Investigating the Distribution of Password Choices David Malone and Kevin Maher,
advertisement
Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a list of passwords. 2. Assess the probability that each was used. 3. Guess from most likely to least likely. A dictionary attack, but with optimal ordering. (Applies to computers and keys too.) How long will that take? If we knew probability Pi of i th password. Rank the passwords from 1 (most likely) to N (least likely). Average number of guesses is: G= N X iPi . i =1 Note, not the same as Entropy (Massey ’94, Arikan ’96). Does this Pi really make sense? Is there a distribution with which passwords are chosen? Outline • Is there password distribution? Is knowing it better than a crude guess? • Are there any general features? Do different user groups behave in a similar way? • Some distributions better than others. Can we help users make better decisions? Getting data Want a collection of passwords to study distribution. Asked Yahoo, Google. • ... Crackers eventually obliged. • 2006: flirtlife, 98930 users, 43936 passwords, 0.44. • 2009: hotmail, 7300 users, 6670 passwords, 0.91. • 2009: computerbits, 1795 users, 1656 passwords, 0.92. • 2009: rockyou, 32603043 users, 14344386 passwords, 0.44. Good: cleartext! Bad: Had to clean up data. Top Ten Rank 1 2 3 4 5 6 7 8 9 10 hotmail 123456 123456789 111111 12345678 tequiero 000000 alejandro sebastian estrella 1234567 #users 48 15 10 9 8 7 7 6 6 6 flirtlife 123456 ficken 12345 hallo 123456789 schatz 12345678 daniel 1234 askim #users 1432 407 365 348 258 230 223 185 175 171 computerbits password computerbits 123456 dublin letmein qwerty ireland 1234567 liverpool munster (c.f. Imperva analysis of Rockyou data, 2010) #users 20 10 7 6 5 4 4 3 3 3 rockyou 123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123 #users 290729 79076 76789 59462 49952 33291 21725 20901 20553 16648 Distribution? 100 10000 least squares s=0.44 least squares s=0.69 1000 Frequency Frequency 10 100 10 1 1 0.1 0.1 1 10 100 Rank (binned) 1000 10000 1 10 hotmail 100 100 1000 Rank (binned) 10000 100000 flirtlife 1e+06 least squares s=0.45 least squares s=0.78 100000 10000 Frequency Frequency 10 1 1000 100 10 1 0.1 0.1 1 10 100 Rank (binned) computerbits 1000 10000 1 10 100 1000 100001000001e+06 1e+07 1e+08 Rank (binned) rockyou Zipf ? • A straight line on a log-log plot points towards heavy tail. • Zipf? Pr ∝ 1 rs • Slope gives s. • Can check p-values (Clauset ’09). • s is small, less than 1. Guesswork Predictions 3500 3000 25000 Uniform model Guesswork Real data Guesswork Zipf model Guesswork Uniform model 0.85 Guesswork Real data 0.85 Guesswork Zipf model 0.85 Guesswork 20000 Uniform model Guesswork Real data Guesswork Zipf model Guesswork Uniform model 0.85 Guesswork Real data 0.85 Guesswork Zipf model 0.85 Guesswork 2000 Guesses Guesses 2500 1500 15000 10000 1000 5000 500 0 0 hotmail 900 800 700 flirtlife 8e+06 Uniform model Guesswork Real data Guesswork Zipf model Guesswork Uniform model 0.85 Guesswork Real data 0.85 Guesswork Zipf model 0.85 Guesswork 7e+06 6e+06 Uniform model Guesswork Real data Guesswork Zipf model Guesswork Uniform model 0.85 Guesswork Real data 0.85 Guesswork Zipf model 0.85 Guesswork 600 Guesses Guesses 5e+06 500 400 4e+06 3e+06 300 2e+06 200 100 1e+06 0 0 computerbits rockyou Who cares? • Algorithm Design — exploit heavy tail? • Can we get close to optimal dictionary attack? • Can we make dictionary attack less effective? 2 and 3 answer questions about common behavior and helping users. Dictionary Attack Suppose we use one dataset as a dictionary to attack another. users 1e+03 1e-01 1e+02 1e-02 1e+01 optimal guessing guesses from rockyou guesses from flirtlife guesses from computerbits 40% 1e-03 1e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 1e+06 1e+07 1e+08 guesses hotmail probability / fraction of users 1e+00 1e-01 1e+02 1e-02 1e+01 optimal guessing guesses from rockyou guesses from flirtlife guesses from computerbits 40% 1e-03 1e+05 1e+00 1e+04 1e-01 1e+03 1e-02 1e+02 1e-03 users users 1e+03 probability / fraction of users 1e+00 1e+01 1e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 1e+06 1e+07 1e+08 guesses optimal guessing guesses from rockyou guesses from hotmail guesses from computerbits 40% probability / fraction of users Dictionary Attack — Same Story 1e-04 1e+00 1e-05 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 1e+06 1e+07 1e+08 guesses hotmail flirtlife 1e+00 1e+00 1e+07 1e+03 1e-01 1e+01 optimal guessing guesses from rockyou guesses from flirtlife guesses from hotmail 40% 1e-04 1e+03 1e-05 1e+02 1e+01 1e-03 1e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 1e+06 1e+07 1e+08 guesses computerbits 1e-03 1e+04 optimal guessing guesses from flirtlife guesses from hotmail guesses from computerbits 40% 1e-06 1e-07 1e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 1e+06 1e+07 1e+08 guesses rockyou probability / fraction of users users 1e-02 1e-02 1e+05 users 1e-01 1e+02 probability / fraction of users 1e+06 Dictionary Attack Gawker December 2010, Gawker, 748090 DES Hashes, well salted. 1e+00 1e+05 users 1e+04 1e-02 1e+03 1e-03 1e+02 1e+01 1e-04 guesses from rockyou guesses from flirtlife guesses from hotmail guesses from computerbits guesses from dictionary 40% 1e-05 1e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 1e+06 1e+07 1e+08 guesses Results in paper for % passwords. Dell’Amico’10 review smart generators. This looks ×10! probability / fraction of users 1e-01 Helping Users If users select passwords ‘randomly’, can we make them a better generator? • Banned list (e.g. twitter), • Password rules (e.g. numbers and letters). • Act like a cracker (e.g. cracklib), • Cap peak of password distribution (e.g. Schechter’10), • Aim for uniform? Metropolis-Hastings algorithm takes bad random number generator and makes it good. Metropolis-Hastings for Uniform Passwords Keep a frequency table F (x) for requests to use password x. 1. Uniformly choose x from all previously seen passwords. 2. Ask user for a new password x ′ . 3. Generate a uniform real number u in the range [0, F (x ′ )] and then increment F (x ′ ). If u ≤ F (x) go to step 4 (accept), otherwise return to step 2 (reject). 4. Accept use of x ′ as password. How does it do? 10000 First Choice Metropolis-Hastings Scheme Hard limit 1/1000000 Frequency 1000 100 10 1 1 10 100 1000 Rank 10000 100000 1e+06 Rockyou-based test, 1000000 users, mean tries 1.28, variance 0.61. Could be implemented using min-count sketch. Doesn’t store actual use frequencies. No parameters, aims to flatten whole distribution. Conclusions • Idea of distribution of password choices seems useful. • Zipf is OK, but not perfect match. • Different user groups have a lot in common (not peak). • Dictionaries not great for dictionary attacks. • Treat users as random password generators? • Future: Generalise beyond web passwords? • Future: Field test of Metropolis-Hastings? • Future: What does optimal banned list look like? From Reviews • So much cool literature from (at least) 1979–2012. • In security, passwords are the gift that keeps on giving.
