the end. This pattern was documented by a group of security researchers at the French research institute Eurecom.

The results of their research, presented at the most recent ACM Computer and Communications Security conference in Denver, show that we do not really understand what a secure password is, and that this misunderstanding is a threat to our privacy.



The programs traditionally used by cyber criminals to guess passwords simply try one combination after another until one matches.

Modern methods, however, are not based on random guessing. Criminals can now train their software on huge password lists (for example, the passwords of 130 million Adobe users stolen in 2013), which reveals the combinations people use most often. This gives them a far more realistic chance of completing an attack successfully.

Building on this premise, the researchers used a program similar to those used by criminals to analyze more than 10 million passwords, with the aim of compiling a list of the passwords that criminals can find most easily.

The report describes several password sets that leaked onto the Internet in the recent past and the sets used in the experiment (Rockyou, containing 32 million passwords, leaked in 2009; Xato, 10 million passwords that appeared on Xato.net in February of this year).

It also describes three models for guessing passwords (three password cracking algorithms):

1) N-grams, i.e. sequences of N elements. The article uses 1-gram, 2-gram, 3-gram and 4-gram models.

2) Probabilistic (stochastic) context-free grammars (PCFGs).

3) The Katz discount model ("backoff").


The figure shows the percentage of passwords guessed (y-axis) as a function of the number of attempts (x-axis), ranging from 2^0 = 1 to 2^80 = 1208925819614629174706176 iterations, for the three models described above. Training is performed on the Xato set and evaluation on the Rockyou set. The further to the right and lower a curve lies, the worse the corresponding model is at finding passwords quickly.


The figure above compares two attack models: probabilistic context-free grammars (PCFGs) and another password guessing method, the dictionary attack, which works from a compiled list of candidate passwords. For this model the specialized dic-0294 dictionary (a list of foreign words) and the so-called Openwall dictionary are used. The results show that they guess passwords less efficiently than PCFGs. Using the Xato training set itself as the dictionary for this method gives the best attack results.


The figure compares the 1-gram, 2-gram, 3-gram and 4-gram attack models.


The figure above compares the PCFG attack model across different training sets (including ones that incorporate the specialized Openwall dictionary).


The figure compares the results of the Katz model across different training sets: Rockyou and Xato, and the same sets with a starting symbol added (the starting symbol is a term specific to the Katz model).


The figure above shows the results of the attack using the Katz model for different sizes of the training set: 0.1% of the full Xato training set, 1%, 10% and the entire Xato set (100%).


The figure shows the results of experiments with the Katz discount model for different password lengths in the training set (upper graph): all passwords, passwords of length >= 8, passwords of length >= 10, passwords of length >= 12; and for different character compositions (lower graph): unrestricted; digits and letters; lowercase letters, uppercase letters and digits; letters, digits and various symbols.

The result of this work was a "predictability index", which the researchers tested on a further 32 million passwords to confirm its effectiveness. According to the results, the least common passwords were the most secure. This means that a password needs to be long and to include symbols as well, not just uppercase and lowercase letters.



From now on, users should aim to create passwords that are not predictable at all, regardless of whether they include digits, uppercase or lowercase letters. The study's authors state that passwords should be made longer, adding a few words if necessary.

This study should help people be more aware of how to create new, secure passwords, which in turn will help them protect their accounts. Although the authors admittedly do not guarantee an ironclad way of creating completely secure passwords, they assure us that the method they describe is still the safest one available at the moment.
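The "predictability index" idea from the study, and the N-gram model listed earlier, are easiest to understand in code. The following is an added example, not code from the article or from the Eurecom researchers: a small add-one-smoothed character N-gram model trained on a constructed list of passwords (standing in for a leaked corpus such as Xato; no real leaked data is used), which scores a candidate by the number of bits of "surprise" it carries under the model, so that a common structure like "Password1" scores as far more predictable than a long multi-word passphrase. The alphabet size, the start/end symbols and the training list are assumptions of this example. It also checks the "capital at the start, digit at the end" pattern mentioned above over the constructed list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample standing in for a leaked corpus (hypothetical, not real leak data).
TRAINING_PASSWORDS = [
    "password", "password1", "Password1", "123456", "qwerty", "letmein",
    "Welcome1", "Summer2015", "iloveyou", "monkey", "abc123", "Princess1",
    "football", "Dragon99", "baseball", "sunshine", "Michael1", "Jessica2",
    "password123", "Admin2014",
]

START = "^"  # start-of-password symbol (the "starting symbol" the Katz model uses)
END = "$"    # end-of-password symbol, so that length itself is modelled


class NGramModel:
    """Character N-gram model with add-one (Laplace) smoothing.

    Used as a password *strength* estimator: the more bits a password
    costs under a model trained on common passwords, the less predictable it is.
    """

    def __init__(self, n, alphabet_size=96):
        # 95 printable ASCII characters plus the END symbol (assumption of this example)
        self.n = n
        self.alphabet_size = alphabet_size
        self.counts = defaultdict(Counter)  # context -> Counter of next characters

    def _pad(self, pw):
        return START * (self.n - 1) + pw + END

    def train(self, passwords):
        for pw in passwords:
            s = self._pad(pw)
            for i in range(self.n - 1, len(s)):
                ctx = s[i - self.n + 1:i]
                self.counts[ctx][s[i]] += 1

    def log2_prob(self, pw):
        s = self._pad(pw)
        total = 0.0
        for i in range(self.n - 1, len(s)):
            ctx = s[i - self.n + 1:i]
            c = self.counts[ctx]
            # Laplace smoothing: unseen characters and contexts get a small non-zero probability
            p = (c[s[i]] + 1) / (sum(c.values()) + self.alphabet_size)
            total += math.log2(p)
        return total

    def predictability_bits(self, pw):
        """Bits of surprise; lower means more predictable (easier to guess)."""
        return -self.log2_prob(pw)


def capital_first_digit_last(pw):
    """The structure the study found almost everyone uses: Capital...digit."""
    return pw[:1].isupper() and pw[-1:].isdigit()


def pattern_fraction(passwords):
    """Fraction of the list following the capital-first, digit-last pattern."""
    return sum(capital_first_digit_last(p) for p in passwords) / len(passwords)


def rank_by_predictability(model, candidates):
    """Most predictable candidate first."""
    return sorted(candidates, key=model.predictability_bits)


if __name__ == "__main__":
    print(f"capital-first/digit-last share: {pattern_fraction(TRAINING_PASSWORDS):.0%}")
    for n in (1, 2, 3):
        m = NGramModel(n)
        m.train(TRAINING_PASSWORDS)
        for pw in ("Password1", "Welcome2", "correct horse battery staple"):
            print(f"{n}-gram  {pw!r:32} {m.predictability_bits(pw):6.1f} bits")
```

The numbers are only comparable within one model and one training set, which is exactly why the study trains on one leak (Xato) and evaluates on another (Rockyou): a model that has seen the test passwords would flatter itself. Note that the score rewards length and unusual transitions, not character classes as such, which is the study's point.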

On the other hand, the researchers point out that technology companies have begun to rely less on passwords as the means of accessing accounts, and are considering alternatives wherever possible. At the same time, new ways of recovering login credentials keep appearing, leaving them less and less protected.

Source: https://habr.com/ru/post/271953/

