Abstract

While it is not recommended, Internet users tend to include personal information in their passwords for easy memorization. However, the use of personal information in passwords and its security implications have yet to be studied. In this paper, we dissect user passwords from several leaked data sets to investigate the extent to which a user’s personal information resides in a password. Then, we introduce a new metric called coverage to quantify the correlation between passwords and personal information. Afterward, based on our analysis, we extend the probabilistic context-free grammars (PCFGs) method to be semantics-rich and propose personal-PCFG to crack passwords by generating personalized guesses. Through offline and online attack scenarios, we demonstrate that personal-PCFG cracks passwords much faster than PCFG and makes online attacks much more likely to succeed. To defend against such semantics-aware attacks, we examine the use of simple distortion functions that are chosen by users to mitigate unwanted correlation between personal information and passwords.
