How Efficiency of Password Attack Based on a Keyboard

At present, dictionary attack has been the basic tool for recovering key passwords. In order to avoid dictionary attack, users purposely choose another character strings as passwords. According to statistics, about 14% of users choose keys on a keyboard (Kkey, for short) as passwords. This paper develops a framework system to attack the password chosen from Kkeys and analyzes its efficiency. Within this system, we build up keyboard rules using the adjacent and parallel relationship among Kkeys and then use these Kkey rules to generate password databases by depth-first search method. According to the experiment results, we find the key space of databases derived from these Kkey rules that could be far smaller than the password databases generated within brute-force attack, thus effectively narrowing down the scope of attack research. Taking one general Kkey rule, the combinations in all printable characters (94 types) with Kkey adjacent and parallel relationship, as an example, the derived key space is about 240 smaller than those in brute-force attack. In addition, we demonstrate the method's practicality and value by successfully cracking the access password to UNIX and PC using the password databases created

Authors:

• Hsien-cheng Chou
• Fei-pei Lai
• Hung-chang Lee

Keywords:

• Brute-force attack
• dictionary attack
• depth-firstsearch
• password attack.

References:

[1] Http://www.tech-faq.com/dictionary-attack.shtml.
[2] Password Cracking Wordlist. http: //www.openwall. com/wordlists/.
[3] Password Safe, http://passwordsafe. sourceforge.net/.
[4] Yahoo News. Favorite passwords: ÔÇÿÔÇÿ1234-- and ÔÇÿÔÇÿpassword--, http://
news. yahoo.com, Feb 2009.
[5] Alain Forget, Robert Biddle, Memorability of persuasive passwords, CHI
'08 extended abstracts on Human factors in computing systems, April
05-10, 2008, Florence, Italy.
[6] Mohammad Mannan, P. C. van Oorschot, Digital objects as passwords,
Proceedings of the 3rd conference on Hot topics in security, p.1-6, July
29, 2008, San Jose, CA.
[7] Lorrie Faith Cranor, A framework for reasoning about the human in the
loop, Proceedings of the 1st Conference on Usability, Psychology, and
Security, p.1-15, April 14-14, 2008, San Francisco, California.
[8] Vrizlynn L. L. Thing, Hwei-Meng Ying, A novel time-memory tradeoff
method for password recovery, June 2009.
[9] Project RainbowCrack website, http://project-rainbowcrack.com/.
[10] ElcomSoft password recovery tools, http://www.elcomsoft.com/.
[11] Password recovery software, http:// www.lostpassword.com/.
[12] Password recovery software, http:// www.wwwhack.com/.
[13] Lizuang, Feng Zhou, and J.D.Tygar, University of California, Berkeley,
Keyboard Acoustic Emanations Revisited, ACM Transactions on
Information and System Security, Vol. 13, No. 1, Article 3, October 2009.
[14] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest and Clifford
Stein, Introduction to Algorithm, 2nd Ed, 2001
[15] S. Russel and P. Norvig, Artificial Intelligence, a modern approach, 2nd
Ed, 2006
[16] John the Ripper. Password cracker, http://www.openwall.com. LCPSoft.
Lcpsoft programs, http://www.lcpsoft.com.
[17] Pwdump7 by Andres Tarasco Acuna, Windows NT family, up through
XP or Vista.
http://passwords.openwall.net/microsoft-windows-nt-2000-xp-2003-vist
a.