INTRODUCTION

Information Security Department

gm@cnpo.ru 0

Department of Computing and IS

mrvo788@gmail.com 1 0 Bauman Moscow State Technical University , Moscow , Russia 1 University of Greenwich , London , Great Britain

79 82

-As the first protection line for a computer system, the authentication system is of critical importance in the information security area. Despite the steady development of information security mechanisms, the password is the most commonly used authentication tool. The key vulnerability of such a protection mechanism is selecting an insecure password. The period of 2014-2017 saw major Internet companies suffer a number of password database leaks, which followed by a study of real password security. It should be noted that password system protection has not advanced much over the past years; mainly, there has been a clear tendency for imposing stricter requirements on the password entry interface. This being the case, there is still a question, yet to be answered, which passwords can be considered secure and which cannot. The work offers examples of password system assessment and reviews leaked passwords for their security under the current requirements. Security was verified using metrics (password security indices). These metrics provided the basis for defining objective requirements for password system security.

identification authentication password metric information security information protection password system

INTRODUCTION

Even though the problems of password system security are subject to permanent studies, this issue remains yet to be dealt with in practice for subjective reasons. For example, some software system developers treat the password system security issue in different ways, while users often fail to meet in full the authentication system security policy.

Over the last two years, there have been a number of major leaks from password databases of communication Internet services (Twitter, Hotmail, Yandex, Google, Mail, Dropbox etc.). This allowed password security to be investigated using informal and formal indices.

II.

PASSWORD SECURITY STRENGTH CONCEPT Let’s consider the password mining probability formula: = ∙ | |

The above makes it possible to formulate simple substantive criteria whereby a password is considered secure:          

Password length must be at least 8 characters; Characters of various cases must be taken into account;

Numeral must be used; Special characters must be used; Password must not be based on a word; Password must not include words relating to the password owner.

Meanwhile, there is a discussion underway in literature as to formal requirements for password systems [ 1-5, 7-11 ].

III.

REGULATORY REQUIREMENTS

As is well known, the password requirements were set out in the Orange Book and were actually reduced to password length (6 and 8 characters depending on the system protection class). Current documents define the availability, as a minimum, of a password protection policy at an organization or in a computer system. Some requirements can be made more specific, while others are left in the hands of system administrators (Table 1).

IV.

PASSWORD SECURITY METRICS

Listed below are some of the best known password security index classes:

Numerical metrics (e.g. Orange Book);

Probabilistic metrics [2, 7, 8]; Shannon informational entropy [6]; Heuristic entropy modifications [3, 10, 11]; Probabilistic entropy modifications [9].

NIST-recommended password entropy can be calculated by statistics for specific systems, which is not always practicable.

This work will consider the Shannon entropy and heuristic entropy (recommended by NIST SP 800-22). The methods differ in that the Shannon entropy assumes a password to be generated by a random-number generator, while heuristic entropy implies a human created password.

The Shannon entropy is calculated as follows: = log2| | = ∙ log2| | = ln| | ln 2 , where |A| is alphabet capacity, n is password length.

The metric suggests that the more complicated the alphabet and the longer the password, the more secure the latter is.

Given below is the Shannon entropy calculation example (Table 2). of a password containing non-alphanumeric or uppercase characters.

This formula can be described as follows: the first password character receives a value of 4 bits, each subsequent character from the second to the eighth one receives 2 bits, from the ninth to the twentieth – 1.5 bits and each subsequent – 1 bit. If there are non-alphanumeric or uppercase characters, 6 bits are added to the obtained result.

For these metrics, a password is considered secure if it conforms to the entropy [ 11 ]: - according to Shannon – 56 bits or more; - on NIST recommendations – 24 bits or more.

The above criteria should be restricted, i.e. if a password is recorded in password brute forcing databases (dictionaries), entropy is reduced to zero. last year. Presented below is certain statistics obtained for each password

database. The outcomes of the study into the compromised password database of

Yandex (1,261,809 passwords) are listed in tables 3-5, Mail.ru (45,000) – tables 68, Google (4,926,673) – tables 9-11.

Used alphabet PWD including numerals only PWD composed of characters PWD composed of lowercase letters only PWD similar to mobile phone number PWD coinciding with login PWD similar to dates PWD suitable for secure password informal description PWD suitable as per Shannon security PWD suitable as per NIST security Number of passwords 774,669 1,968,873 1,968,873 22,751 45,010 156,142 0

Comparative analysis of the obtained and earlier known statistics [ 12, 13 ] showed a trend for slight strengthening of password protection. This is because some Internet services defined stricter rules for interfaces, for example, strengthened requirements for password length (at least 6 characters) and the use of a relatively complicated alphabet. The statistics suggests, however, that the above fact does not stop unorganized and careless users from choosing easily hackable passwords, and the number of Top 500 passwords has hardly changed over the years.

In general, the study confirmed that the authentication system remains highly vulnerable (only 10% of passwords can be considered reliable), which prompts the creation of integrated information protection systems and the improvement of information security management systems.

Finally, it should be noted that using entropic metrics instead of verbal descriptions is more practical in defining technical requirements for information security systems, as they are easier to automate and control. Besides, the use of formal indices helps diminish the degree of subjectivity inherent in system security analysis.

[1] Bonneau

Guessing human-chosen secrets . Technical Report UCAMCL-TR-819 . 2012 . 161 p.

[2] Bonneau

The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords . In 2012 IEEE Symposium on Security and Privacy , IEEE, 2012 , pp. 538 - 552 . DOI: 10 .1109/SP. 2012 . 49 .

[3] Boothroyd

, Chiasson

Writing down your password: Does it help?

In Proc. of the 2013 Eleventh Annual Conference on Privacy, Security and Trust , IEEE, 2013 , pp. 267 - 274 . DOI: 10 .1109/PST. 2013 . 6596062 .

[4] Burnett

Perfect Password : Selection, Protection, Authentication. Syngress Publishing, 2006 .194 p.

[5] Burr

W.E.

and etc . Electronic Authentication Guideline. NIST Special Publication 800-63-1 . 2011 . 110 p.

[6] Christiansen

M.M.

, Duffy

K.R.

Guesswork , Large Deviations, and Shannon Entropy, IEEE Transactions on Information Theory , 2013 , volume 59 , issue 2, pp. 796 - 802 DOI: 10.1109/TIT. 2012 . 2219036 .

[7] Galbally

, Coisel

, Sanchez

A probabilistic framework for improved password strength metrics . In Proc. of the 2014 International Carnahan Conference on Security Technology (ICCST) , IEEE, 2014 , pp. 1 - 6 . DOI: 10 .1109/CCST. 2014 . 6986985 .

[8] Galbally

, Coisel

, Sanchez

A New Multimodal Approach for Password Strength Estimation-Part I: Theory and Algorithms . IEEE Transactions on Information Forensics and Security , 2017 , volume 12 , issue 12, pp. 2829 - 2844 . DOI: DOI: 10.1109/TIFS. 2016 . 2636092 .

[9] Groza

Analysis of a Password Strengthening Technique and Its Practical Use . In Proc. of 2009 Third International Conference on Emerging Security Information, Systems and Technologies , IEEE, 2009 , pp. 292 - 297 . DOI: 10 .1109/SECURWARE. 2009 . 52 .

[10] Kelley

P.G.

and etc. Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms . In proc. of the 2012 IEEE Symposium on Security and Privacy , IEEE, 2012 , pp. 523 - 537 . DOI: 10 .1109/SP. 2012 . 38 .

[11] Markov

, Sharunov

. About Information Security of Email Services. Voprosy kiberbezopasnosti [Cybersecurity issues] , 2015 , No 5 ( 13 ), pp. 55 - 59 . DOI: 10 .21681/ 2311 -3456-2015-5- 55 -59.

[12] The Top 500 Worst Passwords of All Time , 2008 . URL: http://www.whatsmypass.com/the-top-500 - worst -passwords-of-all-time. (Last access : 01 /12/ 2017 ).

[13] The Top 500 Worst Passwords of All Time . 2010 . URL: https://www.symantec.com/connect/blogs/top-500 - worst-passwords-alltime. (Last access: 01 /12/ 2017 ).