Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Date of Award

Spring 2015

Document Type

Thesis

Degree Name

Master of Science (MS)

Department

Department of Computer Science

Advisor(s)

Xunhua Wang

Abstract

Textual passwords have dominated all other entity authentication mechanisms since they were introduced in the early 1960’s. Despite an inherent weakness against social engineering, keylogging, shoulder surfing, dictionary, and brute-force attacks, password authentication continues to grow as the Internet expands. Existing research on password authentication proves that dictionary attacks are successful because users make poor choices when creating passwords. To make passwords easier to remember, users select character strings that are shorter in length and contain memorable content, like personal identity information, common words found in a dictionary, backward spellings of common words, recognizable sequences, and easily guessed mnemonic phrases.

A number of these studies identify weaknesses found in passwords on social media sites [1] [2] [3] [4] [5]. However, this body of work fails to explore whether users choose more secure passwords on accounts that protect their professional online identity than they choose on accounts that are used for personal entertainment. In this study, we first cracked passwords from the over 6.4 million unsalted, SHA-1 hashed passwords stolen from the professional, social media site, LinkedIn. Next, we analyzed the length, character set composition, and entropy score of the passwords recovered. Then, we compared our results to the analysis of passwords performed by Weir, et al. on the RockYou! dataset to determine whether professionals protecting their online presence chose wiser passwords than social media site users who play online games.

In our analysis we found that the users of the professional, social media site, LinkedIn, chose more secure passwords than the users of the social media gaming site, RockYou!. LinkedIn passwords contained a greater percentage of numbers, special characters, and uppercase letters than RockYou!. We also found that the LinkedIn passwords utilized special characters more frequently, but RockYou! passwords applied special character less predictably.

Share

COinS