ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2016, Vol. 53 ›› Issue (10): 2173-2188.doi: 10.7544/issn1000-1239.2016.20160483

所属专题: 2016网络空间共享安全研究进展专题

• 信息安全 • 上一篇    下一篇



  1. 1(北京大学信息科学技术学院 北京 100871); 2(福建师范大学数学与计算机科学学院 福州 350117); 3(北京大学软件与微电子学院 北京 102600) (
  • 出版日期: 2016-10-01
  • 基金资助: 
    国家重点研发计划项目(2016YFB0800603);国家自然科学基金项目(61472016,61472083) This work was supported by the National Key Research Program of China (2016YFB0800603) and the National Natural Science Foundation of China (61472016,61472083).

Advances in Password Security

Wang Ping1,3, Wang Ding1, Huang Xinyi2   

  1. 1(School of Electronics Engineering and Computer Science, Peking University, Beijing 100871); 2(School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117); 3(School of Software and Microelectronics, Peking University, Beijing 102600)
  • Online: 2016-10-01

摘要: 身份认证是确保信息系统安全的第一道防线,口令是应用最为广泛的身份认证方法.尽管口令存在众多的安全性和可用性缺陷,大量的新型认证技术陆续被提出,但由于口令具有简单易用、成本低廉、容易更改等特性,在可预见的未来仍将是最主要的认证方法.因此,口令近年来引起了国内外学者的广泛关注,涌现出了一大批关于口令安全性的研究成果.从用户生成口令时的脆弱行为入手,介绍了中英文用户口令的特征、分布和重用程度;总结了近30年来提出的几个主流口令猜测算法,并根据它们所依赖的攻击对象的信息不同进行了分类;然后,回顾了当前广泛使用的基于统计学的口令策略强度评价标准;此外,对比了当前主流的几个口令强度评价器.最后,对当前研究现状进行了总结,并对未来研究方向进行了展望.

关键词: 身份认证, 口令安全, 脆弱行为, 猜测攻击, 强度评价

Abstract: Identity authentication is the first line of defense for information systems, and passwords are the most widely used authentication method. Though there are a number of issues in passwords regarding security and usability, and various alternative authentication methods have also been successively proposed, password-based authentication will remain the dominant method in the foreseeable future due to its simplicity, low cost and easiness to change. Thus, this topic has attracted extensive interests from worldwide researchers, and many important results have been revealed. This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics, distribution and reuse rate. Next we summarize the primary cracking algorithms that have appeared in the past 30 years, and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker. Then, we revisit the various statistical-based evaluation metrics for measuring the strength of password distributions. Further, we compare the state-of-the-art password strength meters. Finally, we summarize our results and outline some future research trends.

Key words: identity authentication, password security, vulnerable behavior, guessing attack, strength evaluation