Abstract

Password-based authentication remains the dominant means of website access. Existing studies of password security have concentrated on letter-only passwords or on passwords that mix letters and digits; digit-only passwords, and passwords from commercial services, have received little attention. In this paper we comprehensively evaluate digit-only passwords by analyzing approximately 130,000 passwords from the 12306 data set. We observe that approximately 20% of the six-digit passwords of Chinese users contain digits taken from the user's identity document (ID) card number, and that most of these are derived from the user's date of birth. We further show that male users are more likely than female users to build passwords from digits of their ID card numbers. This is the first study to consider the relation between real users' passwords and their ID card numbers; because it works from actual attack methodologies and real-user passwords, it is an explicit study of digit-only password security. We then propose a password-encryption authentication model based on FF3-1, the NIST format-preserving encryption mode (SP 800-38G Rev. 1), for secure storage of passwords. We attack both ciphertext and plaintext passwords with probabilistic context-free grammars using three–three and four–two segment structures. Against ciphertext passwords the cracking success rates are 0.086% and 1.06%, recovering 59.83% and 33.2% of the passwords in the test set; against plaintext passwords the same attacks recover 98% and 85% of the test set. Our results demonstrate that encrypting stored passwords significantly reduces an attacker's cracking success rate.
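The two analyses the abstract describes can be reproduced in miniature. The block below is an added example, not code from the paper or from the 12306 data set: it (1) checks whether a six-digit password is a run of digits from an 18-digit Chinese resident ID number, distinguishing birth-date digits from the rest and reading gender from the ID, and (2) trains a PCFG-style guesser on the three–three or four–two segment structure and measures its crack rate against plaintext passwords and against ciphertexts. The ID layout (GB 11643-1999: six-digit region, eight-digit birth date YYYYMMDD, three-digit sequence whose last digit is odd for males, MOD 11-2 check digit) is an assumption stated in the code; the sample IDs and password lists are constructed, and the format-preserving cipher is a toy decimal Feistel that mimics FF3-1's two-half structure but is not the standardized FF3-1 algorithm.

```python
"""Added example (not the paper's code): ID-card reuse check for six-digit
passwords plus a PCFG-style 3-3 / 4-2 guesser run on plaintexts and on
ciphertexts from a toy format-preserving cipher (NOT NIST FF3-1)."""
import hashlib
import hmac
from collections import Counter

# Assumption: 18-digit PRC resident ID layout (GB 11643-1999):
#   [0:6] region, [6:14] birth date YYYYMMDD, [14:17] sequence number
#   (digit at index 16 odd = male, even = female), [17] ISO 7064 MOD 11-2 check.
BIRTH = slice(6, 14)
CHECK_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
CHECK_MAP = "10X98765432"


def id_is_valid(id_no: str) -> bool:
    """Length, digit and MOD 11-2 check-digit validation of an 18-digit ID."""
    if len(id_no) != 18 or not id_no[:17].isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(id_no[:17], CHECK_WEIGHTS))
    return CHECK_MAP[total % 11] == id_no[17].upper()


def id_fields(id_no: str) -> dict:
    """Birth date and gender as encoded in the ID (assumed layout above)."""
    return {"birth": id_no[BIRTH], "male": int(id_no[16]) % 2 == 1}


def windows(s: str, n: int = 6) -> set:
    """All contiguous n-digit runs of s."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def classify(password: str, id_no: str) -> str:
    """'birthdate' if the password is a six-digit run of YYYYMMDD (YYYYMM, YYMMDD, ...),
    'id_other' if it is any other six-digit run of the ID, else 'unrelated'."""
    if password in windows(id_no[BIRTH]):
        return "birthdate"
    if password in windows(id_no[:17]):  # check digit may be 'X', so it is excluded
        return "id_other"
    return "unrelated"


def train_pcfg(passwords, split: int):
    """Segment counts for the (split, 6-split) base structure, i.e. 3-3 or 4-2."""
    return Counter(p[:split] for p in passwords), Counter(p[split:] for p in passwords)


def guesses(model, limit: int) -> list:
    """Guesses in descending order of segment-probability product, as a PCFG cracker emits them."""
    left, right = model
    tl, tr = sum(left.values()), sum(right.values())
    scored = [(lc * rc / (tl * tr), l + r) for l, lc in left.items() for r, rc in right.items()]
    return [g for _, g in sorted(scored, reverse=True)[:limit]]


def crack_rate(model, test, limit: int) -> float:
    """Fraction of the test set hit within the first `limit` guesses."""
    hit = set(guesses(model, limit))
    return sum(p in hit for p in test) / len(test)


def _round(key: bytes, tweak: bytes, i: int, half: int) -> int:
    """Round function: HMAC-SHA256 of (round index, tweak, half) reduced mod 1000."""
    mac = hmac.new(key, bytes([i]) + tweak + half.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 1000


def fpe_encrypt(key: bytes, pw: str, tweak: bytes = b"", rounds: int = 8) -> str:
    """Toy decimal Feistel over the two 3-digit halves: a permutation of the 10^6
    six-digit strings, so the ciphertext is itself a six-digit 'password'."""
    a, b = int(pw[:3]), int(pw[3:])
    for i in range(rounds):
        a, b = b, (a + _round(key, tweak, i, b)) % 1000
    return f"{a:03d}{b:03d}"


def fpe_decrypt(key: bytes, ct: str, tweak: bytes = b"", rounds: int = 8) -> str:
    a, b = int(ct[:3]), int(ct[3:])
    for i in reversed(range(rounds)):
        a, b = (b - _round(key, tweak, i, a)) % 1000, a
    return f"{a:03d}{b:03d}"


def compare(train, test, key: bytes, split: int, limit: int) -> tuple:
    """Crack rate when the attacker's leak holds plaintexts vs. only ciphertexts."""
    plain = crack_rate(train_pcfg(train, split), test, limit)
    enc_train = [fpe_encrypt(key, p) for p in train]
    enc_test = [fpe_encrypt(key, p) for p in test]
    return plain, crack_rate(train_pcfg(enc_train, split), enc_test, limit)


if __name__ == "__main__":
    # Constructed sample IDs (valid check digits): first is male, second female.
    for id_no, pw in (("110105199003070017", "900307"), ("310104198511220022", "851122")):
        print(id_no, id_is_valid(id_no), id_fields(id_no), pw, classify(pw, id_no))
    train = ["900307", "900307", "900307", "123456", "199003"]  # constructed
    test = ["900307", "900456", "000000"]                       # constructed
    print("3-3 plaintext vs ciphertext crack rate:", compare(train, test, b"k" * 16, 3, 5))
```

Two caveats apply to the toy cipher exactly as they do to a real FF3-1 deployment. First, the encryption is deterministic per (key, tweak), so without a per-user tweak two users with the same password share a ciphertext and an attacker can still recover the most common passwords by frequency alone; FF3-1's tweak input (derived, for instance, from a user identifier) is what the model should use to break that link. Second, the reduction in crack rate holds only while the key stays outside the leaked database; a key stored beside the ciphertexts turns the scheme back into plaintext storage.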
