Next up at #usesec19 in the Passwords session: "Birthday, Name and Bifacial-security: Understanding Passwords of Chinese Web Users" by Ding Wang and Ping Wang, Peking University; Debiao He, Wuhan University; Yuan Tian, University of Virginia
Turns out that the passwords of Chinese users are really different from those of English-speaking users, which means that we may need different protection mechanisms.

Passwords are influenced by one's native language. Unfortunately most password studies are performed on English-language datasets.
Used 9 password datasets from high-profile sites that were breached (6 Chinese, 3 English), spanning different types of site (e.g. gaming, developer forum)
These are really different! Chinese passwords are mostly digits.

... but everyone likes 123456, regardless of language.
Some of these Chinese passwords may look really random to English speakers. 5201314 is really popular in Chinese passwords. Why? Because it sounds like "I love you forever": 520 sounds like 我爱你 ("I love you") and 1314 like 一生一世 ("for a lifetime").
Most Chinese users use all-digit passwords (>50% of passwords); English-speaking users mostly use letters.

Chinese passwords also fall into very different semantic categories; Chinese users use a lot more dates, for instance.
Some features are still similar, like the length distribution of passwords (mostly 5-10 characters).

How do you measure the strength of Chinese passwords? Are they stronger or weaker than English passwords?
Previous work disagreed on this. The researchers used two password-guessing models: PCFG and Markov.

They made sure to compare passwords across service types, since users tend to choose passwords according to the importance of the account.
The PCFG password cracker has an issue: it parses a password into letter segments, digit segments and symbol segments and then models each segment independently. But interleaving of segments is much more common in Chinese passwords, and PCFG doesn't take the relation between the segments into account at all [ so it's not as good at cracking these ]
They also added Pinyin names and dates into PCFG, because those are commonly used in Chinese passwords.
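As an added example (this is not the paper's code; the sample "leak" and the tiny Pinyin syllable dictionary below are constructed assumptions, and the real cracker, datasets and name lists are far larger), a toy PCFG in Python showing the segmentation the talk describes: the classic grammar splits a password into letter/digit/symbol runs and models each run independently of the others, while the Chinese-aware variant adds Pinyin-name and date segments in the spirit of the authors' change, so that a name+birthday password stops sharing its probability mass with every other L8D4 password. It also computes the all-digit share and the most common passwords of the sample, as in the statistics above.

```python
"""Toy PCFG structure analysis, classic vs. Pinyin/date-aware (added example)."""
import re
from collections import Counter, defaultdict
from datetime import date
from fractions import Fraction

# Constructed sample "leak" (not a real dataset); mixes all-digit, Pinyin+date
# and English-style passwords so that each code path below is exercised.
SAMPLE_PASSWORDS = [
    "123456", "5201314", "19900101", "zhangwei1990", "wangfang0815",
    "password1", "iloveyou", "qwer1234", "a5201314", "liu19881213",
    "12345678", "abc123", "000000", "!wang520", "letmein", "123456",
]

# Hypothetical, deliberately tiny Pinyin syllable list (an assumption, not the
# paper's dictionary); a real analysis would use a full Pinyin table.
PINYIN_SYLLABLES = {"zhang", "wang", "li", "liu", "chen", "wei", "fang", "yang"}


def digit_fraction(pws):
    """Share of all-digit passwords, as an exact fraction."""
    return Fraction(sum(p.isdigit() for p in pws), len(pws))


def top_passwords(pws, n=3):
    return Counter(pws).most_common(n)


_RUN = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")


def classic_segments(pw):
    """Weir-style PCFG split into letter (L), digit (D) and symbol (S) runs:
    'zhangwei1990' -> [('L8', 'zhangwei'), ('D4', '1990')]."""
    segs = []
    for m in _RUN.finditer(pw):
        s = m.group()
        kind = "L" if s.isalpha() else "D" if s.isdigit() else "S"
        segs.append((f"{kind}{len(s)}", s))
    return segs


def is_pinyin_name(s):
    """Greedy longest-match split into known syllables; True only if the whole
    run is consumed (greedy can miss some splits; fine for a toy dictionary)."""
    s, i = s.lower(), 0
    while i < len(s):
        for n in range(min(6, len(s) - i), 0, -1):
            if s[i:i + n] in PINYIN_SYLLABLES:
                i += n
                break
        else:
            return False
    return True


def is_date(s):
    """YYYYMMDD (calendar-validated), a year 1900-2019, or MMDD."""
    if not s.isdigit():
        return False
    try:
        if len(s) == 8:
            return 1900 <= date(int(s[:4]), int(s[4:6]), int(s[6:])).year <= 2019
        if len(s) == 4:
            return 1900 <= int(s) <= 2019 or (1 <= int(s[:2]) <= 12 and 1 <= int(s[2:]) <= 31)
    except ValueError:
        return False
    return False


def chinese_segments(pw):
    """Same split, but letter runs that are Pinyin names become N and digit runs
    that are dates become B (birthday), so name+date gets its own structure."""
    out = []
    for tag, s in classic_segments(pw):
        if tag[0] == "L" and is_pinyin_name(s):
            tag = "N" + tag[1:]
        elif tag[0] == "D" and is_date(s):
            tag = "B" + tag[1:]
        out.append((tag, s))
    return out


def structure(pw, segmenter=classic_segments):
    return "".join(tag for tag, _ in segmenter(pw))


class ToyPCFG:
    """P(pw) = P(structure) * prod P(terminal | tag). Segments are independent
    given their tags, which is exactly the limitation described in the talk."""
    def __init__(self, training, segmenter):
        self.segmenter, self.n = segmenter, len(training)
        self.structures, self.terminals = Counter(), defaultdict(Counter)
        for pw in training:
            segs = segmenter(pw)
            self.structures["".join(t for t, _ in segs)] += 1
            for tag, s in segs:
                self.terminals[tag][s] += 1

    def probability(self, pw):
        segs = self.segmenter(pw)
        p = Fraction(self.structures["".join(t for t, _ in segs)], self.n)
        for tag, s in segs:
            pool = self.terminals[tag]
            p *= Fraction(pool[s], sum(pool.values())) if pool else 0
        return p


def compare(pw, training=SAMPLE_PASSWORDS):
    """(classic, Chinese-aware) probability of pw under grammars trained on training."""
    return (ToyPCFG(training, classic_segments).probability(pw),
            ToyPCFG(training, chinese_segments).probability(pw))


if __name__ == "__main__":
    print("all-digit share:", digit_fraction(SAMPLE_PASSWORDS))
    print("top:", top_passwords(SAMPLE_PASSWORDS))
    for pw in ["zhangwei0815", "zhangwei1234", "5201314"]:
        print(pw, structure(pw), structure(pw, chinese_segments), compare(pw))
```

On the constructed sample, "zhangwei0815" is three times as likely under the Chinese-aware grammar as under the classic one, because its name and date terminals are no longer pooled with "password" and "1234"; the flip side is that a name followed by a non-date ("zhangwei1234") gets an unseen structure and probability zero, which is the kind of tuning trade-off the cracker's training set imposes.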
With a small number of guesses (the online-attack regime), Chinese passwords are weaker than English passwords; when a large number of guesses is needed (the offline regime), English passwords are weaker. This holds for both PCFG and Markov.
[ I would also guess that making the password checkers even more sensitive to Chinese password patterns would make them more crackable as well ]
Conclusions:
* because Chinese passwords are more susceptible to online attacks, use a big password blacklist
* use a training set close to the language -- it works better!
Q: while you were digging through the patterns were you able to identify keyboard patterns, like we see in English? (like qwer)

A: yes, we saw them in Chinese as well
Q: are the Chinese passwords weaker because they have less of a distribution because they're digits?

A: probably -- would need to look
Thread by Lea Kissner