Password Checkers Research Articles

Mitigating Online Password Attacks: A Comprehensive Review of Password Models

Most authentication systems rely on alphanumeric passwords as a first line of defense. This review outlines various online password attacks and evaluates models proposed to mitigate them. A secondary aim is to explore ways to improve password selection and memorability without user inconvenience. Nine articles from 2019 to 2023 were reviewed, focusing on password checkers, entropy values, and password structures to ensure system security against online attacks, while analyzing usability and security aspects of the models. Most of these models were implemented in controlled environments rather than in real-time scenarios. Future work includes surveying user preferences for password and authentication systems.

How to Improve the Security of Password Checkers

After years of the attempt to replace password with other alternatives such as biometrics and smart cards, password is still the most pervasive user authentication mechanism. The password checking authentication is widely used for financial services, online social networks, and many other applications. This paper aims to analyze the security of a <i>password checker</i> qualitatively and quantitatively, and show how to improve it. <i>Qualitative</i> security analysis, in which it does not allow any information flow from secret date to public data, considers that the password checker is not a secure process. Therefore, an alternative analysis for the password checker is to analyze <i>quantitatively,</i> i.e., quantifying its information flow and determining how much secret information has been leaked. This method can be used to decide whether we can tolerate small leakages. A quantitative security analysis can be seen as a generalization of a qualitative one. To improve the security of the password checker, we propose a <i>noisy-output</i> policy, i.e., a situation where a system operator is able to add noise to the output: instead of always producing the exact outcomes, the system sometimes reports noisy outcomes. The noisy outcomes reduce the correlation between the output and the input, and thus reduce the leakage.

Highly Secure and Easy to Remember Password-Based Authentication Approach

Everyone connected and using the Internet is concerned regarding the security and also the privacy of their sensitive information available on the Internet. As authentication is the fundamental part of security, there are different authentication mechanisms through which the systems can be secured. The password-based authentication mechanism is a cheap and easy method for enforcing authentication in the systems for many years. The weakest aspect in password security is human, as they choose weak and easy to guess passwords or a highly secure and complex password which might be difficult to remember and recover the password. On the other hand, Dictionary and Brute force attacks are widely used to compromise the passwords of the users over the Internet. In this paper, a password generation system is proposed which generates a password based on the user’s input like, time and location data. The system generates a password that is highly secure, easy to remember, easy to recover, and can effectively defend against Brute force and dictionary attacks. The generated passwords have been checked in three online password checkers, which verifies that the system is generating highly secure and crack resistant passwords. The system is implemented using PHP scripting language with a user-friendly environment.

An IoT-fuzzy based password checker system for wireless video surveillance system

Wireless video surveillance systems (WVSS) are deployed in large environments for use in strategic places such as town centers, public streets, and airports and play an essential role in protecting critical infrastructure. However, WVSSs are vulnerable to unauthorized access due to weak login credentials, which leads to their exploitation to launch cyberattacks on other systems, such as distributed denial-of-service attacks. Hence, it is essential to secure these systems from unauthorized access. This paper proposes the Mamdani fuzzy inference system (FIS)-based password checker algorithm to estimate the password strength ratio (PSR) of internet protocol (IP) cameras and internet of things (IoT) devices. This algorithm composes three stages, the password extraction stage, which evaluates the input parameters of FIS from the real-time streaming protocol (RTSP) protocol using a counter of password characters. Then, the processing stage uses Mamdani FIS to optimize the input parameters to calculate the PSR. Finally, the alarm stage will notify the system administrator about weak IoT nodes. Unlike the existing approaches, this algorithm improves detection accuracy by informing the system administrator about threatened nodes. Extensive experiments are carried out to determine the efficiency of the proposed algorithm. The results confirm the efficiency of the proposed algorithm with high accuracy, which outperforms existing schemes.

Client-Side Hashing for Efficient Typo-Tolerant Password Checkers

Credential leaks still happen with regular frequency, and show evidence that, despite decades of warnings, password hashing is still not correctly implemented in practice. The common practice today, inherited from previous but obsolete constraints, is to transmit the password in cleartext to the server, where it is hashed and stored. This allows some usability improvements, such as typo-tolerant password checkers — which can correct up to 32% of typos, with no negative impact on security — formally introduced by Chatterjee et al. in 2016, but used in some preliminary forms since 2012. This article investigates the advantages and drawbacks of the alternative of hashing client-side, and shows that it is present today exclusively on Chinese websites. It introduces an alternative typo-correction framework based on client-side hashing, which corrects up to 57% of typos without affecting user experience, at no computational cost to the server. Finally, it proposes some potential ways to improve the industry standards by enforcing accountability on password security.

Strength Analysis of Real-Life Passwords Using Markov Models

Recent literature proposes the use of a proactive password checker as method for preventing users from creating easy-to-guess passwords. Markov models can help us create a more effective password checker that would be able to check the probability of a given password to be chosen by an attacker. We investigate the ability of different Markov models to calculate a variety of passwords from different topics, in order to find out whether one Markov model is sufficient for creating a more effective password checker. The results of our study show that multiple models are required in order to be able to do strength calculations for a wide range of passwords. To the best of our knowledge, this is the first password strength study where the effect of the training password datasets on the success of the model is investigated.

Implementation of a Secured Authentication System using a Policy Generator with Email Notifications

For securing the login, passwords of users from intruders and hackers, the website owners and administrators are providing certain guidelines to the users to create secure and strong passwords using a mechanism called Password Checkers. These guidelines which are provided helps the users to create strong passwords, these guidelines are also becoming the raw input for the hackers as they clearly show based on which policy the password was generated which increases the risk for brute force attacking with more ease. There by increasing the success rate probability for the brute force attackers. To overcome and to decrease the success probability for brute force attacking the Dynamic Password Policy Generator is being devised.The profiles of users are built and maintained by the system automatically bases on the interaction with the monitored database in training phase. This DBSAFE system will help both the administrator as well as the users to feel secured in terms with their data security. Also whenever, an unsuccessful attempts leaving a notification through an email will always add a extra layer of security to the system. When the system’s critical files were all under watch and someone try to access those, concerned people will be intimated to verify the system security keeping the system and database safe and healthy.

Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites

Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users to choose hard-to-guess passwords and enhance the security of systems based on password authentication. Although there are many password strength metrics and tools, none of them produces an objective measurement with inconsistent policies and different dictionaries. In this work, we analyzed the password policies and checkers of top 100 popular websites that are selected from Alexa rankings. The checkers are inconsistent and thus they may label the same password as different strength labels, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers are empowered to exploit the above vulnerabilities to crack the protected systems more easily. As such, single metrics or local training data are not enough to build a robust and secure password checker. Based on these observations, we proposed Hybritus that integrates different websites’ strategies and views into a global and robust model of the attackers with multiple layer perceptron (MLP) neural networks. Our data set is comprised of more than 3.3 million passwords taken from the leaked, transformed and randomly generated dictionaries. The data set were sent to 10 website checkers to get the feedbacks on the strength of passwords labeled as strong, medium and weak. Then we used the features of passwords generated by term frequency-inverse document frequency to train and test Hybritus. The experimental results show that the accuracy of passwords strength checking can be as high as 97.7% and over 94% even if it was trained with only ten thousand passwords. User study shows that Hybritus is usable as well as secure.

Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?

Proactive password checkers have been widely used to persuade users to select stronger passwords by providing machine-generated strength ratings of passwords. If such ratings do not match human-generated ratings of human users, there can be a loss of trust in PPCs. In order to study the effectiven

DPPG: A Dynamic Password Policy Generation System

To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator , namely DPPG , to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.

Efficient Plain Password Cryptanalysis Techniques

In this research work, some low complexity and efficient cryptanalysis approaches are proposed to decrypt password (encryption keys). Passwords are still one of the most common means of securing computer systems. Most organizations rely on password authentication systems, and therefore, it is very important for them to enforce their users to have strong passwords. They usually ignore the importance of usability of the password for the users. The more complex they are the more they frustrate users and they end up with some coping strategies such as adding “123” at the end of their passwords or repeating a word to make their passwords longer, which reduces the security of the password, and more importantly there is no scientific basis for these password creation policies to make sure that passwords that are created based on these rules are resistance against real attacks. The current research work describes different password creation policies and password checkers that try to help users create strong passwords and addresses their issues. Metrics for password strength are explored in this research and efficient approaches to calculate these metrics for password distributions are introduced. Furthermore, efficient technique to estimate password strength based on its likelihood of being cracked by an attacker is described. In addition, a tool called PAM has been developed and explained in details in this paper to help users have strong passwords using these metrics; PAM is a password analyzer and modifier.

Neural Network Techniques for Proactive Password Checking

This paper deals with the access control problem. We assume that valuable resources need to be protected against unauthorized users and that, to this aim, a password-based access control scheme is employed. Such an abstract scenario captures many applicative settings. The issue we focus our attention on is the following: password-based schemes provide a certain level of security as long as users choose good passwords, i.e., passwords that are hard to guess in a reasonable amount of time. In order to force the users to make good choices, a proactive password checker can be implemented as a submodule of the access control scheme. Such a checker, any time the user chooses/changes his own password, decides on the fly whether to accept or refuse the new password, depending on its guessability. Hence, the question is: how can we get an effective and efficient proactive password checker? By means of neural networks and statistical techniques, we answer the above question, developing suitable proactive password checkers. Through a series of experiments, we show that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies, and the memory requirements are better in several cases. It is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers

H yppocrates: a new proactive password checker

In this paper, we propose a new proactive password checker, a program which prevents the choice of easy-to-guess passwords. The checker uses a decision tree, constructed applying the minimum description length principle and a pessimistic pruning technique. Experimental results show a substantial improvement in performance of this checker compared to previous proposals. Moreover, the whole software package we provide has a user-friendly interface, enabling the system administrator to configure an ad hoc password proactive checker, in order to satisfy certain policy requirements.

Improving system security via proactive password checking

As the Internet has grown, its user community has changed from a small tight-knit group of researchers to a loose gathering of people on a global network. The amazing and constantly growing numbers of machines and users ensures that untrustworthy individuals have full access to that network. High speed inter-machine communication and even higher speed computational processors have made the threats of system “crackers”, data theft, and data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease by which individual at counts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a proactive password checker, is documented.