While it is not recommended, Internet users tend to include personal information in their passwords for easy memorization. However, the use of personal information in passwords and its security implications have yet to be studied. In this paper, we dissect user passwords from several leaked data sets to investigate the extent to which a user’s personal information resides in a password. Then, we introduce a new metric called coverage to quantify the correlation between passwords and personal information. Afterward, based on our analysis, we extend the probabilistic context-free grammars (PCFGs) method to be semantics-rich and propose personal-PCFG to crack passwords by generating personalized guesses. Through offline and online attack scenarios, we demonstrate that personal-PCFG cracks passwords much faster than PCFG and makes online attacks much more likely to succeed. To defend against such semantics-aware attacks, we examine the use of simple distortion functions that are chosen by users to mitigate unwanted correlation between personal information and passwords.
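As an added illustration (not code from the paper), the following defender-side check approximates the idea of a coverage metric: it derives candidate tokens from a user's profile, greedily matches them inside a password, and scores how much of the password they cover. The profile, the token derivation rules, the greedy longest-match segmentation, and the squared-length scoring are all assumptions made here; the paper's exact definition of coverage is not given on this page.

```python
from datetime import date

# Constructed sample profile for demonstration only (not real data).
PROFILE = {
    "name": "Alice Wang",
    "username": "awang88",
    "email": "alice.wang@example.com",
    "birthday": date(1988, 4, 12),
    "phone": "13812345678",
}

def personal_tokens(profile):
    """Derive lowercase substrings a user might reuse (assumed rule set)."""
    parts = profile["name"].lower().split()
    bd = profile["birthday"]
    tokens = set(parts) | {
        "".join(parts),                          # alicewang
        profile["username"].lower(),
        profile["email"].split("@")[0].lower(),  # local part of e-mail
        profile["phone"],
        bd.strftime("%Y%m%d"), bd.strftime("%y%m%d"),
        bd.strftime("%Y"), bd.strftime("%m%d"), bd.strftime("%d%m"),
    }
    return {t for t in tokens if len(t) >= 2}  # ignore trivial 1-char hits

def coverage(password, tokens):
    """Greedy left-to-right longest match; returns (score, matched segments).

    Score = sum(len(segment)^2) / len(password)^2, so one long match
    counts for more than several short ones (assumed scoring rule)."""
    pw = password.lower()
    n, i, segments = len(pw), 0, []
    while i < n:
        best = max((len(t) for t in tokens if pw.startswith(t, i)), default=0)
        if best:
            segments.append(pw[i:i + best])
            i += best
        else:
            i += 1
    score = sum(len(s) ** 2 for s in segments) / (n * n) if n else 0.0
    return score, segments

def is_too_personal(password, profile, threshold=0.3):
    """Policy hook: reject passwords whose profile coverage is too high."""
    score, _ = coverage(password, personal_tokens(profile))
    return score >= threshold

if __name__ == "__main__":
    for pw in ("alice1988!", "awang88", "Tr0ub4dor&3"):
        print(pw, coverage(pw, personal_tokens(PROFILE)), is_too_personal(pw, PROFILE))
```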