The trends in the offline password-guessing field : Offline guessing attack on Swedish real-life passwords / Trenderna inom fältet för offline-gissning av lösenord : Offline-gissningsattack på svenska verkliga lösenord

Zarzour, Yasser, Alchtiwi, Mohamad

January 2023

Password security is one of the most critical aspects of IT security, as password-based authentication is still the primary authentication method. Unfortunately, our passwords are subject to different types of weaknesses and various types of password-guessing attacks. The first objective of this thesis is to provide a general perception of the trends in offline password-guessing tools, methods, and techniques. The study shows that the most cited tools are Hashcat, John the Ripper, Ordered Markov ENumerator (OMEN), and PassGan. Methods are increasingly evolving and becoming more sophisticated by emerging Deep Learning and Neural Networks. Unlike methods and tools, techniques are not subject to significant development, noting that dictionary and rule-based attacks are at the top of used techniques. The second objective of this thesis is to explore to what extent Swedish personal names are used in real-life passwords. Hence, an experiment is conducted for this purpose. The experiment results show that about 26% of Swedish users use their personal names when they create passwords, making them vulnerable to easy guessing by password-guessing tools. Furthermore, a simple analysis of the resulting password recovery file is performed in terms of password length and complexity. The resulting numbers show that more than half of guessed passwords are shorter than eight characters, indicating incompliance with the recommendations from standard organizations. In addition, results show a weak combination of letters, digits, and special characters, indicating that many Swedish users do not maintain sufficient diversity when composing their passwords. This means less password complexity, making passwords an easy target to guess. This study may serve as a quick reference to getting an overview of trends in the password-guessing field. On the other side, the resulting rate of Swedish personal names in Swedish password leaks may draw the attention of active social actors regarding information security to improve password security measures in Sweden. / Lösenordssäkerhet är en av de mest kritiska aspekterna av IT-säkerhet eftersom  lösenordsbaserad autentisering fortfarande är den viktigaste metoden för autentisering. Tyvärr är våra lösenord föremål för olika typer av svagheter och olika typer av lösenordsgissningsattacker. Det första syftet med detta arbete är att ge en allmän uppfattning om trenderna inom verktyg,metoder och tekniker angående offline lösenordsgissning. Studien visar att Hashcat, John the Ripper, Ordered Markov ENumerator OMEN och PassGan är de mest citerade verktygen. Medan metoderna alltmer utvecklas och blir mer sofistikerade genom framväxande “DeepLearning”, och “Neural Networks”. Till skillnad från metoder och verktyg är tekniker inte föremål för stor utveckling, och notera att “dictionary” attacker och “rule-based” attacker är överst bland använda tekniker. Det andra syftet är att utforska i vilken utsträckning svenska personnamn används i verkliga lösenord. Därför genomförs ett experiment för detta ändamål. Resultaten av experimentet visar att cirka 26 % av svenska användare använder sina personnamn när de skapar lösenord, vilket gör lösenord sårbara för enkel gissning med hjälp av lösenordsgissningsverktyg. Dessutom utförs en enkel analys av den resulterande lösenordsåterställningsfilen vad gäller lösenordslängd och komplexitet. De resulterande siffrorna visar att mer än hälften av de gissade lösenorden är kortare än åtta tecken, vilket är en indikation på att de inte följer rekommendationerna från standardorganisationer. Resultaten visar också en svag kombination av bokstäver, siffror och specialtecken vilket indikerar att många svenskar inte upprätthåller tillräcklig variation när de komponerar sina lösenord. Detta innebär mindre lösenordskomplexitet, vilket gör lösenord till ett mål för enkel gissning. Arbetet kan fungera som en snabbreferens för att få en överblick över trender inom lösenordsgissningsfältet. Å andra sidan kan den resulterande andelen svenska personnamn i  svenska lösenordsläckor uppmärksamma de aktiva aktörerna i samhället gällande informationssäkerhet för att förbättra lösenordssäkerhetsåtgärderna i Sverige.

Password security

password-guessing tool

password-guessing method

password-guessing technique

offline attack

Swedish password leak

Lösenordssäkerhet

lösenordsgissningsverktyg

lösenordsgissningsmetoder

lösenordsgissningstekniker

offline attack

svenska lösenordsläckor

Computer Sciences

Datavetenskap (datalogi)

Computer Engineering

Datorteknik

Information Systems

Other Computer and Information Science

Annan data- och informationsvetenskap

Probability Theory and Statistics

Sannolikhetsteori och statistik

Computer Systems

Datorsystem

Sensitivity to Growth over Time in Pre-Post Norm-Referenced Tests

Peters, Wole

02 October 2013

There is very little in the literature about the sensitivity of norm-referenced tests to growth of diverse groups of test takers, particularly low-achieving test takers, who operate at the lowest 15 percentile of their peers. To bridge the knowledge gap, this study examined the sensitivity to growth of norm-referenced achievement tests. The purpose of the study is to determine the sensitivity of norm-referenced test to the growth of low-achieving students in prekindergarten through 12th grade. Four analysis were performed to test eight identified norm-referenced test for their sensitivity to the growth of students who perform at approximately the 15th percentile or below of their grade peers. Results of the analyses suggested that two of the eight tests are adequate for use with low-achieving students within a norm period. The other six tests showed lack of precision and appeared not to be suitable for measuring progress of low -achieving students.

Norm-referenced tests

Pre-post tests

Test sensitivity

Test precision

Guessing floor

Floor of test

Reliable change

obtained score

estimated true score

True Score. Change Score

Growth..

A shoulder-surfing resistant graphical password system

Alesand, Elias, Sterneling, Hanna

January 2017

The focus of this report is to discuss graphical password systems and how they can contribute to handle security problems that threaten authentication processes. One such threat is shoulder-surfing attacks, which are also reviewed in this report. Three already existing systems that are claimed to be shoulder-surfing resilient are described and a new proposed system is presented and evaluated through a user study. Moreover, the system is compared to the mentioned existing systems to further evaluate the usability, memorability and the time it takes to authenticate. The user study shows that test subjects are able to remember their chosen password one week after having registered and signed in once. It is also shown that the average time to sign in to the system after five minutes of practice is within a range of 3.30 to 5.70 seconds. The participants in the experiments gave the system an average score above 68 on the System Usability Scale, which is the score of an average system.

shoulder-surfing

resistant

graphical password system

guessing attacks

graphical passwords

recognition-based

recall-based

pure recall-based

password

security

password space

pictorial superiority effect

brute-force attack

dictionary attack

hot-spots

memorability

graphical components

authentication

Computer Sciences

Datavetenskap (datalogi)

The development and empirical substantiation of Japanese pedagogical materials based on kabuki

Katsumata, Yuriko

21 May 2020

Many researchers (e.g., Nation, 2001, 2015; Schmitt, 2000) have recognized the importance of vocabulary learning in second language (L2) or additional language (AL) acquisition. The strong effects of lexical and background knowledge on L2reading comprehension have similarly been found in various studies (e.g., Hu & Nation, 2000; Rokni & Hajilari, 2013). In the case of Japanese language, the opportunities for acquiring the lexical and background knowledge associated with Japanese history and culture, especially traditional culture, are scant, because only a small number of Japanese pedagogical materials deal minimally with these topics. Meanwhile, many learners are motivated to study Japanese because of their interest in Japanese history and culture, according to a survey conducted by the Japan Foundation in 2012. This project aimed to increase the opportunities for learning Japanese history and traditional culture through the development of new pedagogical materials based on kabuki, and then the empirical evaluation of the developed pedagogical materials. Nine Chinese-as-a-first-language Japanese learners at the upper-intermediate level participated in the nine-week online course, including the pre- and post-course tests in the first and last weeks. Employing a multi-method research approach, the study examined the changes in learners’ lexical and background knowledge related to Japanese history and culture, their reading comprehension, and their interest in kabuki. Four kinds of multiple-choice tests were administered to collect the quantitative data. In addition, the qualitative data were gathered through the pre- and post-course questionnaires and post-course individual interviews. Overall, the findings indicated that almost all participants increased their background knowledge of kabuki, as well as their vocabulary related to kabuki and general theatrical performances. The results in other areas, such as historical vocabulary, vocabulary depth, reading comprehension, and historical background knowledge were mixed. Further, concerning the depth of vocabulary knowledge, it was found that the learning of vocabulary depth was more difficult than learning of vocabulary breadth. Likewise, the knowledge of use, such as collocations and register constraints, was found to be more difficult to learn than other aspects of vocabulary depth. The participants’ reports in the post-course questionnaire and individual interviews showed that most participants seemed to have increased their interest in kabuki. Overall, the first-of-their-kind developed pedagogical materials contributed to the development of lexical and background knowledge, specifically knowledge associated with Japanese traditional culture and history. This study may provide a model for an evidence-based approach to the development of pedagogical materials that practitioners can adopt or adapt. / Graduate

Japanese pedagogical materials

Japanese language study

kabuki

development of the pedagogical materials

vocabulary size

depth of vocabulary knowledge

vocabulary lists

guessing-from-context (inferencing)

word exposure frequency

lexical coverage

reading comprehension

intensive vs. extensive reading

prior knowledge

topic interest

Kanadehon Chushingura

The effective use of multiple-choice questions in assessing scientific calculations

Terblanche, Hester Aletta

02 1900

This study investigated the effective use of online Multiple-Choice Questions (MCQs) with immediate formative feedback, and the granting of partial credit for correct second or third chance answers when assessing and assisting students’ conceptual learning at higher cognitive levels. The research sample comprised first year engineering science students at the Tshwane University of Technology (TUT), Pretoria campus. The differences between using online MCQ-assessment for problem-solving calculations and using constructed written questions (CRQs)1 in the assessment of problem-solving calculations were explored. Furthermore, the differences between the assessment of problem-solving calculations using online MCQs without immediate formative feedback, and with immediate formative feedback and the granting of partial credit were analysed. The findings revealed that students’ marks were lower when answering problem-solving calculations using online MCQs without immediate formative feedback than when answering the same questions using CRQs. This clearly indicates that using online MCQs without immediate formative feedback is not effective in assessing scientific problem-solving calculations. Alternatively, online MCQs proved effective in assessing problem-solving calculations when immediate formative feedback and partial credit were employed. The statistical analysis showed that students performed significantly better when immediate formative feedback was given and partial credit was granted for correct second or third attempts. This was due to online MCQs utilising immediate formative feedback, which made it possible to grant partial credit when students chose the correct answers after feedback. This showed that online MCQs with immediate formative feedback and partial credit being granted can be an effective assessment tool for scientific problem-solving calculations. It increases performance and supports learning from assessment. Students can thus correct their calculations whilst in the process of doing them. / Science and Technology Education / M. Ed. (Science Education)

Multiple-choice questions

MCQs with immediate formative feedback

Guessing in MCQs

Problem-solving calculations

Assessing calculations using MCQs

MCQs in scientific calculations

MCQs at university

Using MCQs to study

MCQs with multiple opportunities

Online MCQs

378.16601309682275