Asserting password crackers ability to target Swedish passwords : An analysis / Lösenordsknäckares förmåga att attackera svenska lösenord

Jensen, Casper

January 2023

In today's digital world, passwords are the keys that unlock our online lives, keeping our social media, financial accounts, and streaming services secure. Unfortunately, this makes password information a prime target for hackers, who can gain access to our entire digital existence. One significant vulnerability is that an individual's language and cultural background often influence password creation. This master's thesis explores the realm of password security by examining the ability of popular password cracking and mangling tools to target passwords created by Swedish speakers. The study compares attacks on passwords created by Swedish speakers to those created by international users. The tools under scrutiny include Probabilistic Context Free Grammar (PCFG), Ordered Markov Enumerator (OMEN), Odinn, and Hashcat. The study also examines a method for measuring the quality of the tools' password guesses. The findings revealed a noteworthy trend: all the tools demonstrated better performance when attacking passwords created by Swedish speakers compared to their international counterparts. PCFG, in particular, was nearly twice as effective against Swedish passwords after just 10,000 guesses, while OMEN outperformed significantly against Swedish targets after 1-5 million guesses. The quality measurements, gauged by the percentage of cracked passwords after specific guess increments of 10,000, 1-5 million, and 1 billion were used to evaluate the effectiveness of the tools. This research highlights the nuanced dynamics of password security, emphasizing the impact of linguistic and cultural factors on the vulnerability of passwords.

cyber security

passwords

it-security

swedish passwords

Engineering and Technology

Teknik och teknologier

Data Protection and Data Elimination

Budd, Chris

10 1900

ITC/USA 2015 Conference Proceedings / The Fifty-First Annual International Telemetering Conference and Technical Exhibition / October 26-29, 2015 / Bally's Hotel & Convention Center, Las Vegas, NV / Data security is becoming increasingly important in all areas of storage. The news services frequently have stories about lost or stolen storage devices and the panic it causes. Data security in an SSD usually involves two components: data protection and data elimination. Data protection includes passwords to protect against unauthorized access and encryption to protect against recovering data from the flash chips. Data elimination includes erasing the encryption key and erasing the flash. Telemetry applications frequently add requirements such as write protection, external erase triggers, and overwriting the flash after the erase. This presentation will review these data security features.

SSD

data protection

passwords

encryption

SED

data elimination

erase

sanitization

A secure one-use dynamic backdoor password system based on public key cryptography.

January 2002

Yu Haitao. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2002. / Includes bibliographical references (leaves 71). / Abstracts in English and Chinese. / Chapter Chapter 1. --- Introduction --- p.1 / Chapter 1.1 --- Introduction --- p.1 / Chapter 1.2 --- Thesis organization --- p.6 / Chapter Chapter 2. --- Conventional password authentication and backdoor password schemes --- p.7 / Chapter 2.1 --- Password and password authentication --- p.7 / Chapter 2.1.1 --- Introduction to password and its security problems --- p.7 / Chapter 2.1.2 --- Front-door passwords vs. backdoor passwords --- p.8 / Chapter 2.1.3 --- Dynamic passwords vs. static passwords --- p.9 / Chapter 2.2 --- Forgotten-password problem --- p.10 / Chapter Chapter 3. --- Introduction to Cryptography --- p.12 / Chapter 3.1 --- Introduction to information security --- p.12 / Chapter 3.2 --- Conventional cryptography --- p.16 / Chapter 3.3 --- Public-key cryptography --- p.21 / Chapter 3.4 --- RSA cryptosystem --- p.24 / Chapter 3.5 --- One-way function --- p.27 / Chapter 3.6 --- Digital signature --- p.30 / Chapter 3.7 --- Secret sharing --- p.34 / Chapter 3.8 --- Zero-knowledge proof --- p.34 / Chapter 3.9 --- Key management --- p.36 / Chapter 3.9.1 --- Key distribution in conventional cryptography --- p.36 / Chapter 3.9.2 --- Distribution of public keys --- p.39 / Chapter Chapter 4. --- A secure one-use dynamic backdoor password system based on Public Key Cryptography --- p.42 / Chapter 4.1 --- System objectives --- p.42 / Chapter 4.2 --- Simple system and analysis --- p.45 / Chapter 4.2.1 --- System diagram --- p.45 / Chapter 4.2.2 --- System protocol --- p.46 / Chapter 4.2.3 --- Applied technologies --- p.50 / Chapter 4.2.4 --- System security analysis --- p.52 / Chapter 4.3 --- Multi-user system and analysis --- p.55 / Chapter 4.3.1 --- Modification to the system diagram --- p.56 / Chapter 4.3.2 --- Modification to the system protocol --- p.57 / Chapter 4.3.3 --- System analysis for multi-user system --- p.64 / Chapter 4.4 --- Applicable modes and analysis --- p.66 / Chapter 4.5 --- Conclusion --- p.68 / Chapter Chapter 5. --- Conclusion --- p.69 / Bibliography --- p.71 / Appendix --- p.72 / Chapter A. --- Algorithm of MD5 --- p.72 / Chapter B. --- Algorithm of DSA --- p.76 / Chapter C. --- Algorithm of RSA --- p.79

Public key cryptography

Computers--Access control--Passwords

Computer security

Authentication

Lip motion tracking and analysis with application to lip-password based speaker verification

Liu, Xin

01 January 2013

No description available.

Access control

Computers

Lipreading

Lips

Passwords

Speech perception

Alleviating Insider Threats: Mitigation Strategies and Detection Techniques

Jenkins, Jeffrey Lyne

January 2013

Insider threats--trusted members of an organization who compromise security--are considered the greatest security threat to organizations. Because of ignorance, negligence, or malicious intent, insider threats may cause security breaches resulting in substantial damages to organizations and even society. This research helps alleviate the insider threat through developing mitigation strategies and detection techniques in three studies. Study 1 examines how security controls--specifically depth-of-authentication and training recency--alleviate non-malicious insider threats through encouraging secure behavior (i.e., compliance with an organization's security policy). I found that `simpler is better' when implementing security controls, the effects of training diminish rapidly, and intentions are poor predictors of actual secure behavior. Extending Study 1's finding on training recency, Study 2 explains how different types of training alleviate non-malicious insider threat activities. I found that just-in-time reminders are more effective than traditional training programs in improving secure behavior, and again that intentions are not an adequate predictor of actual secure behavior. Both Study 1 and Study 2 introduce effective mitigation strategies for alleviating the non-malicious insider threat; however, they have limited utility when an insider threat has malicious intention, or deliberate intentions to damage the organization. To address this limitation, Study 3 conducts research to develop a tool for detecting malicious insider threats. The tool monitors mouse movements during an insider threat screening survey to detect when respondents are being deceptive. I found that mouse movements are diagnostic of deception. Future research directions are discussed to integrate and extend the findings presented in this dissertation to develop a behavioral information security framework for alleviating both the non-malicious and malicious insider threats in organizations.

Information Systems

Insider Threat

Mouse Movements

Passwords

Security

Management

Experiment

Graphical one-time password authentication

Alsaiari, Hussain

January 2016

Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords appears difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. One-Time Passwords (OTPs) aim to overcome such problems; however, most implemented OTP techniques require special hardware, which not only adds costs, but also raises issues regarding availability. This type of authentication mechanism is mostly adopted by online banking systems to secure their clients’ accounts. However, carrying around authentication tokens was found to be an inconvenient experience for many customers. Not only the inconvenience, but if the token was unavailable, for any reason, this would prevent customers from accessing their accounts securely. In contrast, there is the potential to use graphical passwords as an alternative authentication mechanism designed to aid memorability and ease of use. The idea of this research is to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. A new multi-level user-authentication solution known as: Graphical One-Time Password (GOTPass) was proposed and empirically evaluated in terms of usability and security aspects. The usability experiment was conducted during three separate sessions, which took place over five weeks, to assess the efficiency, effectiveness, memorability and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Eighty-one participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 seconds. With regard to the security evaluation, the research simulated three common types of graphical password attacks (guessing, intersection, and shoulder-surfing). The participants’ task was to act as attackers to try to break into the system. The GOTPass scheme showed a high resistance capability against the attacks, as only 3.3% of the 690 total attempts succeeded in compromising the system.

005.8

Corinda: heurísticas concorrentes para quebra de senhas / Corinda: concurrent heuristics for password cracking

Rodrigues, Bernardo Araujo

27 August 2018

Submitted by Luciana Ferreira (lucgeral@gmail.com) on 2018-10-01T15:53:01Z No. of bitstreams: 2 Dissertação - Bernardo Araujo Rodrigues - 2018.pdf: 3067186 bytes, checksum: 3e1e3581eaee095c176a4e930796f9cd (MD5) license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5) / Approved for entry into archive by Luciana Ferreira (lucgeral@gmail.com) on 2018-10-02T11:43:06Z (GMT) No. of bitstreams: 2 Dissertação - Bernardo Araujo Rodrigues - 2018.pdf: 3067186 bytes, checksum: 3e1e3581eaee095c176a4e930796f9cd (MD5) license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5) / Made available in DSpace on 2018-10-02T11:43:06Z (GMT). No. of bitstreams: 2 Dissertação - Bernardo Araujo Rodrigues - 2018.pdf: 3067186 bytes, checksum: 3e1e3581eaee095c176a4e930796f9cd (MD5) license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5) Previous issue date: 2018-08-27 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - CAPES / This work proposes the development of a software with the purpose of cracking passwords based on concurrent heuristic algorithms, first order model theory and statistical inference. The proposed methodology is developed on the Go programming language, with focus on communicating sequential processes. The software uses concurrent heuristic algorithms based on statistical patterns derived from sample sets to perform password cracking. Distinct statistical distributions are detected on sample sets. The software is able to crack significant portions of three diferente password sets in short periods of time. It is concluded that concurrent heuristic algorithms are a viable alternative to perform Central Processing Unit password cracking and can be used to raise awareness amonsgt users about the importance of high entropy passwords and digital privacy. / Propõe-se neste trabalho o desenvolvimento de software para quebra de senhas baseado em algoritmos heurísticos concorrentes, teoria dos modelos de primeira ordem e inferência estatística. A metodologia proposta é desenvolvida na linguagem de programação Go, que possui foco em processos sequenciais comunicantes. O software utiliza algoritmos heurísticos concorrentes criados a partir de padrões estatísticos identificados em conjuntos de amostras para realizar quebra de senhas. O software é capaz de quebrar porções significativas de três diferentes conjuntos de senhas em curto período de tempo. Conclui-se que heurísticas concorrentes são alternativa viável para realizar a quebra de senhas em Unidades Centrais de Processamento, podendo ser utilizada para conscientizar usuários sobre a importância de senhas de alta entropia e privacidade digital.

Senhas

Segurança da informação

Passwords

Information security

Single sign-on in heterogeneous computer environments

Louwrens, Cecil Petrus

05 September 2012

M.Sc. / The aim of this dissertation (referred to as thesis in the rest of the document) is to investigate the concept of Single Sign-on (SSO) in heterogeneous computing environments and to provide guidelines and reference frameworks for the selection and successful implementation of SSO solutions. In doing so. it also provides an overview of the basic types of SSO, Secure Single Sign-on (SSSO) solutions, enabling technologies, as well as products currently available. Chapter 1 introduces the sign-on problem, the purpose and organization of the thesis and terminology and abbreviations used. The crux of the sign-on problem is that users are required to sign on to multiple systems, developed at different times and based on different technologies, each with its own set of signon procedures and passwords. This inevitably leads to frustration, loss of productivity and weakened security. Users frequently resort to writing down passwords or using trivial password that can easily be guessed. In Chapter 2 the concepts of Single Sign-on and a special subset of SSO, Secure Single Sign-on are defined. Five types of SSO solutions are identified, namely: Synchronization, Scripting, Proxies and Trusted Hosts. Trusted Authentication Server and Hybrid solutions. Of the available types of solutions, only Trusted Authentication Server and Hybrid solutions can provide Secure Single Sign-on if properly implemented. The security services for SSSO are identified as authentication, authorization, integrity, confidentiality, non-repudiation, security management and cryptographic services. Additional SSSO concepts, as well as the vulnerabilities, obstacles and pitfalls to introducing SSO solutions are discussed. Chapter 3 provides an overview of the most important SSO enabling technologies. The following technologies are discussed: OSF DCE, SESAME, Kerberos, DSSA/SPX, TESS, NetSp, Secure Tokens, GSS-API and Public key Cryptography. Chapter 4 discusses the Open Software Foundation's (OSF) Distributed Computing Environment (DCE). OSF DCE is one of the two open standards for distributed processing which are having a major influence on the development of single sign-on solutions and forms the basis of many existing SSO products. DCE is not a SSO product. but consists of specifications and software. The goal of DCE is to turn a computer network into a single, coherent computing engine. It is considered to be one of the fundamental building blocks for SSO solutions in the future. In Chapter 5 SESAME is discussed in some detail as another major enabling technology for SSO. Secure European System for Applications in a Multi-vendor Environment (SESAME) is an architecture that implements a model for the provision of security services within open systems developed by the European Computer Manufacturers Association (ECMA). The architecture was developed and implemented on a trial basis, by Bull, ICL and Siemens-Nixdorf in an initiative supported by the European Commission. Chapter 6 presents a list of 49 commercial SSO products currently available, classified according to the type of SSO solution. A few representative products are discussed in more detail to give an indication what functionality a prospective buyer could expect. The 'Ideal Single Sign-on' solution is presented in Chapter 7. Detailed requirements are listed. These requirements are uniquely identified by a code and classified as essential or recommended functionality required. Chapter 8 assimilates the information in the previous chapters into a structured evaluation, selection and implementation plan for SSO solutions, consisting of nine separate phases. It also proposes a reference framework for the evaluation and selection process. Chapter 9 concludes the thesis. Findings and conclusions are summarized as to the importance and impact of Single Sign-on as well as the expected future directions to be expected. In addition, recommendations for the future implementation of SSO and SSSO solutions in heterogeneous computing environments are made.

Computers - Access control.

Computers - Access control - Passwords.

Single sign-on.

A tree grammar-based visual password scheme

Okundaye, Benjamin

January 2016

A thesis submitted to the Faculty of Science, University of the Witwatersrand, Johannesburg, in fulfilment of the requirements for the degree of Doctor of Philosophy. Johannesburg, August 31, 2015. / Visual password schemes can be considered as an alternative to alphanumeric passwords. Studies have shown that alphanumeric passwords can, amongst others, be eavesdropped, shoulder surfed, or guessed, and are susceptible to brute force automated attacks. Visual password schemes use images, in place of alphanumeric characters, for authentication. For example, users of visual password schemes either select images (Cognometric) or points on an image (Locimetric) or attempt to redraw their password image (Drawmetric), in order to gain authentication. Visual passwords are limited by the so-called password space, i.e., by the size of the alphabet from which users can draw to create a password and by susceptibility to stealing of passimages by someone looking over your shoulders, referred to as shoulder surfing in the literature. The use of automatically generated highly similar abstract images defeats shoulder surfing and means that an almost unlimited pool of images is available for use in a visual password scheme, thus also overcoming the issue of limited potential password space. This research investigated visual password schemes. In particular, this study looked at the possibility of using tree picture grammars to generate abstract graphics for use in a visual password scheme. In this work, we also took a look at how humans determine similarity of abstract computer generated images, referred to as perceptual similarity in the literature. We drew on the psychological idea of similarity and matched that as closely as possible with a mathematical measure of image similarity, using Content Based Image Retrieval (CBIR) and tree edit distance measures. To this end, an online similarity survey was conducted with respondents ordering answer images in order of similarity to question images, involving 661 respondents and 50 images. The survey images were also compared with eight, state of the art, computer based similarity measures to determine how closely they model perceptual similarity. Since all the images were generated with tree grammars, the most popular measure of tree similarity, the tree edit distance, was also used to compare the images. Eight different types of tree edit distance measures were used in order to cover the broad range of tree edit distance and tree edit distance approximation methods. All the computer based similarity methods were then correlated with the online similarity survey results, to determine which ones more closely model perceptual similarity. The results were then analysed in the light of some modern psychological theories of perceptual similarity. This work represents a novel approach to the Passfaces type of visual password schemes using dynamically generated pass-images and their highly similar distractors, instead of static pictures stored in an online database. The results of the online survey were then accurately modelled using the most suitable tree edit distance measure, in order to automate the determination of similarity of our generated distractor images. The information gathered from our various experiments was then used in the design of a prototype visual password scheme. The generated images were similar, but not identical, in order to defeat shoulder surfing. This approach overcomes the following problems with this category of visual password schemes: shoulder surfing, bias in image selection, selection of easy to guess pictures and infrastructural limitations like large picture databases, network speed and database security issues. The resulting prototype developed is highly secure, resilient to shoulder surfing and easy for humans to use, and overcomes the aforementioned limitations in this category of visual password schemes.

Content-based image retrieval.

Pattern recognition systems.

Password-authenticated two-party key exchange with long-term security

Unknown Date

In the design of two-party key exchange it is common to rely on a Die-Hellman type hardness assumption in connection with elliptic curves. Unlike the case of nite elds, breaking multiple instances of the underlying hardness assumption is here considered substantially more expensive than breaking a single instance. Prominent protocols such as SPEKE [12] or J-PAKE [8, 9, 10] do not exploit this, and here we propose a password-authenticated key establishment where the security builds on the intractability of solving a specied number of instances v of the underlying computational problem. Such a design strategy seems particularly interesting when aiming at long-term security guarantees for a protocol, where expensive special purpose equipment might become available to an adversary. In this thesis, we give one protocol for the special case when v = 1 in the random oracle model, then we provide the generalized protocol in the random oracle model and a variant of the generalized protocol in the standard model for v being a polynomial of the security parameter `. / by WeiZheng Gao. / Thesis (Ph.D.)--Florida Atlantic University, 2012. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 2012. Mode of access: World Wide Web.

Data encryption (Computer science)

Computer networks (Security measures)

Software protection

Computers--Access control--Passwords