Research Trends in Password Strength Measurement Methods

  • 김경훈 (Information Security Lab, Graduate School of Information, Yonsei University)
  • 김승연 (Information Security Lab, Graduate School of Information, Yonsei University)
  • 권태경 (Information Security Lab, Graduate School of Information, Yonsei University)
  • Published: 2017.02.28


Password authentication, widely used for a long time, remains the representative means of user authentication, but it has many shortcomings in terms of both usability and security. In general, users choose simple passwords that are easy to remember, whereas servers recommend complex passwords that are comparatively safe against guessing attacks. Because the use of weak passwords strongly affects the security of the entire system, techniques for measuring the strength, that is the security, of a password at the moment the user selects it and feeding the result back to the user have been studied from many angles. Some of these techniques have been visualized in various ways and are already deployed in commercial systems. However, accurate strength measurement and better usability of secure passwords still call for solutions, so research aimed at generalizing such password strength measurement methods continues steadily. In this paper, we survey and analyze research trends in text-based password strength measurement.


