3.1.4 Password Strength: an Empirical Analysis

The researchers Dell'Amico, Michiardi and Roudier (2010) conducted a study to compare and evaluate the effectiveness of various password cracking attacks using known datasets of passwords. The empirical analysis was conducted to answer the research question: "given a number of guesses, what is the probability that a state-of-the-art attacker will be able to break a password?" (Dell'Amico et al., 2010, p. 1). Based on the study, the researchers found the 'diminishing returns' principle to hold true: weak passwords are cracked easily, but as the attack goes on, the probability that further guesses find correct passwords decreases. Dell'Amico et al. propose that the results of the study would help to evaluate the security of passwords and serve as a basis for developing effective pro-active password checkers and security auditing tools.

Dell'Amico et al. (2010) discuss the importance of evaluating the resilience of passwords to guessing attacks. The resilience can be measured by comparing the number of guesses (i.e., the search space size) against the percentage of passwords successfully cracked. The attack model used determines the cost of each guess for the attacker; combining the cost of each guess with the size of the search space yields a cost-benefit analysis for guessing-based attacks on password authentication systems. Dell'Amico et al. also conducted a literature review of the previous work done in the area. They compared search space size versus the number of cracked passwords using various attack methods, including dictionary attacks, brute-force attacks, dictionary mangling, probabilistic context-free grammars, and Markov chains. They conducted the experiments on three large datasets of passwords, which differed in terms of application, domain, and user localisation.

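The measurement the study describes (search space size against the share of passwords cracked, with a per-guess cost attached) can be reproduced on a small scale. The following is an added example, not code from Dell'Amico et al. (2010) or from this thesis: it fixes one guessing order (a constructed eight-word list expanded by a few mangling rules, standing in for the dictionary-mangling attack the study compares), assigns each password in a constructed sample its guess number, and derives from those numbers the cracked-fraction curve, the marginal yield per guess that shows the diminishing-returns effect, the guess count needed to reach a target fraction (multiply by the attack model's per-guess cost for the cost-benefit figure), and a simple proactive checker that rejects passwords the modelled attacker reaches too early. The wordlist, mangling rules and sample passwords are all assumptions made for the example.

```python
"""Guess-number analysis of a password sample (added example, not the study's code)."""
import math
from typing import Iterator, List, Optional

# Constructed base wordlist, in an assumed frequency order (most common first).
WORDLIST = ["password", "123456", "qwerty", "letmein",
            "dragon", "monkey", "football", "shadow"]

# Constructed password sample, weighted towards common choices as leaked sets
# tend to be; the last two lie outside the modelled search space entirely.
SAMPLE = ["password", "password", "Password", "password1", "qwerty",
          "123456", "123456!", "letmein", "dragon123", "m0nk3y",
          "football!", "Tr0ub4dor&3", "correct horse battery staple"]


def mangle(word: str) -> Iterator[str]:
    """Assumed mangling rules: as-is, capitalised, digit/symbol suffixes, leet."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!"):
        yield word + suffix
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def guess_order(wordlist: List[str] = WORDLIST) -> Iterator[str]:
    """The attack model: every mangle of word 1, then of word 2, ... without repeats."""
    seen = set()
    for word in wordlist:
        for guess in mangle(word):
            if guess not in seen:
                seen.add(guess)
                yield guess


def guess_numbers(passwords: List[str], wordlist: List[str] = WORDLIST) -> List[Optional[int]]:
    """1-based position of each password in the guess order; None if never produced."""
    position = {}
    for n, guess in enumerate(guess_order(wordlist), start=1):
        position.setdefault(guess, n)
    return [position.get(p) for p in passwords]


def cracked_count(passwords: List[str], guesses: int, wordlist: List[str] = WORDLIST) -> int:
    """How many sample passwords fall within the first `guesses` guesses."""
    return sum(1 for n in guess_numbers(passwords, wordlist) if n is not None and n <= guesses)


def cracked_fraction(passwords: List[str], guesses: int, wordlist: List[str] = WORDLIST) -> float:
    """Share of the sample cracked within the first `guesses` guesses (one curve point)."""
    return cracked_count(passwords, guesses, wordlist) / len(passwords)


def marginal_yield(passwords: List[str], checkpoints: List[int],
                   wordlist: List[str] = WORDLIST) -> List[float]:
    """Passwords cracked per guess within each interval between successive checkpoints.
    A falling sequence is the diminishing-returns effect the study reports."""
    yields, prev_guesses, prev_count = [], 0, 0
    for guesses in checkpoints:
        count = cracked_count(passwords, guesses, wordlist)
        yields.append((count - prev_count) / (guesses - prev_guesses))
        prev_guesses, prev_count = guesses, count
    return yields


def guesses_to_crack(passwords: List[str], fraction: float,
                     wordlist: List[str] = WORDLIST) -> Optional[int]:
    """Smallest guess count at which at least `fraction` of the sample is cracked,
    or None if this guessing order never gets there. Times the per-guess cost of
    the attack model, this is the attacker's cost for that benefit."""
    numbers = sorted(n for n in guess_numbers(passwords, wordlist) if n is not None)
    needed = math.ceil(fraction * len(passwords))
    if needed == 0:
        return 0
    return numbers[needed - 1] if needed <= len(numbers) else None


def is_acceptable(password: str, min_guess_number: int, wordlist: List[str] = WORDLIST) -> bool:
    """Proactive checker: accept only passwords the modelled attacker reaches late or never."""
    n = guess_numbers([password], wordlist)[0]
    return n is None or n >= min_guess_number


if __name__ == "__main__":
    checkpoints = [5, 10, 20, 46]
    for guesses in checkpoints:
        print(f"{guesses:>3} guesses: {cracked_fraction(SAMPLE, guesses):.2%} cracked")
    print("marginal yield per guess:", [round(y, 3) for y in marginal_yield(SAMPLE, checkpoints)])
    print("guesses to crack half the sample:", guesses_to_crack(SAMPLE, 0.5))
```

The curve and the marginal yields are what the study plots for each attack model; the checkpoints are the x-axis positions. The checker uses the same guess number in the other direction: instead of asking how many passwords a budget of guesses recovers, it asks whether one candidate password would be recovered inside a budget the policy considers too small.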
The three datasets of passwords obtained by the researchers were the 'Italian dataset', 'Finnish dataset' and 'MySpace dataset'. The Italian dataset contained unencrypted passwords from an Italian instant messaging server running on the XMPP protocol. The Finnish dataset contained a publicly released password set in encrypted and unencrypted format from different Finnish forum websites. The researchers considered the unencrypted passwords from this dataset for the purpose of their study. The MySpace dataset contained disclosed passwords that were