Analysis of real-world passwords for social media sites

Publication Year:
Usage 355
Downloads 279
Abstract Views 76
Repository URL:
Quinn, Mark J.
JMU Scholarly Commons
authentication; password; social media; hash; cracking
thesis / dissertation description
Textual passwords have dominated all other entity authentication mechanisms since they were introduced in the early 1960’s. Despite an inherent weakness against social engineering, keylogging, shoulder surfing, dictionary, and brute-force attacks, password authentication continues to grow as the Internet expands. Existing research on password authentication proves that dictionary attacks are successful because users make poor choices when creating passwords. To make passwords easier to remember, users select character strings that are shorter in length and contain memorable content, like personal identity information, common words found in a dictionary, backward spellings of common words, recognizable sequences, and easily guessed mnemonic phrases.A number of these studies identify weaknesses found in passwords on social media sites [1] [2] [3] [4] [5]. However, this body of work fails to explore whether users choose more secure passwords on accounts that protect their professional online identity than they choose on accounts that are used for personal entertainment. In this study, we first cracked passwords from the over 6.4 million unsalted, SHA-1 hashed passwords stolen from the professional, social media site, LinkedIn. Next, we analyzed the length, character set composition, and entropy score of the passwords recovered. Then, we compared our results to the analysis of passwords performed by Weir, et al. on the RockYou! dataset to determine whether professionals protecting their online presence chose wiser passwords than social media site users who play online games.In our analysis we found that the users of the professional, social media site, LinkedIn, chose more secure passwords than the users of the social media gaming site, RockYou!. LinkedIn passwords contained a greater percentage of numbers, special characters, and uppercase letters than RockYou!. We also found that the LinkedIn passwords utilized special characters more frequently, but RockYou! passwords applied special character less predictably.