Authors K.A. Turin, R.V. Semin
Month, Year 05, 2015 @en
Index UDC 004.056.53
Abstract As is known, unauthorized access to critical information systems causes damage to many companies, and this damage grows year by year. Even if the technical protection is high, the human factor has a great influence on security of multi-user information system. The attacker is able to optimize the procedure of attacks on information systems by investigating the nature of this influence. This means that the influence of the human factor and the possibility of using user’s information for the attacks are important for researching. In most cases, information systems use the single-factor password authentication or some other method that includes this one (most two-factor authentication methods use the permanent password as one of the factors). Investigations show that users often use informative sequence of characters as their passwords. This is explained by the fact that such passwords are easier to remember. Information component allow passwords to contain fragments of natural languages words, keyboard layouts, and so on. Informative part makes passwords not completely random. This means that statistical information about the features of the used in practice passwords language can accelerate the process of information systems cracking. Thus, when a password is not automatically generated and created by the user, there is a specific threat because of the human factor. There are many ways to implement this threat for the unauthorized access attempts. The research of these methods allows developing rules that prevent such threats. In this paper, we review existent methods of authentication systems cracking and present the modification of the algorithm that optimizes the cracking of a password based on using of information about the statistics of the actual use of passwords. In addition, paper contains the concrete example of algorithm work and analysis of its efficiency. The algorithm can be used for testing the security of password systems, pentesting.

Download PDF

Keywords Information security; entropy; dictionary attack.
References 1. Burnett M. Perfect Password: Selection, Protection, Authentication, Syngress Publishing, 2006, pp. 194.
2. Zarkumova R.N. Issledovanie kolichestvennykh kharakteristik sistemy parol'noy zashchity informatsii [The study of quantitative characteristics of the system password protection information], Sbornik nauchnykh trudov NGTU [Proceedings of the NSTU], 2010, No. 2 (60), pp. 83-88.
3. Snegurov A.V. Chakryan V.Kh. Analiz ustoychivosti ko vzlomu sovremennykh mekhanizmov parol'noy zashchity operatsionnykh sistem [Analysis of the resistance to cracking modern mechanisms of password protection of operating systems], Vostochno-Evropeyskiy zhurnal peredovykh tekhnologiy [Eastern-European Journal of Eenterprise Technologies], 2011, Vol. 2, No. 10 (50), pp. 27-29.
4. Markov G.A. K voprosu ob opredelenii stoykosti parol'nykh sistem [To the question of determining the resistance of password systems], Sbornik trudov Tret'ey vserossiyskoy NTK «Bezopasnye informatsionnye tekhnologii» [Proceedings of the Third all-Russian research Institute of Secure information technology"], Under ed. V.A. Matveeva. Moscow: NII RL
MGTU im. N.E. Baumana, 2012, pp. 21-23.
5. Gufan K.Yu., Novosyadlyy V.A., Edel' D.A. Otsenka stoykosti parol'nykh fraz k metodam podbora [The evaluation of resistance passphrases to the methods of selection], Otkrytoe obrazovanie [Open Education], 2011, No. 2, pp. 127-130.
6. Kechedzhy K.E., Usatenko O.V., Yampol'skii V.A. Rank distributions of words in additive many-step Markov chains and the Zipf law, Phys. Rev. E, 2005, Vol. 72.
7. Hellman M. A cryptanalytic time-memory trade-off, IEEE Transactions on Information Theory, 1980, Vol. 26, pp. 401-406.
8. Ferguson Neils. Practical Cryptography, Indianapolis: John Wiley & Sons, 2003, pp. 230-243.
9. Gufan K.Yu., Novosyadlyy V.A., Edel' D.A. O metodakh otsenki stoykosti parol'nykh fraz [Methods for assessing passphrases], Materialy XIX nauchno-tekhnicheskoy konferentsii «Metody i tekhnicheskie sredstva obespecheniya bezopasnosti informatsii» 5-10 iyulya 2010 g [The materials of the XIX scientific and technical conference "Methods and technical tools of
information security" 5-10 July 2010]. St. Petersburg: Izd-vo Politekhn. un-ta, 2010, pp. 73-74.
10. Markov G.A. Metriki stoykosti parol'noy zashchity [Metrics password], Molodezhnyy nauchno-tekhnicheskiy vestnik [Youth Scientific and Technical Bulletin], 2013. Available at: (Accessed 27 December 2014).
11. 1 000 000 uzhe nerabotayushchikh paroley v otkrytom dostupe. Kak my zashchishchaem pol'zovateley Yandeksa [1 000 000 already broken passwords in open access. How do we protect users of Yandex]. Available at: (Accessed 15 December 2014).
12. Belenko A. Paroli: stoykost', politika naznacheniya i audit [Passwords: resistance, assignment policy and audit], Zashchita informatsii. Insayd [Protection of Information. Inside], 2009, No. 1, pp. 61-64.
13. Broder A., Mitzenmacher M. Network applications of Bloom filters: A survey, In Proc. of the 40th Annual Allerton Conference on Communication, Control, and Computing, 2002, pp. 636-646.
14. Kolodzey A.V. Kompromiss «vremya/pamyat'» v rekonfiguriruemykh vychislitel'nykh sistemakh [Time-memory trade-off on reconfigurable computer systems], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2014, No. 12 (161), pp. 46-52.
15. Evteev D. Analiz problem parol'noy zashchity v rossiyskikh kompaniyakh [Analysis of the problems of password protection in the Russian companies], ZAO «Pozitiv Tekhnolodzhiz» [CJSC "Positive technologies"], 2009, 33 p. Available at:
16. Spafford E.H. Opus: Preventing weak password choices, Computer and Security, 1992, No. 11, pp. 273-278.
17. Bonneau J. Guessing human-chosen secrets, Technical Report UCAM-CL-TR-819, 2012, pp. 161.
18. Markov A.S., Tsirlov V.L., Barabanov A.V. Metody otsenki nesootvetstviya sredstv zashchity informatsii [Methods to evaluate inconsistency means of information protection]. Moscow: Radio i svyaz', 2012, 192 p.
19. Information Assurance Implementation, Department of Defense Instruction 8500.2, 2003, 102 p.
20. PCI DSS Requirements and Security Assessment Procedures. Version 2.0. PCI Security Standards Council LLC, 2010, 75 p.

Comments are closed.