
CN111786796B - Password Strength Evaluation Method Based on Password Reuse, Character Jump and Separation - Google Patents


Info

Publication number: CN111786796B
Application number: CN202010625153.0A
Authority: CN (China)
Prior art keywords: password, character, probability, user, basic
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111786796A (en)
Inventors: 董奇颖, 贾春福, 汪定, 单轩, 洪淑弘, 段非
Current assignee: Nankai University
Original assignee: Nankai University
Events: application filed by Nankai University; priority to CN202010625153.0A; publication of CN111786796A; application granted; publication of CN111786796B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A password strength evaluation method based on password reuse, character jumping and separation, belonging to the technical field of information security. The steps include: selecting a password set that matches the scenario and constructing a character conversion dictionary and a password structure dictionary with a fuzzy matching algorithm; restoring the password entered by the user to basic character fragments while recording the character conversions and the password structure; computing the construction probability of the basic character fragments with a neural network, looking up the probabilities of the character conversions and of the password structure in the dictionaries, and multiplying the probabilities to obtain the construction probability of the password; feeding back to the user the absolute strength and relative strength of the password together with candidate passwords that are similar to the user's password but sufficiently secure. The invention summarizes users' password reuse features as capitalization conversion, character jumping and separation. A neural network combined with a fuzzy matching algorithm evaluates password strength more accurately and robustly. Through the relative strength, users learn how strong their password is relative to other users' passwords, and can choose a more secure yet memorable password from the candidates.

Description

Password strength evaluation method based on password reuse, character jump and separation
Technical Field
The invention belongs to the technical field of information security, relates to the field of password security authentication, and more particularly relates to a password strength evaluation method.
Background
Passwords are currently the most widely used form of identity authentication and the first line of defense for the security of information systems and the privacy of users. For ease of memorization, many users set weak passwords that are easy to guess, or reuse passwords across multiple websites, which creates serious security risks for both the website and the user.
To protect the security of the system and its users, mainstream internet service providers feed back password strength to the user through a password strength meter (PSM) when the user registers for a service or changes a password. Only a PSM that feeds back password strength accurately can noticeably improve the strength of users' passwords and thereby protect the security of user accounts.
However, the various PSMs in wide use today often give inaccurate and misleading feedback, and the evaluation results of different websites conflict strongly, so the claimed security is hard to guarantee. Inaccurate strength feedback leads users to believe that appending a digit or special character, or simply capitalizing the first letter, turns an originally weak password into a strong one. Such PSMs fall far behind the true capability of current attackers and do not help users increase password strength. Scholars have therefore proposed designing PSMs according to attack difficulty, and PSMs based on attack algorithms such as Markov[5], PCFG[6], RNN[9] and fuzzyPSM[4] have emerged. Unfortunately, except for fuzzyPSM[4], the existing attack-algorithm-based PSMs assume by default that the user's password is constructed from scratch, which clearly does not match users' actual password habits.
There is therefore a need to feed back accurate password strength to the user while fully taking the user's password reuse behaviour into account.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a password strength evaluation method based on password reuse, character jump and separation. The purpose of the invention is achieved by the following technical scheme:
1. a password strength evaluation method based on password reuse, character jump and separation is composed of a dictionary construction module, a password preprocessing module, a probability calculation module and a strength feedback module, and specifically comprises the following steps:
A. in a dictionary construction module, selecting a password set S matched with the service type as a training set, constructing a character conversion dictionary and a password structure dictionary through a fuzzy matching algorithm, and specifically executing the following operations:
A1. counting the frequency of occurrence of each capital letter and the basic character in S, and calculating the probability of converting the lower case letters into the capital letters and the probability of keeping the basic character unchanged;
A2. converting the capital letters contained in each password in S into the corresponding lowercase letters to obtain a new data set S_lower;
A3. according to character composition, partitioning S_lower into two sub-datasets: the set S_match, composed of strings that contain only basic characters and occur with frequency ≥ 10, and the set S_special, composed of strings that contain special characters;
A4. after setting an appropriate confidence CR, executing the fuzzy matching algorithm, which comprises the following steps:
selecting a string str1 in S_special, extracting from S_match the strings str2 whose length satisfies len(str2) ≤ len(str1), and constructing the set S_match′ to be matched;
matching str1 against each str2 in S_match′, i.e. comparing str1 with str2 character by character; if the basic characters in str1 cannot be placed in one-to-one correspondence with those in str2, the match is considered failed, str1 is shifted left by one character, and matching against str2 is retried; if a special character in str1 corresponds to a basic character in str2, the match is considered tentatively successful;
for a tentatively matched str1 and str2, calculating the matching rate MR to judge whether the fuzzy match succeeds, and thus whether the corresponding special character was obtained by jumping from a basic character. If
$$\mathrm{MR} = \frac{count}{len(str2)} < CR$$
(count being the number of successfully matched characters), the fuzzy match between str1 and str2 is considered failed and the corresponding special character in str1 is a separator; otherwise the fuzzy match between str1 and str2 is considered successful and the special character in str1 was obtained by jumping from the corresponding basic character in str2;
A5. regarding the special characters whose fuzzy matching succeeded as obtained by jumping from basic characters, 'reverse-jumping' them into the corresponding basic characters, and expressing the password in the format of the regular expression [^B?(S_nB)*S_n?$], where B denotes a basic character and S_n a special string of length n that is regarded as a separator;
A6. recording all the conditions of capitalization conversion, character jumping and character separation and storing the corresponding probability in a character conversion dictionary; recording all the presented password structures, and calculating corresponding probability to store in a password structure dictionary;
B. in the password preprocessing module, the password input by the user is restored into a basic password segment and the conversion type and the password structure are recorded, and the following operations are specifically executed:
B1. converting capital letters in the user password into corresponding lower case letters, and recording the conversion;
B2. using the algorithm described in A4, fuzzy-matching the converted password against the S_match constructed in A3; 'reverse-jumping' the successfully matched special characters to their basic characters, and recording the password structure and the jump conversions;
B3. cutting the password into a plurality of basic character segments by taking the special character with the failure fuzzy matching as a separator, and recording the special character as the separator at the moment;
C. in the probability calculation module, the construction probability of the basic password segments is calculated by a neural network and combined with the password structure probability and the character conversion probabilities recorded in the dictionaries to obtain the construction probability of the user's password; the following operations are executed:
C1. training an LSTM with the S_match constructed in A3, taking the basic character segments obtained in B3 as the input of the LSTM, and calculating the corresponding construction probability of each basic character segment;
C2. looking up the capitalization transformation probability recorded in B1, the character jump probability recorded in B2 and the character separation probability recorded in B3 in a character transformation dictionary constructed by A6;
C3. looking up the password structure corresponding probability recorded by B2 in a password structure dictionary constructed by A6;
C4. multiplying the probabilities to obtain the construction probability of the password input by the user;
D. in the strength feedback module, the absolute strength and the relative strength of the password are fed back to the user, and meanwhile, the user is provided with a candidate password which is similar to the input password but is safer, and the following operations are specifically executed:
D1. the password construction probability calculated by C4 is used as the absolute strength of the password and is fed back to the user;
D2. calculating the difference between the password construction probability obtained by C4 and the benchmarking password construction probability, and feeding back the difference as the relative strength of the password to the user;
D3. based on the character conversion dictionary constructed by A6, randomly selecting a conversion condition, and modifying the user password so as to generate a plurality of safer candidate passwords for the user to select;
Further, in the above scheme, through step A the invention generalizes the user's password reuse behavior into three types, namely capitalization conversion, special character jumping and special character separation, and calculates their probabilities respectively.
Further, in the above scheme, through step B the invention restores the user's password reuse process and divides the user password into several basic character segments.
Further, in the above scheme, through step C the invention multiplies the probabilities of the basic character segments calculated by the LSTM, the probabilities of the conversion types looked up in the dictionary, and the probability corresponding to the password structure, finally obtaining the construction probability of the password entered by the user.
Further, in the above scheme, through step D the invention uses the benchmark passwords to show the user the relative strength of the password, and at the same time generates in a few simple steps candidate passwords that are similar to the password entered by the user but sufficiently secure, for the user to choose from.
The invention has the advantages and beneficial effects that:
(1) the invention summarizes the user password reuse behavior into three conditions of capitalization transformation, character jump and separation, designs a fuzzy matching algorithm and can accurately give the corresponding probability of various conversion conditions. Through a fuzzy matching algorithm, the invention overcomes the defects of lack of important conversion, lack of probability calculation and the like in the prior scheme.
(2) The invention uses an LSTM to calculate the construction probability of the basic character strings and a fuzzy matching algorithm to calculate the probabilities of the special characters and the password structure, so it strikes a good balance between the accuracy of strength evaluation and running efficiency. Experimental results show that, for passwords of medium strength (guess number ≥ 10^10), the coverage rate obtained by this method is on average 18.9% higher than that of fuzzyPSM[4], the best-performing scheme under the same experimental environment, 16.9% higher than that of the order-3 Markov model[5], and 6.1% higher than that of the RNN[9]. Meanwhile, compared with other PSM algorithm models, the robustness of the invention is also the best.
(3) The invention provides the absolute password strength to the user and at the same time feeds back the relative strength of the user's password using four benchmark passwords, so the user can fully understand the strength of the password relative to other users' passwords. The invention also generates, in a few steps, candidate passwords that are similar to the user's password but sufficiently secure, helping the user construct a safer password. Taking into account differences in service type, economic value, password policy and so on, the invention further provides a parameter-setting method for different scenarios.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below. The drawings in the following description are only some embodiments of the invention, and other drawings can be derived from them by a person skilled in the art without inventive exercise.
FIG. 1 is the overall module composition of the password strength evaluation method of the present invention;
FIG. 2 is the overall flow design of the password strength evaluation method of the present invention;
FIG. 3 is an exploded view of a password pre-processing module flow;
FIG. 4 is an example of preprocessing the password P@ssword####12;
FIG. 5 is a schematic flow diagram of a probability calculation module;
FIG. 6 is an exploded view of the intensity feedback module flow.
Detailed Description
The invention is described in detail below with reference to the accompanying drawings so that the advantages and features of the invention will be more readily understood by those skilled in the art, and the scope of the invention will be clearly and clearly defined.
The embodiments of the present invention will be better understood by those skilled in the art with reference to the following explanation of concepts and terms used throughout the specification.
Password reuse: with the increase of the number of accounts, in order to reduce the memory burden, when setting the password, the user can directly use the old password or simply modify the old password to obtain a new password, and the behavior is called password reuse.
Basic character: lower case letters and numbers for constructing passwords.
Special characters: the ASCII characters other than lower case letters, upper case letters and digits that are used to construct passwords.
Jumping: when constructing a password, users often replace some basic characters with special characters that are similar in shape or pronunciation to the original character; this replacement is called jumping. Conversely, restoring a special character obtained by jumping to the corresponding basic character is called 'reverse jumping'.
Separation: in constructing passwords, many users choose to add special characters before, between, or after the semantic string, which often act as separators.
Guessing number: the guess number C_α of any password α can be obtained from $C_\alpha = |\{\beta \in \Gamma : R(\beta) < R(\alpha)\}|$, where Γ is the guess set generated by the PSM's built-in algorithm and R(β) is the rank of β in Γ.
Online guessing attack: a password attack that requires interaction with the server to be carried out.
Offline guessing attack: a password attack that can be carried out without interacting with the server.
Breadth-first off-line guessing attack: an attacker conducts an offline guessing attack in order to break as many user passwords as possible.
Coverage rate: a guess set of a given size is generated with the PSM's built-in password attack algorithm; the fraction of the test set's passwords covered by this guess set is the coverage rate.
Monte Carlo method (Monte Carlo): Dell'Amico and Filippone[7] designed the Monte Carlo method to estimate password guess numbers. The method requires each PSM built-in algorithm under test to generate a sample password set Θ of size n in which the probability of sampling a password β equals its construction probability P(β). The guess number C_α of any password α is then
$$C_\alpha = \frac{1}{n} \sum_{\beta \in \Theta,\; P(\beta) \ge P(\alpha)} \frac{1}{P(\beta)}$$
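The two guess-number definitions above (the rank-based C_α over a guess set Γ, and the Monte Carlo estimate over a sample Θ), as an added Python example that is not part of the patent: the password distribution PROBS, the sample sizes and the function names are constructed here, and a real PSM would substitute its own model's P(β).

```python
import random


def exact_guess_number(alpha, gamma):
    """C_alpha = |{beta in Gamma : R(beta) < R(alpha)}| for a guess list Gamma
    given in guessing order (rank 0 first). A password outside Gamma is never
    guessed within it, so its guess number is |Gamma|."""
    rank = {pw: i for i, pw in enumerate(gamma)}
    if alpha not in rank:
        return len(gamma)
    return sum(1 for pw in gamma if rank[pw] < rank[alpha])


def sample_theta(probs, n, seed=0):
    """Draw the sample set Theta: n passwords, each drawn with probability P(beta)."""
    rng = random.Random(seed)
    pws = list(probs)
    return rng.choices(pws, weights=[probs[pw] for pw in pws], k=n)


def monte_carlo_guess_number(p_alpha, theta, probs):
    """Dell'Amico-Filippone estimate:
    C_alpha ~ (1/n) * sum over beta in Theta with P(beta) >= P(alpha) of 1/P(beta).
    Its expectation is the number of passwords whose probability is at least
    P(alpha), i.e. alpha's 1-based position in the probability ordering (ties
    included), one more than the 0-based rank count above."""
    n = len(theta)
    return sum(1.0 / probs[b] for b in theta if probs[b] >= p_alpha) / n


# Constructed toy password distribution (stands in for a PSM model's P(beta)).
PROBS = {"123456": 0.5, "password": 0.25, "qwerty": 0.125, "abc123": 0.125}
GAMMA = sorted(PROBS, key=lambda pw: -PROBS[pw])   # optimal guessing order


def compare(alpha, n=4000, seed=0):
    """Exact guess number (0-based rank) next to the Monte Carlo estimate."""
    theta = sample_theta(PROBS, n, seed)
    return exact_guess_number(alpha, GAMMA), monte_carlo_guess_number(PROBS[alpha], theta, PROBS)


if __name__ == "__main__":
    for pw in GAMMA:
        print(pw, compare(pw))
```

Running it shows why the Monte Carlo estimate is used for evaluation: it only needs the model's probabilities for a sample, not the full enumeration of Γ, and for the tied passwords qwerty and abc123 it converges to the same value (4) although their enumeration ranks differ.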
Ideal strength ranking: the guess set generated by an optimal attacker is assumed to be identical to the test set, so the frequency ordering of each password in the test set is its ideal strength rank.
Weighted Spearman correlation (wspearman): taking the occurrence frequency of each password in the test set as a weight and applying it to the strength ranking output by the PSM and to the ideal strength ranking, the Spearman correlation coefficient between the two ranking results is wspearman. Maximilian and Markus[8] confirmed that this metric measures the robustness of a PSM well.
As shown in fig. 1, the method for evaluating the strength of a user password according to the present invention comprises four modules: a dictionary construction module, a password preprocessing module, a probability calculation module and an intensity feedback module, and referring to fig. 2, the modules are described in detail as follows:
1. dictionary construction module
The character conversion dictionary and the password structure dictionary are the core of the invention. The character conversion dictionary contains the probability of converting lower case letters into upper case letters, the probability of jumping from the basic character to the special character and the probability of using the special character as a separator. The password structure dictionary records various possible password structures and corresponding probabilities.
The concrete construction steps are as follows:
First, a password set is selected as the training set S, the capital letters contained in each password of S are converted to the corresponding lower-case letters, and a new sub-dataset S_lower is obtained. The frequency of each capital letter and basic character in S is counted (for example, the number of occurrences of the character A is recorded as n_(A) and that of the character a as n_(a)), and for each lower-case letter the probability of being converted to the capital letter,
$$P_{(a \to A)} = \frac{n_{(A)}}{n_{(A)} + n_{(a)}},$$
and the probability of remaining unchanged,
$$P_{(a \to a)} = \frac{n_{(a)}}{n_{(A)} + n_{(a)}},$$
are calculated.
Second, according to the character types contained, S_lower is divided into two groups: the set S_basic of strings that contain only basic characters, and the set S_special of strings that contain special characters. An appropriate confidence CR must be set, and the fuzzy matching algorithm is used to attempt a match for each password in S_special. Because users usually obtain their final password by converting a commonly used password, the strings in S_basic with frequency ≥ 10 are extracted to construct the data set S_match used for fuzzy matching.
The implementation details of the fuzzy matching algorithm are as follows: a string str1 in S_special is selected, and the strings str2 in S_match whose length satisfies len(str2) ≤ len(str1) are extracted to construct the set S_match′ to be matched. str1 is matched against each str2 in S_match′ in order of frequency from high to low. str1 is compared with str2 character by character; if the basic characters of str1 cannot be placed in one-to-one correspondence with those of str2, the match is considered failed, str1 is shifted left by one character and matching against str2 is retried; if a special character in str1 corresponds to a basic character in str2, the match is considered tentatively successful. For a tentatively matched str1 and str2, the matching rate MR is calculated to judge whether the fuzzy match succeeds and thus whether the special character can be obtained by jumping from a basic character. If
$$\mathrm{MR} = \frac{count}{len(str2)} < CR$$
(count being the number of successfully matched characters), the fuzzy match between str1 and str2 is considered failed and the special character in str1 is a separator; otherwise the special character in str1 is considered to have been obtained by jumping from the corresponding basic character in str2.
Special characters whose fuzzy matching succeeded are regarded as obtained by jumping from basic characters and are 'jumped back' into the corresponding basic characters, and the password is expressed in the format of the regular expression [^B?(S_nB)*S_n?$], where B denotes a basic character and S_n a special string of length n regarded as a separator. The above process is repeated until all strings in S_special have completed fuzzy matching.
As mentioned above, the confidence CR adjusts how much special characters affect password strength, and can be tuned to the different security requirements of application scenarios.
Recording all the conditions of character jumping and character separation and storing corresponding probabilities in a character conversion dictionary; and recording all the presented password structures, calculating corresponding probabilities and storing the probabilities in a password structure dictionary.
We present here a simple example to illustrate the implementation steps of the fuzzy matching algorithm. Assume that the confidence CR is 0.5 and that the password P@ssword####12 exists in S. For the password P@ssword####12, the capital conversion p → P is recorded and the capital letter is converted to the corresponding lower-case letter, giving the string p@ssword####12; since this string contains special characters, p@ssword####12 belongs to the set S_special. When fuzzy matching is performed, str1 = p@ssword####12 with length len(str1) = 14 is selected, and the strings str2 in S_match satisfying len(str2) ≤ len(str1) form the new set S_match′ = {123456, password, 000012}. We first use str1 = p@ssword####12 to match str2 = 123456. In the first round of matching, the first character of str1 is p and the first character of str2 is 1; both are basic characters but they differ, so the first round fails, p@ssword####12 is shifted left by one position and updated to @ssword####12, and the second round begins. In the second round, str1 = @ssword####12 and str2 = 123456: the first character of str1 is the special character @ and the first character of str2 is 1, so @ is tentatively matched with 1; the second characters are then compared, which fails because s cannot correspond to 2. These steps are repeated, and in the end p@ssword####12 and 123456 cannot be matched successfully. str2 is then switched to the second password in S_match′, password, and str1 = p@ssword####12 is matched against str2 = password.
Here it can be seen that, except for the special character @, the basic characters in str2 correspond one by one to the basic characters at the corresponding positions of str1, so str1 is tentatively matched with str2; since the matching rate MR = 7/8 = 0.875 > CR = 0.5, str1 matches str2 successfully and the @ in p@ssword####12 can be regarded as obtained by a jump. The jump conversion a → @ is therefore recorded, the @ in str1 is 'jumped back' to a, and str1 is updated. Subsequently, str1 = password####12 is matched against str2 = password by repeating the matching steps, and in the end str1 = password####12 cannot be matched with str2 any further. Finally, str2 is switched to the last password in S_match′, 000012. In this matching process, when str1 has been shifted left repeatedly so that the window becomes ####12, str1 = ####12 and str2 = 000012 are tentatively matched, but the matching rate between them is MR = 2/6 ≈ 0.333 < CR = 0.5, so the match fails. At this point all the passwords in S_match′ are exhausted and the fragment #### in p@ssword####12 still cannot be matched to an available conversion, so the special characters in this fragment are regarded as separators. Reversing all the conversions recorded above (p → P, a → @) on the password P@ssword####12 yields the password password####12, so the password structure of P@ssword####12 is BS_4B.
2. Password preprocessing module
The password preprocessing module restores the password entered by the user to a basic password and records the conversion types and the password structure. In this module, the invention quantifies by probability the influence of capital letters, special characters and so on on password strength. FIG. 3 is an exploded view of the password preprocessing module.
Assume that the user enters the password P@ssword####12, which contains basic characters, capital letters and special characters. In the preprocessing module, all capital letters are converted to the corresponding lower-case letters, giving the password p@ssword####12, and the corresponding capitalization probability P_(p→P) is looked up in the character conversion dictionary. The converted string p@ssword####12 is then fuzzy-matched against the qualifying strings in S_match′ using the fuzzy matching algorithm, the character jumps and character separations are recorded, and the corresponding probabilities P_(a→@) and P_(####) are looked up in the character conversion dictionary. Converting the successfully matched special characters into the corresponding basic characters gives the string password####12, and the probability P_(BS_4B) corresponding to this password structure is looked up in the password structure dictionary.
Finally, the password is cut using #### as the separator, yielding the basic character fragments password and 12. Fig. 4 shows the process of preprocessing the password P@ssword####12.
3. Probability calculation module
At the end of the password preprocessing module, the password entered by the user has been cut into segments containing only basic characters, which serve as the input of the LSTM neural network. The LSTM trained on S_match outputs the probability of the next character given the prefix character sequence; iterating this operation yields the construction probability of a basic character segment. Using the capitalization conversion probability, the character jump probability, the character separation probability and the password structure probability obtained by the password preprocessing module, together with the construction probabilities of the basic character segments output by the neural network, the construction probability of the password entered by the user is obtained by multiplying these probabilities. For example, the construction probability of the password P@ssword####12 is
$$P(\text{P@ssword\#\#\#\#12}) = P(\text{password}) \cdot P(\text{12}) \cdot P_{(p \to P)} \cdot P_{(a \to @)} \cdot P_{(\#\#\#\#)} \cdot P_{(BS_4B)}$$
where P(password) and P(12) are the LSTM construction probabilities of the two basic character segments.
Figure 5 shows a schematic flow decomposition of the probability calculation module.
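The probability calculation described above (claim steps C1 to C4), as an added example that is not the patent's code. The LSTM is replaced by an add-one smoothed character bigram model, which plays the same role of returning P(next character | prefix); the training fragments, the two dictionaries and the preprocessing output for P@ssword###12 are constructed values, not figures from the page.

```python
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
END = "$"   # end-of-fragment symbol; not a basic character, so it cannot collide


class BigramCharModel:
    """Add-one smoothed character bigram model, a stand-in for the patent's LSTM: it returns
    P(next char | prefix) (conditioned here on the last character only) and the fragment
    probability is the product of these conditionals over the fragment plus the end symbol."""

    def __init__(self, fragments):
        self.symbols = list(ALPHABET) + [END]
        self.counts = defaultdict(lambda: defaultdict(int))
        for frag in fragments:
            prev = "^"                    # start symbol
            for c in frag + END:
                self.counts[prev][c] += 1
                prev = c

    def next_char_prob(self, prefix, c):
        prev = prefix[-1] if prefix else "^"
        row = self.counts.get(prev, {})
        total = sum(row.values())
        return (row.get(c, 0) + 1) / (total + len(self.symbols))

    def fragment_prob(self, fragment):
        p = 1.0
        for i, c in enumerate(fragment + END):
            p *= self.next_char_prob(fragment[:i], c)
        return p


# Constructed S_match: basic-only strings; repetition stands in for frequency >= 10.
TRAINING_FRAGMENTS = ["password"] * 5 + ["pass", "word", "12", "123456", "qwerty", "iloveyou"]

# Constructed character conversion dictionary (claim step A6): capitalization (p->P),
# jump (a->@) and separator ("###") probabilities.
CONVERSION_DICT = {("p", "P"): 0.30, ("a", "@"): 0.05, "###": 0.02}
# Constructed password structure dictionary: "BS3B" = basic run, 3-char separator, basic run.
STRUCTURE_DICT = {"B": 0.70, "BS3B": 0.01, "BS1B": 0.05}

# Output of the preprocessing module for P@ssword###12, as described on the page.
EXAMPLE_PREPROCESSED = {
    "capitalizations": [("p", "P")],
    "jumps": [("a", "@")],
    "separators": ["###"],
    "fragments": ["password", "12"],
    "structure": "BS3B",
}


def construct_probability(model, pre, conv_dict, struct_dict):
    """Claim step C4: multiply fragment probabilities (C1), conversion probabilities (C2)
    and the password structure probability (C3)."""
    p = 1.0
    for frag in pre["fragments"]:
        p *= model.fragment_prob(frag)
    for key in pre["capitalizations"] + pre["jumps"] + pre["separators"]:
        p *= conv_dict[key]
    p *= struct_dict[pre["structure"]]
    return p


def example_probability():
    model = BigramCharModel(TRAINING_FRAGMENTS)
    return construct_probability(model, EXAMPLE_PREPROCESSED, CONVERSION_DICT, STRUCTURE_DICT)


if __name__ == "__main__":
    print(f"P(P@ssword###12) = {example_probability():.3e}")
```

Swapping the bigram class for a real LSTM only changes next_char_prob; everything downstream (the product in C4) stays the same, which is why the modules are separable.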
4. Strength feedback module
Accurately calculating the password construction probability helps users know the strength of the password they set, but without a reference point they cannot judge its security comprehensively. The invention sets benchmark passwords and presents password strength to the user more intuitively from two aspects: absolute strength feedback and relative strength feedback. The absolute strength reflects the actual strength of the password; the relative strength is the difference between the actual strength and the strength of the website's benchmark passwords. Among the benchmark passwords, pw1 is the password strength floor: passwords weaker than pw1 should be rejected; pw2 is the dividing line between basic security and relative security; pw3 is the dividing line between relatively secure and sufficiently secure; pw4 is the strongest password preset by the system. The website administrator can set the benchmark passwords according to actual application requirements; the basic setting principles are as follows:
pw1: guess number ≥ 10^4. Modern web servers of large service providers are equipped with malicious traffic detection mechanisms and tend to limit the number of daily logins per IP. If the cracking time acceptable to an attacker is assumed to be 4 months, the upper limit on the number of guesses an attacker can make in a large-scale online guessing attack is 10^4 [10]. Therefore, the suspicious login detection [11] and account lockout policies [12] employed by most service sites are effective enough to withstand most online guessing attacks. The strength of pw1 can be regarded as the password strength floor that the website allows to pass, and this strength is reached as long as the password set by the user is not on the blacklist.
pw2: guess number ≥ 10^7. When the guess number exceeds 10^7, the attacker's gain no longer increases significantly with the number of guesses [10]. Therefore, a password with the strength of pw2 can basically meet the requirements of most websites on password length and character types, and can also resist most online guessing attacks.
pw3: guess number ≥ 10^14. The number of guesses achievable by an offline guessing attack is much higher than that of an online attack and often reaches 10^11 or even more than 10^12 [10]. It has been documented that the upper bound on the number of guesses an attacker makes in a breadth-first offline guessing attack is 10^14 [13][14]; meanwhile, experiments show that the guess numbers of most passwords fall within [10^6, 10^14] [14]. Therefore, the invention sets the guess number of pw3 to be ≥ 10^14. A password with a guess number ≥ 10^14 can be considered to basically protect the security of the user account.
pw4: guess number ≥ 10^20. The Monte Carlo method [7] is used to calculate the guess number of each password in the test set and the coverage rate corresponding to different guess numbers. In this experiment we found that for the invention, PCFG [6], Markov [5], RNN [9] and fuzzyPSM [4], five well-performing algorithms built into PSMs, the coverage rate reaches its maximum and remains stable once the guess number is ≥ 10^20. Therefore, a password with a guess number ≥ 10^20 is considered very secure.
To reduce the computational burden, the guess number for the benchmarked password may be converted to a corresponding probability interval.
Although a password with strength between pw2 and pw3 can be accepted by the website, it is still not secure enough. The invention therefore randomly selects an available transformation from the character conversion dictionary to modify the password entered by the user, and generates several candidate passwords for the user to choose from or refer to. These measures ensure that the generated candidate passwords are secure enough (strength not lower than pw3) while remaining easy for the user to remember. Fig. 6 shows the flow of the strength feedback module.
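The strength feedback module described in this section (benchmark bands, relative strength and candidate generation, claim steps D1 to D3), as an added example rather than the patent's code. The benchmark thresholds 10^4, 10^7, 10^14 and 10^20 are the page's; the conversion dictionary and constructed_guess_number, which stands in for the Monte Carlo guess-number estimate [7], are constructed for the example.

```python
import math
import random

# Benchmark passwords pw1..pw4 expressed as guess-number thresholds, as set out on the page.
BENCHMARKS = [("pw1", 1e4), ("pw2", 1e7), ("pw3", 1e14), ("pw4", 1e20)]
BANDS = ["reject", "basic", "relatively secure", "sufficiently secure", "strongest"]


def absolute_band(guess_number):
    """Absolute strength: which interval between benchmark passwords the guess number falls in."""
    return BANDS[sum(1 for _, g in BENCHMARKS if guess_number >= g)]


def relative_strength(guess_number):
    """Relative strength: log10 distance from each benchmark (negative means weaker than it)."""
    lg = math.log10(max(guess_number, 1))
    return {name: round(lg - math.log10(g), 2) for name, g in BENCHMARKS}


# Constructed character conversion dictionary (claim step A6): (basic, replacement) pairs for
# capitalization and jumps, plain strings for separators. Values are conversion probabilities.
CONVERSION_DICT = {("p", "P"): 0.30, ("a", "@"): 0.05, ("s", "$"): 0.04, "###": 0.02, "!": 0.06}


def assemble(tokens):
    return "".join(text for _, text in tokens)


def apply_random_transform(tokens, conv_dict, rng):
    """Apply one randomly chosen dictionary transformation (claim step D3).
    tokens: list of (kind, text) with kind "B" (basic fragment) or "S" (separator)."""
    key = rng.choice(sorted(conv_dict, key=str))
    tokens = list(tokens)
    if isinstance(key, tuple):                       # capitalization or jump of one character
        base, repl = key
        spots = [(i, j) for i, (kind, text) in enumerate(tokens) if kind == "B"
                 for j, c in enumerate(text) if c == base]
        if spots:
            i, j = rng.choice(spots)
            kind, text = tokens[i]
            tokens[i] = (kind, text[:j] + repl + text[j + 1:])
    else:                                            # insert a separator; never two S in a row
        gaps = [i for i in range(len(tokens) + 1)
                if (i == 0 or tokens[i - 1][0] == "B") and (i == len(tokens) or tokens[i][0] == "B")]
        tokens.insert(rng.choice(gaps), ("S", key))
    return tokens


def generate_candidates(tokens, conv_dict, guess_number_of, rng, n=3, tries=40, max_steps=3):
    """Up to n candidates, each reached from the user's password in at most max_steps
    transformations, whose strength is not lower than pw3."""
    target = dict(BENCHMARKS)["pw3"]
    original = assemble(tokens)
    found = []
    for _ in range(tries):
        cur = list(tokens)
        for _ in range(max_steps):
            cur = apply_random_transform(cur, conv_dict, rng)
            pw = assemble(cur)
            if pw != original and guess_number_of(pw) >= target:
                if pw not in found:
                    found.append(pw)
                break
        if len(found) >= n:
            break
    return found


def constructed_guess_number(pw):
    """Constructed stand-in for the Monte Carlo guess-number estimate [7]: grows with length
    and rewards characters that are neither lowercase nor digits. Not the page's meter."""
    extras = sum(1 for c in pw if not (c.islower() or c.isdigit()))
    return 10.0 ** (len(pw) + 2 * extras)


def demo(seed=1):
    """password12 scores 1e10 under the stand-in, between pw2 and pw3, so candidates are offered."""
    rng = random.Random(seed)
    tokens = [("B", "password12")]
    return generate_candidates(tokens, CONVERSION_DICT, constructed_guess_number, rng)


if __name__ == "__main__":
    g = constructed_guess_number("password12")
    print(absolute_band(g), relative_strength(g), demo())
```

Candidates are only ever one to three dictionary transformations away from the user's own password, which is what keeps them memorable; the threshold check against pw3 is what keeps them secure.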
This embodiment shows that the password strength evaluation results provided by the invention are accurate and robust, as demonstrated by two groups of experiments.
Using coverage rate as the evaluation index and the same training and test sets, we ran the four better-performing algorithms PCFG [6], Markov [5], RNN [9] and fuzzyPSM [4], the two common password cracking tools JtR [15] and HashCat [16], and the invention. We used the Monte Carlo method [7] to calculate the guess number of each password in the test set. The experimental results show that for passwords of medium strength or above (guess number ≥ 10^4), the invention always performs best and is clearly better than the other algorithms.
Using wspearman as the evaluation index and the same training and test sets, we ran five algorithms with good robustness, the invention, PCFG [6], Markov [5], fuzzyPSM [4] and zxcvbn [3], to evaluate the strength of the passwords with frequency greater than 10 in the test set, and calculated the wspearman coefficient between the strength ranking output by each algorithm and the ideal strength ranking. The experimental results show that the robustness of the strength evaluation output by the invention is clearly superior to that of the other algorithms.
The password strength evaluation method disclosed by the invention therefore has the following advantages and beneficial effects:
(1) The invention summarizes user password reuse behaviour into three cases, capitalization conversion, character jump and character separation, designs a fuzzy matching algorithm, and can accurately give the probability corresponding to each conversion case. Through the fuzzy matching algorithm, the invention overcomes shortcomings of prior schemes such as missing important conversions and the absence of probability calculation.
(2) The invention uses an LSTM to calculate the construction probability of basic character strings and combines it with the fuzzy matching algorithm to calculate the probabilities of special characters and the password structure, so that the invention achieves a good balance between evaluation accuracy and running efficiency. Experimental results show that the invention performs best when evaluating passwords of medium strength (guess number ≥ 10^10). In the same experimental environment, the coverage rate calculated by the invention is on average 18.9% higher than that of fuzzyPSM [4], 16.9% higher than that of 3rd-order Markov [5], and 6.1% higher than that of RNN [9]. Meanwhile, compared with other PSM algorithm models, the robustness of the invention is also the best.
(3) The invention provides the user with the absolute password strength and, at the same time, feeds back the relative strength of the user's password using the four benchmark passwords, so that the user can fully understand the strength of the password relative to other users' passwords. Meanwhile, the invention generates, in a few steps, candidate passwords that are similar to the user's password but secure enough, helping the user construct a safer password. The invention also provides a parameter setting method for different scenarios by comprehensively considering differences in service type, economic value, password policy and so on.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
References
[1] Egelman S, Sotirakopoulos A, Muslukhov I, et al. Does my password go up to eleven? The impact of password meters on password selection. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013: 2379-2388.
[2] Ur B, Kelley P G, Komanduri S, et al. How does your password measure up? The effect of strength meters on password creation. 21st USENIX Security Symposium (USENIX Security 12), 2012: 65-80.
[3] Wheeler D L. zxcvbn: Low-budget password strength estimation. 25th USENIX Security Symposium (USENIX Security 16), 2016: 157-173.
[4] Wang D, He D, Cheng H, et al. fuzzyPSM: A new password strength meter using fuzzy probabilistic context-free grammars. 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), IEEE, 2016: 595-606.
[5] Ma J, Yang W, Luo M, et al. A study of probabilistic password models. 2014 IEEE Symposium on Security and Privacy, IEEE, 2014: 689-704.
[6] Weir M, Aggarwal S, De Medeiros B, et al. Password cracking using probabilistic context-free grammars. 2009 30th IEEE Symposium on Security and Privacy, IEEE, 2009: 391-405.
[7] Dell'Amico M, Filippone M. Monte Carlo strength evaluation: Fast and reliable password checking. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015: 158-169.
[8] Golla M, Dürmuth M. On the accuracy of password strength meters. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018: 1567-1582.
[9] Melicher W, Ur B, Segreti S M, et al. Fast, lean, and accurate: Modeling password guessability using neural networks. 25th USENIX Security Symposium (USENIX Security 16), 2016: 175-191.
[10] Florêncio D, Herley C, Van Oorschot P C. An administrator's guide to internet password research. Proceedings of the 28th USENIX Conference on Large Installation System Administration (LISA14), 2014: 35-52.
[11] Freeman D, Jain S, Dürmuth M, et al. Who are you? A statistical approach to measuring user authenticity. NDSS, 2016: 1-15.
[12] Alsaleh M, Mannan M, Van Oorschot P C. Revisiting defenses against large-scale online password guessing attacks. IEEE Transactions on Dependable and Secure Computing, 2011, 9(1): 128-141.
[13] Weir M, Aggarwal S, Collins M, et al. Testing metrics for password creation policies by attacking large sets of revealed passwords. Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010: 162-175.
[14] Mazurek M L, Komanduri S, Vidas T, et al. Measuring password guessability for an entire university. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013: 173-186.
[15] Peslyak A. John the Ripper (1996). http://www.openwall.com/john/
[16] Steube J. Hashcat (2018). https://hashcat.net/hashcat/

Claims (1)

1. A password strength evaluation method based on password reuse, character jump and separation, consisting of a dictionary construction module, a password preprocessing module, a probability calculation module and a strength feedback module, and specifically comprising the following steps:
A. In the dictionary construction module, select a password set S matching the service type as the training set, and construct a character conversion dictionary and a password structure dictionary through a fuzzy matching algorithm;
B. In the password preprocessing module, restore the password entered by the user to basic password fragments, and record the conversion types and the password structure;
C. In the probability calculation module, calculate the construction probability of the basic password fragments with a neural network and, combining it with the password format probability and the character conversion probabilities recorded in the dictionaries, calculate the construction probability of the user's password;
D. In the strength feedback module, feed back to the user the absolute strength and the relative strength of the password, and at the same time provide the user with candidate passwords that are similar to the entered password but more secure;
Step A specifically performs the following operations:
A1. Count the frequency of occurrence of each uppercase letter and each basic character in S, and calculate the probability that a lowercase letter is converted into an uppercase letter as well as the probability that a basic character remains unchanged; basic characters include lowercase letters and digits;
A2. Convert the uppercase letters contained in each password in S into the corresponding lowercase letters to obtain a new data set S_lower;
A3. According to character composition, divide S_lower into two subsets: the set S_match consists of strings containing only basic characters with frequency ≥ 10, and S_special consists of strings containing special characters; special characters are the ASCII characters other than uppercase letters and basic characters;
A4. After setting an appropriate confidence level CR, execute the fuzzy matching algorithm, whose steps are:
select a string str1 in S_special, extract from S_match the strings str2 satisfying len(str2) ≤ len(str1), and construct the set to be matched S_match′;
match str1 against each str2 in S_match′, i.e. compare str1 and str2 character by character; if the basic characters of str1 and str2 cannot be put in one-to-one correspondence, the match is considered failed, str1 is shifted left by one character and the match against str2 is attempted again; if the special characters in str1 correspond to basic characters in str2, the match is considered tentatively successful;
for a tentatively matched pair str1 and str2, calculate the matching rate MR to judge whether the fuzzy match succeeds, and hence whether the corresponding special characters result from jumps of basic characters; if
[Condition on MR, given as an image in the original.]
where count is the number of successfully matched characters, the fuzzy match of str1 and str2 is considered failed and the corresponding special characters in str1 are separators; otherwise the fuzzy match of str1 and str2 is considered successful and the special characters in str1 are obtained by jumps of the corresponding basic characters in str2;
A5. For a successful fuzzy match, i.e. special characters regarded as obtained by jumps of basic characters, "de-jump" them into the corresponding basic characters, and record the password structure in the format of the regular expression [^B?(SnB)*Sn?$], where B represents a basic character and Sn represents a special string of length n regarded as a separator;
A6. Record all occurrences of capitalization conversion, character jump and character separation, and store the corresponding probabilities in the character conversion dictionary; record all password structures that occurred, calculate the corresponding probabilities and store them in the password structure dictionary;
Step B specifically performs the following operations:
B1. Convert the uppercase letters in the user's password into the corresponding lowercase letters, and record the conversion;
B2. Using the algorithm of A4, fuzzily match the converted password against the S_match constructed in A3, "de-jump" the successfully matched special characters into the corresponding basic characters, and record the password structure and the jump conversions performed;
B3. Using the special characters whose fuzzy match failed as separators, cut the password into several basic character fragments, and record the special characters used as separators;
Step C specifically performs the following operations:
C1. Train a long short-term memory network LSTM with the S_match constructed in A3 and, taking the basic character fragments obtained in B3 as the LSTM input, calculate the construction probability of each basic character fragment;
C2. Look up in the character conversion dictionary constructed in A6 the capitalization conversion probabilities recorded in B1, the character jump probabilities recorded in B2 and the character separation probabilities recorded in B3;
C3. Look up in the password structure dictionary constructed in A6 the probability of the password structure recorded in B2;
C4. Multiply the above probabilities to obtain the construction probability of the user's password;
Step D specifically performs the following operations:
D1. Feed back to the user the password construction probability calculated in C4 as the absolute strength of the password;
D2. Calculate the difference between the construction probability obtained in C4 and the construction probabilities of the benchmark passwords, and feed back the difference to the user as the relative strength of the password;
D3. Based on the character conversion dictionary constructed in A6, randomly select a conversion case and modify the user's password, thereby generating several more secure candidate passwords for the user to choose from.
Publications
CN111786796A (application), published 2020-10-16
CN111786796B (grant), published 2021-10-12
