基于真实数据挖掘的口令脆弱性评估及恢复

Password Vulnerability Assessment and Recovery Based on Rules Mined from Large-Scale Real Data

通过对大规模的真实口令数据进行分析挖掘,获得若干统计特征及口令设置规则,并将这些统计特征和规则成功应用于口令的脆弱性评估及恢复系统.以83 454 724条真实明文口令为研究对象,详细统计了它们的长度、字符种类、组合类型等各项特征,分析了口令和账号、邮箱之间的关系,挖掘了同一个人的口令在不同网站之间的关系,并统计了常用黑客字典对真实口令库的覆盖情况,总结出若干条用户设置口令的真实规则.在这些规则和统计特征的基础上,提出并设计了基于规则的口令脆弱性评估算法和口令恢复系统.测试证明,该文算法计算的口令强度分数与专家打分的拟合度分别高达97.4%（误差小于等于5%）、82.7%（误差小于等于4%）.与共享软件相比,文中提出的口令恢复系统成功的概率平均提高了7.5%-66.7%.尽管文中的规则总结自中国口令库,但其统计挖掘方法可以适用于国际口令库.

Several password rules and statistical characteristics were mined from large-scale real password database, and were used to develop password vulnerability assessment system and password recovery systems. 83 454 724 real passwords of Chinese websites were exposed few years ago in this paper. We collected and analyzed them from different perspectives, such as length, composition, character, digital, the relationship of the passwords belonging to the same user and the relation between these passwords and hacker dictionary. Based on the analysis, pieces of password rules are mined and concluded, which can help to evaluate the vulnerability of password and recover the lost password quickly. Furthermore, a password recovery system based on the mining rules is designed and implemented. It is proved by experiments that it is similar between the password strength scores of the proposed algorithm and those being graded by experts, whose overlay ratios are 97.4% （relative error is less than or equal to 5%） and 82.7% （relative error is less than or equal to 4 %） respectively. Compared with shared software, the success rate is increased by the proposed recovery system with 7.5%--66.7%. Although this work is based on the real passwords collected from Chinese websites, these analysis methods and mining rules are inspirational to general password recovery method and vulnerability assessment algorithm all over the world.