WIXLIB

4Ding Wang and Ping WangConsequently, the question of how well these sites actually reject weak passwordsand withstand online guessing remains unanswered.Another limitation of existing works is that little attention has been given tonon-English web services. As typical hieroglyphics, Chinese has been the mainlanguage used in a total of over 3.64 million web services until 2014 and about0.95 million new web services that started up in 2014 (which means 0.95M newpassword policies come out and impact on common users.) [24]. What’s more,Chinese web users, who have reached 649 million by the end of 2014 [13], havebeen the largest Internet population in the world and account for a quarter of theworld’s total netizens. Therefore, it is important (and interesting) to investigatewhat’s the strengths and weaknesses of the current password policies in Chineseweb services as compared to their English counterparts.Our contributions. The main contributions of this work are as follows:(1) First, we propose a systematic, evidence-grounded methodology for measuring password creation policies and investigate the status quo of policiesenforced by 50 leading web services (with special emphasis on Chinese webservices) with a total of ten application domains. We find that, generally,gaming sites, email sites, e-commerce sites and non-profit organizationsmanage with the least restrictive password rules, while the sites of ITmanufacturers impose the most stringent ones; Web portals, email sites,e-commerce sites and technical forums tend to provide explicit feedbacksof the password strength to users, while sites of security companies, ITmanufacturers and academic services, ironically, often do not bother toprovide users with any piece of information about password strength.(2) Second, we explore the differences in password policy choices betweenEnglish sites and Chinese sites. Compared to their English counterparts,Chinese sites, in general, are more undaunted (audacious) in their password rule choices, while there is no significant difference between thesetwo groups of sites with regard to the password meter choices.(3) Third, we employ state-of-the-art password cracking techniques (including the probabilistic-context-free-grammar (PCFG) based and MarkovChain-based) to measure the strength of the 16 testing passwords thatare used to represent two primary types of online password guessingattempts. This provides a reliable benchmark (ordering) of the actualstrength of these testing passwords beyond intuitive (heuristic) estimatesas opposed to previous works like [11, 20]. We observe that most of themeters overestimate the strength of at least some of these 16 passwords,rendering the corresponding web services vulnerable to online guessing.The structure of this paper is as follows: Our methodology is elaborated inSec. 2; Our results are presented in Sec. 3. The conclusion is drawn in Sec. 4.2Our methodologyAs there is little research on studying password practices and the approachesused in the few pioneering works [8, 11, 18, 20] are far from systematic and may

The Emperor’s New Password Creation Policies5be demoded over the past five years, in the following we take advantage of stateof-the-art techniques and elaborate on a systematic methodology for measuringpassword policies. As far as we know, for the first time several new approaches(e.g., the use of large-scale real-life passwords as corroborative evidence, the useof targeted online guessing to measure password strength, and the classificationand selection of testing passwords) are introduced into this domain.2.1 Selecting representative sitesTo investigate the status quo of password creation policies deployed in today’sInternet (with special emphasis on Chinese web services), first of all we selectedten themes of web services that we are most interested in and that are alsohighly relevant to our daily online lives: web portal, IT corporation, email, security corporation, e-commerce, gaming, technical forum, social forum, academicservice and non-profit organization. Then, for each theme we choose its top5 sites according to the Alexa Global Top 500 sites list based on their trafficranking (http://www.alexa.com/topsites). Some companies (e.g., Microsoftand Google) may offer various services (e.g., email, search, news, product support) and have a few affiliated sites, fortunately they generally rely on the sameauthentication system (e.g., Windows Live and Google Account) to manage allconsumer credentials and we can consider all the affiliated sites as one. Similarly,for each theme we also choose its top 10 sites that are among the Alexa Top 500Chinese sites rank list. In this way, there are 15 leading sites selected for eachtheme: 5 from English sites and 10 from Chinese sites. Further, we randomlyselected 5 sites out of these 15 sites for each theme, resulting in 50 sites used inthis work (see Table 5): 20 from English sites and 30 from Chinese sites.We note that though our selected websites have a wide coverage, yet many other themes are still left unexplored, such as e-banking, e-health and e-government.The primary reason why we does not include them is that, they rely heavilyon multi-factor authentication techniques in which passwords play a much lesscritical role. In addition, the number of sites allocated for each theme is alsolimited. Nonetheless, our sample characterizes the current most recognised andleading portion of the online web services, which attract the majority of thevisit traffic [28, 31]. Therefore, the password practices used by these sites willimpact on the major fraction of end-users and may also became a model forother less leading sites (which generally are with less technical, capital andhuman resources). Further considering the amount of work incurred for onesite, an inspection of 50 sites is really not an easy task, let alone an initialstudy like ours (as there is no sophisticated procedure to follow, we have tocarry out an iterative process of data collection). In the future work, we areconsidering to increase the number of sites for each theme to 10 or possibly 20,and the investigation results as well as a set of evidence-supported, practicablepolicy recommendations will be made available at the companion site .2 Measuring password policy strengthThe task of measuring strength of a policy is generally accomplished by evaluating strength of the password dataset generated under this policy, and a number

6Ding Wang and Ping Wangof methods for tackling the latter issue have been proposed, including statisticalbased ones (e.g., guessing entropy and α-guesswork [6]) and cracking-based ones(e.g., [34, 53]). However, these methods all require access to a real passworddataset with sufficient size. Fortunately, we note that Florêncio and Herley [18]’ssimple metric —Nmin ·log2 Cmin — is not subject to this restriction and sufficientfor our purpose, where Nmin is the minimum length allowed and Cmin is thecardinality of the minimum charset imposed.5 For instance, the strength of apolicy that requires a user’s password to be no short than 6 and must contain aletter and a number is 31.02( 6 · log2 36) bits. This metric well characterizes theminimum strength of passwords allowed by the policy, providing a lower boundof the policy strength. We adopt this metric in our work.Table 1. Basic information about the seven password datasets used in this ServicesLocation inaChineseEcommerceChinaChineseProgramming ChinaChineseGamingChinaChinesePortalUSAEnglishWhen leakedDec. 14, 2009Dec. 4, 2011Dec. 2, 2011Dec. 3, 2011Dec. 2, 2011Dec. 1, 2011July 12, 2012How leaked Total passwordsSQL injection32,603,387Hacker breached30,233,633Hacker breached19,138,452Hacker breached16,231,271Hacker breached6,428,287Insider disclosed4,982,740SQL injection453,4912.3 Exploiting real-life password datasetsOur work relies on seven password datasets, a total of 124.9 million real-lifepasswords (see Table 1), to train the cracking algorithms and learn some basicstatistics about user password behaviors in practice. Five datasets of Chineseweb passwords, namely Tianya (31.7 million), 7k7k (19.1 million), Dodonew(16.3 million), Duowan (8.3 million) and CSDN (6.4 million), were all leakedduring Dec. 2011 in a series of security breaches [36]. Tianya is the largest socialforum in China, 7k7k, Dodonew and Duowan are all popular gaming forums inChina, and CSDN is a well-known technical forum for Chinese programmers.Two datasets of English web passwords, namely Rockyou (32.6 million) andYahoo (0.5 million), were among the most famous datasets in password research[35, 53]. Rockyou is one of the world’s largest in-game video and platform forpremium brands located in US, and its passwords were disclosed by a hackerusing a SQL injection in Dec. 2009 [3]. This dataset is the first source of largescale real-life passwords that are publicly available. Yahoo is one of the mostpopular sites in the world known for its Web portal, search engine and relatedservices like Yahoo Mail, Yahoo News and Yahoo Finance. It attracts “more thanhalf a billion consumers every month in more than 30 languages”. Its passwordswere hacked by the hacker group named D33Ds in July 2012 [55]. We will payspecial attention to this site because it has changed its password policy, as faras we can confirm, at least three times during the past five years.2.4 Measuring password strengthEssentially, the strength of a password is its guessing resistance against theassumed attacker. This equals the uncertainty this attacker has to get rid of,and naturally the idea of shannon entropy was suggested to measure password5This implicitly assumes that users are least-effort ones.

The Emperor’s New Password Creation Policies7strength, called NIST entropy [10]. Later, NIST entropy was found to correlatespoorly with guess resistance and can at best serve as a “rough rule of thumb” [34,53]. In contrast, the guess-number metric, which is based on password crackingalgorithms (e.g., PCFG-based and Markov-based [35]), was shown to be muchmore effective, and it has been used in a number of following works like [38, 47].However, we note that the traditional use of guess-number metric generallyimplicitly assumes that the attacker is a random, trawling attacker Atra (i.e.,not targeting a selected user). In many cases this is apparently not realistic. Fora targeted attacker Atar , with the knowledge of the name of the target user, shecan drastically reduce the guess number required to find the right password. Inthis work, we consider these two kinds of attacker and suppose that the targetedattacker know of the user’s name. This assumption is reasonable because, forAtar to launch a targeted attack, he must know some specific information aboutthe victim user Uv , and Uv ’s name is no-doubt the most publicly available data.To take advantage of name information in cracking, we slightly modify thePCFG-based and Markov-based algorithms by specially increasing the probability of the name-related letter segments. This can be easily achieved in PCFGbased attacks [35]. For instance, assuming the victim’s name is “wanglei”, afterthe PCFG-based training phase, one can increase the probability of the item“L4 wang” in the PCFG grammars to that of the most popular L4 segmentand similarly, the item “L7 wanglei” to that of the most popular L7 segment.Algorithm 1: Our Markov-Chain-based generation of targeted guesses1234567891011121314Input: A training set T S; A name list nameList; The victim user’s namevictimN ame; The size k of the guess list to be generated (e.g., k 107 )Output: A guess list L with the k highest ranked itemsPre-Training:for name nameList dotrieT ree.insert(name)for password T S dofor letterSegment splitT oLetterSegments(password) doif InT rieT ree(letterSegment) thenif isF ullN ame(letterSegment) thenpassword.replace(letterSegment, victimN ame.f ullN ame)if isSurN ame(letterSegment) thenpassword.replace(letterSegment, victimN ame.surN ame)if isF irstN ame(letterSegment) thenpassword.replace(letterSegment, victimN ame.f irstN ame)Ordinary Markov-Chain-based training on the pre-trained set T S usingGood-Turing smoothing and End-Symbol normalization (see [51]);Produce a list L with top-k guesses in decreasing order of probability.However, for Markov-based attacks since there is no concrete instantiationof “letter segments” during training, we substitute all the name segments (including full, sur- and first names) in training passwords (we use 2M Duowanpasswords and 2M CSDN passwords together as training sets) with the victim’scorresponding name segments before training. For instance, “zhangwei0327” is

8Ding Wang and Ping WangTable 2. Two types of passwords modeling two kinds of guessing attacks (‘Guess rank’is the order in which the corresponding attacker will try that guess; ‘–’ not exist)User PasswordGuess rank inGuess rank in Guess rank inGuess rank intrawling PCFG trawling Markov targeted PCFG targeted Markov1234561234567895201314Type 123wangleiwanglei123wanglei1Type Bwanglei12(Name-based) 5109206144Table 3. Popularity of Type A passwords in real-life password youYahoo(31.7M,2011) (16.3M,2011) (19.1M,2011) (8.3M,2011) (32.6M,2009) (0.5M,2012)Rank Freq. Rank Freq. Rank Freq. Rank Freq. Rank Freq. Rank ssword86woaini1314295password123 200453.98%10.59%30.19%50.09%260.04% 1060.02%230.01%180.00% 0.00% 70.00% 143823.43%1 0.89%1 0.38%0.62%3 0.24%6 0.05%0.28%415 0.01% 5090 0.00%0.07% 3626 0.00%– 0.00%0.03%5 0.15%16 0.03%0.02%4 0.18%2 0.18%0.03% 87348 0.00%– 0.00%0.00% 1384 0.00% 153 0.01%replaced with “wanglei0327”, “zhao@123” is replaced with “wang@123”, and“pingpku@123” is replaced with “leipku@123”, where “wang” and “lei” is Uv ’ssurname and first name in Chinese Pinyin, respectively. Our basic idea is thatthe popularity of name-based passwords in the training sets largely reflects theprobability of the targeted user to use a name-based password, and the cleverattacker Atar will base on this probability to exploit Uv ’s name. Our Markovbased algorithm for targeted online guessing is shown as Algorithm 1. One caneasily see that, based on our idea, besides Chinese Pinyin names, this algorithmcan be readily extended to incorporate names in any other language (e.g., “JamesSmith” in English), and to incorporate other user-specific data (such as accountname and birthdate) to model a more knowledgeable targeted attacker.To avoid ambiguity, we only consider name segments no shorter than 4. Todetermine whether a password picked from the training set includes a nameor not, we first build a name-based Trie-tree by using the 20 million hotelreservation data leaked in Dec., 2013 [22]. This name dataset consists of 2.73million unique Chinese full names and thus is adequate for our purpose. We alsoadd 504 Chinese surnames which are officially recognized in China into the Trietree. These surnames are adequate for us to identify the first names of Chineseusers in the Trie-tree to be used in PCFG-based targeted guess generation.

The Emperor’s New Password Creation Policies9Table 4. Popularity of Type B passwords in real-life datasetsName dictionaryTianya Dodonew 7k7kPinyin surname(len 4)6.34%Pinyin fullname(len 4)9.87%Pinyin name total(len 4) 10.91%2.5DuowanAverageAverageRockyou YahooChineseEnglish10.04% 7.14%8.44%7.99%15.90% 11.42% 13.42% 12.65%18.06% 14.81% 14.92% 14.68%1.38% 1.29%5.37% 3.61%5.36% 4.21%1.34%4.49%4.78%Selecting testing passwordsAs we have mentioned in Section 2.3, we measure how the 50 password policieswe are interested in are resistant to two types of guessing attacker, i.e., a trawlingattacker Atra and a targeted attacker Atar (with the victim’s name). The aimof Atra is to break as many accounts as possible with a few password trials [6],while Atar intends to break the single account of the given victim user Uv .To be effective, Atra would try the most popular passwords in decreasingorder of probability with regard to the targeting population, while Atar wouldtry the most popular passwords in decreasing order of probability with regardto the specific user. As shown in Table 2, we use Type A passwords (we callhotspot passwords) to represent the attempts Atra will try and Type B passwords(we call Chinese-Pinyin-name-based passwords) to represent the attempts Atarwill try, respectively. As revealed in [51], Chinese web users create a new typeof passwords, named “Chinese-style passwords”, such as woaini, 5201314 andwanglei123 based on their language. Note that, “wanglei” is not a randomstring of length 7 but a highly popular Chinese name, among the top-20 list ofChinese full names [49]; “520” sounds as “woaini” in Chinese, equivalent to “ilove you” in English; “1314” sounds as “for ever and ever” in Chinese. Thus,both “woaini1314” and “5201314” mean “I love you for ever and ever”. Suchpasswords are extremely popular among Chinese users (see Table 3) and thus areas dangerous as internationally bad passwords like iloveyou and password123.In the following we show why these two types of passwords are weak and canreally serve as representatives of password attempts that the aforementioned twotypes of attacker would try. Table 3 reveals that, all the eight Type A passwordsare among the top-200 rank list in at least one web services. More specifically,all the Type A passwords (except woaini1314 and password123) are amongthe top-100 rank list in the four Chinese web services, while woaini1314 is onlyslightly less popular (i.e., with a rank 295) in Tianya and English services, andpassword123 is comparatively much more popular in English services, i.e., with arank 153 in Yahoo and a rank 1384 in Rockyou, respectively. Besides popularity,these eight Type A passwords are also different in length, culture (language)and composition of charsets. Therefore, they well represent the characteristicsof potential passwords that a trawling attacker Atra would try.As stated in Section 2.4, to model a targeted guessing attacker Atar , we mainlyfocus on the case that Atar knows of the victim’s name. Without loss of muchgenerality, we assume the victim is a Chinese web user, named “wanglei”. FromTable 4 (and see more data in [51]) we can see that Chinese users really love toinclude their (Pinyin) names into passwords: an average of 14.68% of Chineseusers have this habit. That is, given a targeted user, it is confident to predict that

10Ding Wang and Ping Wangthere is a chance of 14.68% that she includes her name into her password, andAtar would gain great advantage by making use of this fact. We conservativelydeal with the ambiguities during the name matching. For instance, there aresome English surnames (e.g., Lina) may coincide with a Chinese full name, andwe take no account of such names when processing English datasets. Well, howdoes a user uses her name, which can be seen as a word, to build a password?There are a dozen of mangling rules to accomplish this aim, and the most popularones [14,30] include appending digits and/or symbols, capitalizing the first letter,leet etc. This results in our eight Type B passwords. One can see that the guessrank in Markov-based targeted attack (see the last column in Table 2) quiteaccords with the rank of general user behaviors as surveyed in [14]. This impliesthe effectiveness of our Markov-based targeted attacking algorithm.2.6 Collecting data from sitesTo obtain first-hand data on password policy practices, we create real accountson each site, read the html/PHP/Javascript source code of the registration page,and test sample passwords to see the reaction of the meter when available. Wenote that there are many unexpected behaviors of sites. For example, in somesites (e.g., Edas, Easychar and Yahoo) the descriptions of password policies arenot explicitly given (or the information explicitly given are not complete), andadditional data about policies can only be extracted from the feedbacks of theserver after one have actually clicked the “submit” button. Consequently, for allsites and every password testing instance, we press the “submit” button downand take note of the response to avoid missing anything important.Initially, considering the great amount of manual workload involved, we attempt to automate the collection of data from each site by using PHP/Pyth

(e.g., AOL) may violate the password rule of this site, finally it is still rejected by the site. In addition, many sites (e.g., Edas, AOL and Sohu) enforce mandatory password rules but suggestive meters, a password metered "weak" might pass the password rule of these sites, and finally this "weak" password is still accepted.