Mail Service Password Security

George Markov
Information Security Department
Bauman Moscow State Technical University
Moscow, Russia
gm@cnpo.ru

Vladislav Sharunov
Department of Computing and IS
University of Greenwich
London, Great Britain
mrvo788@gmail.com

Abstract—As the first line of protection for a computer system, the authentication system is of critical importance in the information security area. Despite the steady development of information security mechanisms, the password is still the most commonly used authentication tool. The key vulnerability of such a protection mechanism is the selection of an insecure password. The period of 2014-2017 saw major Internet companies suffer a number of password database leaks, which were followed by a study of real password security. It should be noted that password system protection has not advanced much over the past years; mainly, there has been a clear tendency to impose stricter requirements on the password entry interface. This being the case, there is still a question, yet to be answered, of which passwords can be considered secure and which cannot. The work offers examples of password system assessment and reviews leaked passwords for their security under the current requirements. Security was verified using metrics (password security indices). These metrics provided the basis for defining objective requirements for password system security.

Keywords— identification, authentication, password metric, information security, information protection, password system

I. INTRODUCTION

Even though the problems of password system security are subject to permanent study, this issue remains yet to be dealt with in practice, for subjective reasons. For example, software system developers treat the password system security issue in different ways, while users often fail to meet the authentication system security policy in full.

Over the last two years, there have been a number of major leaks from password databases of communication Internet services (Twitter, Hotmail, Yandex, Google, Mail, Dropbox etc.). This allowed password security to be investigated using informal and formal indices.

II. PASSWORD SECURITY STRENGTH CONCEPT

Let us consider the password mining probability formula:

$$P = \frac{V \cdot T}{|A|^n},$$

where V is the attacker's password brute-forcing rate, T is the password age, $|A|^n$ is the password space capacity and n is the password length.

The above formula allows the conclusion that password security is largely affected by the password change frequency and by the password space capacity, which is characterized by the length and the alphabet used to create the password.

This makes it possible to formulate simple substantive criteria whereby a password is considered secure:

- password length must be at least 8 characters;
- characters of different cases must be included;
- numerals must be used;
- special characters must be used;
- the password must not be based on a word;
- the password must not include words relating to the password owner.

Meanwhile, there is a discussion underway in the literature as to formal requirements for password systems [1-5, 7-11].

III. REGULATORY REQUIREMENTS

As is well known, the password requirements were set out in the Orange Book and were actually reduced to password length (6 and 8 characters depending on the system protection class). Current documents define, as a minimum, the availability of a password protection policy at an organization or in a computer system. Some requirements can be made more specific, while others are left in the hands of system administrators (Table 1).

IV. PASSWORD SECURITY METRICS

Listed below are some of the best known password security index classes:

- numerical metrics (e.g. Orange Book);
- probabilistic metrics [2, 7, 8];
- Shannon informational entropy [6];
- heuristic entropy modifications [3, 10, 11];
- probabilistic entropy modifications [9].
Table 1. Information security regulatory documents

| Document title | Minimum password length requirement | Password updating frequency / security control requirement |
|---|---|---|
| Payment Card Industry Data Security Standard | 7 characters | + (90 days) |
| Australian Government Information Security Manual. Controls (Australia) | - | + (90 days) |
| The IT-Grundschutz Catalogues (Germany) | - | + |
| Cyber Essentials Scheme. Requirements for basic technical protection from cyber-attacks (Great Britain) | 8 characters | + (60 days, 3 months, 6 months) |
| Information Security Provisions in Federal Information Systems (Russia) | 6, 8 characters | + (180, 120, 90, 60 days) |
| Requirements for Information Security in Process Control Systems… (Russia) | 6, 8 characters | + (180, 120, 90, 60 days) |
| NIST SP 800-53 / NIST SP 800-63B (USA) | - | + |
| Information Assurance Implementation. Department of Defense Instruction 85002.2, 2003 (USA) | 8 characters | + (3, 6 months) |

Numerical metrics include password brute forcing time values. Unfortunately, this method takes no account of deliberate brute forcing and guessing.

Probabilistic metrics are based on the available password statistics for specific systems, which is not always practicable.

This work will consider the Shannon entropy and the heuristic entropy (recommended by NIST SP 800-22). The methods differ in that the Shannon entropy assumes a password to be generated by a random-number generator, while the heuristic entropy implies a human-created password.

The Shannon entropy is calculated as follows:

$$H = \log_2 |A|^n = n \cdot \log_2 |A| = n \cdot \frac{\ln |A|}{\ln 2},$$

where |A| is the alphabet capacity and n is the password length.

The metric suggests that the more complicated the alphabet and the longer the password, the more secure the latter is.

Given below is a Shannon entropy calculation example (Table 2).

Table 2. Entropy calculation example

| Alphabet / length | 5 | 6 | 7 | 8 |
|---|---|---|---|---|
| Latin | 23.5 | 28.2 | 32.9 | 37.6 |
| Numerals | 16.6 | 19.9 | 23.2 | 26.5 |
| Latin + uppercase + numerals | 29.7 | 35.7 | 41.6 | 47.6 |
| Latin + Cyrillic + uppercase + numerals | 35 | 41.9 | 48.9 | 55.9 |

The NIST-recommended password entropy can be calculated by the following formula:

$$S = 4 + \sum_{i=2}^{8} 2 + \sum_{i=9}^{20} 1.5 + \sum_{i=21}^{n} 1 + 6\chi_A,$$

where $i \le n$, n is the password length and $\chi_A$ is the characteristic function of a password containing non-alphanumeric or uppercase characters.

This formula can be described as follows: the first password character receives a value of 4 bits, each subsequent character from the second to the eighth receives 2 bits, from the ninth to the twentieth 1.5 bits, and each subsequent character 1 bit. If there are non-alphanumeric or uppercase characters, 6 bits are added to the obtained result.

For these metrics, a password is considered secure if it conforms to the entropy threshold [11]:

- according to Shannon, 56 bits or more;
- according to the NIST recommendations, 24 bits or more.

The above criteria should be restricted, i.e. if a password is recorded in password brute forcing databases (dictionaries), its entropy is reduced to zero.

V. STUDY OUTCOMES

Password databases have been compromised very often of late. For example, such password databases became publicly available more recently.

Research software was used to process a few password databases made publicly available by hackers on the Internet last year. Presented below are certain statistics obtained for each password database. The outcomes of the study into the compromised password databases of Yandex (1,261,809 passwords) are listed in Tables 3-5, Mail.ru (45,000) in Tables 6-8 and Google (4,926,673) in Tables 9-11.

Table 3. Password length (Yandex)

| Password length | Number of passwords |
|---|---|
| 6 | 380,732 |
| 7 | 174,782 |
| 8 | 282,641 |
| 9 | 130,676 |
| 10 | 103,926 |
| 11 | 71,948 |
| 12 | 45,387 |
| 13 | 20,127 |
| 14 | 14,950 |
| 15 | 9,895 |
| 16 | 7,646 |
| 17 | 3,487 |
| 18 | 3,104 |
| 19 | 1,747 |
| 20 | 2,660 |
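As an added illustration (not code from the paper), the two entropy metrics of Section IV, the 56-bit and 24-bit thresholds with the dictionary restriction, and the Section II guess-probability formula in Python; the dictionary contents and the 26/26/10/33 character-class sizes used to infer |A| for a given password are assumptions.

```python
import math

# Thresholds the paper adopts from [11]: 56 bits (Shannon) and 24 bits (NIST heuristic).
SHANNON_SECURE_BITS = 56
NIST_SECURE_BITS = 24

# Constructed stand-in for a brute-forcing dictionary; a real one holds millions of entries.
DICTIONARY = {"123456", "123456789", "qwerty", "password", "111111"}

def shannon_entropy(alphabet_size: int, length: int) -> float:
    """H = n * log2(|A|): entropy of a password drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def inferred_alphabet_size(password: str) -> int:
    """Size of the union of character classes present (assumed 26 lower, 26 upper,
    10 digits, 33 ASCII symbols). The Shannon metric assumes random generation,
    so this is the most optimistic |A| a human-chosen password can claim."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    return sum(n for test, n in classes if any(test(c) for c in password))

def nist_entropy(password: str) -> float:
    """Heuristic entropy S: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for 9-20, 1 bit each from the 21st on,
    plus 6 bits if any uppercase or non-alphanumeric character is present."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0 + 2.0 * (min(n, 8) - 1) + 1.5 * max(0, min(n, 20) - 8) + max(0, n - 20)
    if any(c.isupper() or not c.isalnum() for c in password):
        bits += 6.0
    return bits

def assess(password: str, dictionary=DICTIONARY) -> dict:
    """Both metrics with the paper's restriction: a dictionary entry scores zero."""
    if password in dictionary:
        h = s = 0.0
    else:
        h = shannon_entropy(inferred_alphabet_size(password), len(password))
        s = nist_entropy(password)
    return {"shannon_bits": round(h, 1), "nist_bits": s,
            "shannon_secure": h >= SHANNON_SECURE_BITS,
            "nist_secure": s >= NIST_SECURE_BITS}

def guess_probability(rate_per_s: float, age_s: float, alphabet_size: int, length: int) -> float:
    """Section II: P = V*T / |A|^n, capped at 1 once the whole space has been tried."""
    return min(1.0, rate_per_s * age_s / alphabet_size ** length)
```

Running assess() over a leaked list reproduces the "suitable as per Shannon / NIST security" rows of the study's tables, and the two verdicts often disagree because the Shannon figure credits a human-chosen password with an alphabet it never really used.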
Table 4. Top 10 repeated passwords (Yandex)

| Password | Number of repetitions |
|---|---|
| 123456 | 39,177 |
| 123456789 | 13,892 |
| 111111 | 9,826 |
| qwerty | 7,926 |
| 1234567890 | 5,853 |
| 1234567 | 4,668 |
| 7777777 | 4,606 |
| 123321 | 4,324 |
| 000000 | 3,304 |
| 123123 | 3,031 |

Table 5. Password alphabet (Yandex)

| Used alphabet | Number of passwords |
|---|---|
| Passwords (PWD) including numerals only | 608,125 |
| PWD composed of characters | 233,561 |
| PWD composed of lowercase letters only | 218,319 |
| PWD composed of uppercase letters only | 3,136 |
| PWD similar to mobile phone number | 40,980 |
| PWD coinciding with login | 1,489 |
| PWD similar to dates | 171,906 |
| PWD suitable for secure password informal description | 345 |
| PWD suitable as per Shannon security | 143,802 |
| PWD suitable as per NIST security | 108,951 |

Table 6. Password length (Mail.ru)

| Password length | Number of passwords |
|---|---|
| 6 | 17,484 |
| 7 | 4,155 |
| 8 | 12,562 |
| 9 | 3,212 |
| 10 | 2,421 |
| 11 | 1,399 |
| 12 | 1,106 |
| 13 | 627 |
| 14 | 438 |
| 15 | 293 |
| 16 | 205 |
| 17 | 12 |
| 18 | 20 |
| 19 | 2 |
| 20 | 15 |

Table 7. Top 10 repeated passwords (Mail.ru)

| Password | Number of repetitions |
|---|---|
| qwerty | 4,291 |
| 987654321 | 1,385 |
| 4815162342 | 661 |
| 11111111 | 615 |
| 123123123 | 578 |
| 789456123 | 448 |
| 12341234 | 408 |
| 147852369 | 380 |
| 444444 | 353 |
| q1w2e3 | 331 |

Table 8. Password alphabet (Mail.ru)

| Used alphabet | Number of passwords |
|---|---|
| PWD including numerals only | 18,806 |
| PWD composed of characters | 14,650 |
| PWD composed of lowercase letters only | 13,835 |
| PWD composed of uppercase letters only | 53 |
| PWD similar to mobile phone number | 138 |
| PWD coinciding with login | 3,619 |
| PWD similar to dates | 9,287 |
| PWD suitable for secure password informal description | 5 |
| PWD suitable as per Shannon security | 3,916 |
| PWD suitable as per NIST security | 3,274 |

Table 9. Password length (Google)

| Password length | Number of passwords |
|---|---|
| 6 | 924,154 |
| 7 | 663,510 |
| 8 | 1,422,999 |
| 9 | 683,315 |
| 10 | 682,811 |
| 11 | 152,256 |
| 12 | 93,202 |
| 13 | 42,387 |
| 14 | 24,853 |
| 15 | 14,851 |
| 16 | 7,291 |
| 17 | 2,549 |
| 18 | 1,781 |
| 19 | 1,082 |
| 20 | 1,166 |

Table 10. Top 10 repeated passwords (Google)

| Password | Number of repetitions |
|---|---|
| 123456 | 47,918 |
| password | 11,554 |
| 123456789 | 11,160 |
| 12345 | 8,096 |
| querty | 5,918 |
| 12345678 | 5,250 |
| 111111 | 3,521 |
| abc123 | 3,011 |
| 123123 | 2,972 |
| 1234567 | 2,911 |

Table 11. Password alphabet (Google)

| Used alphabet | Number of passwords |
|---|---|
| PWD including numerals only | 774,669 |
| PWD composed of characters | 1,968,873 |
| PWD composed of lowercase letters only | 1,968,873 |
| PWD similar to mobile phone number | 22,751 |
| PWD coinciding with login | 45,010 |
| PWD similar to dates | 156,142 |
| PWD suitable for secure password informal description | 0 |
| PWD suitable as per Shannon security | 290,530 |
| PWD suitable as per NIST security | 157,475 |

VI. CONCLUSION

Comparative analysis of the obtained and earlier known statistics [12, 13] showed a trend for slight strengthening of password protection. This is because some Internet services defined stricter rules for interfaces, for example, strengthened requirements for password length (at least 6 characters) and the use of a relatively complicated alphabet. The statistics suggest, however, that this does not stop unorganized and careless users from choosing easily hackable passwords, and the number of Top 500 passwords has hardly changed over the years.
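As an added example, not the authors' research software, a Python sketch of the structural classification behind the "Used alphabet" and "Top 10 repeated passwords" tables, run over a constructed sample of login/password records; the phone-number and date patterns are assumptions about what "similar to" means in those tables.

```python
import re
from collections import Counter

# Constructed sample of (login, password) records standing in for a leaked
# mail-service dump; the real study processed millions of such rows.
SAMPLE = [
    ("ivan.p", "123456"), ("olga77", "qwerty"), ("m.petrov", "m.petrov"),
    ("anna", "19890312"), ("sergey", "79161234567"), ("kate_k", "123456"),
    ("dmitry", "QWERTY"), ("lena", "12.05.1991"), ("nick", "letmein"),
    ("vasya", "Vasya2001!"), ("tom", "123456"), ("jerry", "19901225"),
]

# Russian mobile number as dialled (+7/7/8 plus ten digits); an assumption
# about what "similar to mobile phone number" means in the tables.
PHONE_RE = re.compile(r"^(\+?7|8)\d{10}$")

def looks_like_date(pw: str) -> bool:
    """DD.MM.YYYY, DDMMYYYY or YYYYMMDD with plausible day, month and year."""
    digits = pw.replace(".", "")
    if not digits.isdigit() or len(digits) != 8:
        return False
    if digits.startswith(("19", "20")):          # YYYYMMDD
        y, m, d = int(digits[:4]), int(digits[4:6]), int(digits[6:])
    else:                                        # DDMMYYYY
        d, m, y = int(digits[:2]), int(digits[2:4]), int(digits[4:])
    return 1 <= d <= 31 and 1 <= m <= 12 and 1900 <= y <= 2099

# Category name -> predicate over (login, password); one password may hit several.
CATEGORIES = [
    ("numerals only", lambda login, pw: pw.isdigit()),
    ("lowercase letters only", lambda login, pw: pw.isalpha() and pw.islower()),
    ("uppercase letters only", lambda login, pw: pw.isalpha() and pw.isupper()),
    ("similar to mobile phone number", lambda login, pw: bool(PHONE_RE.match(pw))),
    ("coinciding with login", lambda login, pw: pw.lower() == login.lower()),
    ("similar to dates", lambda login, pw: looks_like_date(pw)),
]

def classify(login: str, pw: str) -> set:
    """Set of table categories the password falls into (empty if none apply)."""
    return {name for name, test in CATEGORIES if test(login, pw)}

def alphabet_stats(records) -> Counter:
    """'Used alphabet'-style counts: how many passwords fall into each category."""
    return Counter(c for login, pw in records for c in classify(login, pw))

def top_repeated(records, k: int = 10) -> list:
    """'Top 10 repeated passwords'-style list of the k most frequent passwords."""
    return Counter(pw for _, pw in records).most_common(k)
```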
In general, the study confirmed that the authentication system remains highly vulnerable (only 10% of passwords can be considered reliable), which prompts the creation of integrated information protection systems and the improvement of information security management systems.

Finally, it should be noted that using entropic metrics instead of verbal descriptions is more practical in defining technical requirements for information security systems, as they are easier to automate and control. Besides, the use of formal indices helps diminish the degree of subjectivity inherent in system security analysis.

REFERENCES

[1] Bonneau J. Guessing human-chosen secrets. Technical Report UCAM-CL-TR-819. 2012. 161 p.
[2] Bonneau J. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In 2012 IEEE Symposium on Security and Privacy, IEEE, 2012, pp. 538-552. DOI: 10.1109/SP.2012.49.
[3] Boothroyd V., Chiasson S. Writing down your password: Does it help? In Proc. of the 2013 Eleventh Annual Conference on Privacy, Security and Trust, IEEE, 2013, pp. 267-274. DOI: 10.1109/PST.2013.6596062.
[4] Burnett M. Perfect Password: Selection, Protection, Authentication. Syngress Publishing, 2006. 194 p.
[5] Burr W.E. et al. Electronic Authentication Guideline. NIST Special Publication 800-63-1. 2011. 110 p.
[6] Christiansen M.M., Duffy K.R. Guesswork, Large Deviations, and Shannon Entropy. IEEE Transactions on Information Theory, 2013, volume 59, issue 2, pp. 796-802. DOI: 10.1109/TIT.2012.2219036.
[7] Galbally J., Coisel I., Sanchez I. A probabilistic framework for improved password strength metrics. In Proc. of the 2014 International Carnahan Conference on Security Technology (ICCST), IEEE, 2014, pp. 1-6. DOI: 10.1109/CCST.2014.6986985.
[8] Galbally J., Coisel I., Sanchez I. A New Multimodal Approach for Password Strength Estimation—Part I: Theory and Algorithms. IEEE Transactions on Information Forensics and Security, 2017, volume 12, issue 12, pp. 2829-2844. DOI: 10.1109/TIFS.2016.2636092.
[9] Groza B. Analysis of a Password Strengthening Technique and Its Practical Use. In Proc. of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies, IEEE, 2009, pp. 292-297. DOI: 10.1109/SECURWARE.2009.52.
[10] Kelley P.G. et al. Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. In Proc. of the 2012 IEEE Symposium on Security and Privacy, IEEE, 2012, pp. 523-537. DOI: 10.1109/SP.2012.38.
[11] Markov G., Sharunov V. About Information Security of Email Services. Voprosy kiberbezopasnosti [Cybersecurity issues], 2015, No 5 (13), pp. 55-59. DOI: 10.21681/2311-3456-2015-5-55-59.
[12] The Top 500 Worst Passwords of All Time, 2008. URL: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time (Last access: 01/12/2017).
[13] The Top 500 Worst Passwords of All Time, 2010. URL: https://www.symantec.com/connect/blogs/top-500-worst-passwords-all-time (Last access: 01/12/2017).