Welcome to Ding Wang's Homepage -- Password   Cryptography

Related paper: Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound (Main.pdf, Appendix.pdf)


Ethics considerations: Though the two password datasets (32.58 million Rockyou, 6.43 million CSDN) used herein have been publicly disclosed and collectively used by a number of scientific works that study passwords (see the proceedings of IEEE S&P 2012, ACM CCS 2013, ISOC NDSS 2014, etc.), this nevertheless creates an ethical conundrum: should our research use passwords leaked publicly? Since this data has already been made public and is easily available, using it in our research does not increase the harm to the victims. We use these passwords (without any identifiable information such as user name or email) only for scientific purposes (e.g., to train and test guessing algorithms to evaluate attackers' capabilities). Furthermore, as attackers are likely to use these password sets as training sets or cracking dictionaries, our use of them to evaluate password strength implies our results are more likely to be of practical relevance to security administrators and common users.


Fuzzy Verifier: To overcome the dilemma of maintaining usability while achieving two-factor security even if the smart card can be tampered with, we propose a tradeoff between security and usability: instead of storing {h(PWi)} in the card memory, we store {h(PWi) mod N}, where PWi stands for user Ui's password, h() is a hash function (e.g., SHA-1 in the following experiments), and N is the balance factor (a moderate integer, e.g., N=256). User Ui can then change her password locally, yet this user-friendliness comes at the price of security: the chance of an adversary guessing Ui's password is roughly 256t/D, where D is the password space from which each user's password is uniformly drawn and t is the number of the adversary's online attempts. Generally, D is moderately limited, e.g., |D|=1,000,000 [1,2]. That is to say, the modified protocol using this new method is able to meet the Level 1 security of NIST SP800-63-2 [3] even if the smart card has been compromised, which guarantees that the success probability of one online guessing attempt by the adversary is no more than 1/1024. As is well known, online guessing can be effectively thwarted by locking the account after several failed login attempts or by only allowing a probabilistic number of failed guesses [9]. In two other cases, the security is improved: (1) the chance of an adversary changing Ui's password is 1/256; (2) the chance of Ui accidentally making the card unusable is 1/256 when she inputs an unintended new password in the password change phase, reduced to 1/65536 if users are required to type the new password twice.

In the above analysis, the value of 256t/D is obtained under the assumption that user passwords are uniformly distributed. However, in practice, this is generally not the case: user passwords have a strong bias towards similarity! This is evidenced by the following statistic: the top 20 most popular passwords from the Rockyou dataset [4] account for 2.54% of the entire set. To evaluate the practical effectiveness of our proposed "fuzzy verifier" when the user password space is greatly biased, we use four real-life publicly available password datasets (i.e., top 1 million most popular passwords from 32 million Rockyou dataset, top 2 million most popular passwords from 32 million Rockyou dataset, top 1 million most popular passwords from 6.43 million CSDN dataset [5], top 1 million most popular passwords from 6.43 million CSDN) to carry out the following two explorations:

(1) How many passwords in D fall into the same password pool as PWi? We say PWj falls into the same pool as PWi only if the value of h(PWj) mod 256 equals h(PWi) mod 256. We call the resulting password pool POOLi.
(2) How many passwords finally remain if we remove from POOLi those passwords that are unlikely to be Ui's password PWi? Without any specific information about Ui (e.g., hobbies, name, birthday), it is really difficult (probably impossible) to accurately define which characteristics are unlikely to be held by Ui's password PWi. As a result, we can only use the statistical information of POOLi to detect whether there is any abnormality. An effective metric is the expected number of guesses required to find any password in POOLi if the attacker mounts an optimal online attack (i.e., testing the most likely passwords first), known as guesswork or guessing entropy [2,6].
Admittedly, we have obtained two large datasets with user IDs and passwords, yet such information is definitely sensitive, and may cause subtle suffering to victims if such datasets are shown publicly, for users tend to reuse their IDs and passwords [7,8]. As far as we know, using guessing entropy to characterize a password dataset is currently the best strategy that can be adopted while the corresponding user-specific information is unavailable (or cannot be appropriately used). Assume password pool POOLi includes x entries. Each entry is of the form <Password, Count, Popularity>; see POOL0 of the top 2 million CSDN dataset, 0.txt. Note that the term "Count" stands for the popularity count of the corresponding password. For example, if the password "shanshan" occurs 210 times in the entire 6 million CSDN dataset, we say the popularity count of password "shanshan" is 210. The "Popularity" of password "shanshan" is 210/(total count in the current pool) = 210/13262 = 0.0158347. For simplicity, we denote the popularities of the passwords in each pool, in decreasing order, by P1, P2, P3, ..., Px.
Accordingly, we can determine the guessing entropy [2] of POOL0 by computing E = 1*P1 + 2*P2 + 3*P3 + ... + x*Px = 2492.49, which is larger than 1024. This means POOL0 is a valid pool, and the success probability of one online guessing attempt using password candidates in POOL0 by the adversary is 1/2492.49, no more than 1/1024.

Our empirical results demonstrate that the distribution bias of password space D does not significantly degrade our proposed method, and it ensures the Level 1 security of  NIST SP800-63-2. 
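The pool assignment h(PW) mod 256, the guessing entropy E = 1*P1 + ... + x*Px and the 1024 threshold described above, together with the blacklist remedy the page mentions for Experiment 4, can be reproduced with the following added Python example (not the authors' code). It assumes the SHA-1 digest is read as a big-endian integer, which matches the page's h(123456) mod 256 = 27; the function names and the synthetic dataset are constructed for illustration.

```python
import hashlib
from collections import defaultdict

N = 256           # balance factor N from the page
THRESHOLD = 1024  # page's target: one online guess succeeds with probability <= 1/1024


def pool_index(password, n=N):
    """Fuzzy verifier h(PW) mod n, with h = SHA-1 read as a big-endian integer."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % n


def build_pools(entries, n=N, blacklist=frozenset()):
    """Group (password, count) pairs by fuzzy verifier value; keep only the counts."""
    pools = defaultdict(list)
    for password, count in entries:
        if password in blacklist:
            continue  # a blacklisted password cannot be chosen, so it is in no pool
        pools[pool_index(password, n)].append(count)
    return dict(pools)


def guessing_entropy(counts):
    """E = 1*P1 + 2*P2 + ... + x*Px, popularities taken in decreasing order."""
    total = sum(counts)
    ranked = sorted(counts, reverse=True)
    return sum(rank * c for rank, c in enumerate(ranked, start=1)) / total


def weak_pools(pools, threshold=THRESHOLD):
    """Map each pool whose guessing entropy is below the threshold to that entropy."""
    result = {}
    for idx, counts in pools.items():
        entropy = guessing_entropy(counts)
        if entropy < threshold:
            result[idx] = entropy
    return result


def constructed_dataset(tail=600_000, head_count=50_000):
    """Constructed sample (not real data): one very popular password plus a flat
    tail of unique passwords that each occur once."""
    yield "123456", head_count
    for i in range(tail):
        yield f"constructed-{i:06d}", 1


if __name__ == "__main__":
    pools = build_pools(constructed_dataset())
    sizes = [len(counts) for counts in pools.values()]
    print("pools:", len(pools), "min size:", min(sizes), "max size:", max(sizes))
    print("pool of 123456:", pool_index("123456"))
    for idx, entropy in sorted(weak_pools(pools).items()):
        print(f"weak pool {idx}: guessing entropy {entropy:.2f}")
    cleaned = build_pools(constructed_dataset(), blacklist={"123456"})
    print("weak pools after blacklisting 123456:", sorted(weak_pools(cleaned)))
```

A single dominant password is enough to pull its whole pool far below the threshold, while a flat pool of x entries has guessing entropy (x+1)/2, so it needs at least 2047 entries to reach 1024.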

Experiment 1. Results from top 1 million most popular passwords of Rockyou dataset
Note: Since h(123456) mod 256 = (7C4A8D09CA3762AF61E59520943DC26494F8941B) mod 256 = 27, the password pool of 123456 is denoted by 27.txt

Rank (top 20) | Password | Total counts of passwords | Hash value of the password (SHA-1) | Password Pool
1 | 123456 | 290731 | 7C4A8D09CA3762AF61E59520943DC26494F8941B | 27.txt
2 | 12345 | 79078 | 8CB2237D0679CA88DB6464EAC60DA96345513964 | 100.txt
3 | 123456789 | 76790 | F7C3BC1D808E04732ADF679965CCC34CA7AE3448 | 72.txt
4 | Password | 61958 | BE3C943B1609FFFBFC51AAD666D0A04ADF83C9D | 157.txt
5 | iloveyou | 51622 | EE8D8728F435FD550F83852AABAB5234CE1DA528 | 40.txt
6 | princess | 35231 | 775BB961B81DA1CA49217A48E533C832C337154A | 74.txt
7 | rockyou | 22588 | F1CF651CE1A2191A760C0B2F161234F7958E26E4 | 228.txt
8 | 1234567 | 21726 | 20EABE5D64B0E216796E834F52D61FD0B70332FC | 252.txt
9 | 12345678 | 20553 | 7C222FB2927D828AF22F592134E8932480637C0D | 13.txt
10 | abc123 | 17542 | 6367C48DD193D56EA7B0BAAD25B19455E529F5EE | 238.txt
11 | Nicole | 17168 | 17305A2F2AED9D58C73FB12AD27831799DE28B90 | 144.txt
12 | Daniel | 16409 | 7B37259E149636E3330D530CBF408F2B8C1EDA6A | 106.txt
13 | babygirl | 16094 | B03B74363BBB6EE42CE248C7A5344E92FFE76CC7 | 199.txt
14 | monkey | 15294 | AB87D24BDC7452E55738DEB5F868E1F16DEA5ACE | 206.txt
15 | Jessica | 15162 | 15D834B328BB637EEEF49B6624774BDED566B659 | 88.txt
16 | Lovely | 14950 | 2B791F512C4F94B43153DA78FD70066BEE61D27B | 123.txt
17 | michael | 14898 | 17B9E1C64588C7FA6419B4D29DC1F4426279BA01 | 1.txt
18 | Ashley | 14329 | 0B2D293306511D90B3A9F23424FB9836760018CC | 204.txt
19 | 654321 | 13984 | DD5FEF9C1C1DA1394D6D34B248C51BE2AD740840 | 64.txt
20 | Qwerty | 13856 | 36810ED90AA5DE17CBC1B471B999EC6B53B7C602 | 2.txt


Guessing entropy computed from top 1 million most popular passwords of Rockyou dataset

(1) The minimum number of passwords in any of the 256 password pools is 3739, and the maximum is 4141;
(2) The minimum guessing expectation (entropy) of the 256 password pools is 111.300, and the maximum is 750.603, which fails to guarantee that the success probability of one online guessing attempt using a password candidate in any pool by the adversary is no more than 1/1024.
(3) Due to storage space constraints of this site, we only upload 10% of the password pool files.
Password Pool (0~255) | Password num in the corresponding pool | Guessing entropy of the pool | Detailed information of the pool
0 | 3931 | 456.066 | 0.txt (detailed explanation)
1 | 3875 | 521.564 | 1.txt (detailed explanation)
2 | 3782 | 498.563 | 2.txt (detailed explanation)
3 | 3881 | 554.362 | 3.txt
4 | 4030 | 472.87 | 4.txt
5 | 3852 | 643.952 | 5.txt
6 | 3901 | 574.169 | 6.txt
7 | 4001 | 702.578 | 7.txt
8 | 3877 | 596.034 | 8.txt
9 | 3788 | 500.743 | 9.txt
10 | 4025 | 682.818 | 10.txt
11 | 3881 | 632.69 | 11.txt
12 | 3848 | 647.824 | 12.txt
13 | 3969 | 486.495 | 13.txt
14 | 3815 | 608.904 | 14.txt
15 | 3953 | 698.454 | 15.txt
16 | 3874 | 597.571 | 16.txt
17 | 3902 | 647.534 | 17.txt
18 | 3907 | 598.177 | 18.txt
19 | 3873 | 534.058 | 19.txt
20 | 3894 | 664.992 | 20.txt
21 | 3964 | 603.214 | 21.txt
22 | 3839 | 474.044 | 22.txt
23 | 3861 | 593.656 | 23.txt
24 | 3818 | 607.935 | 24.txt
25 | 3914 | 593.425 | 25.txt
26 | 4141 | 664.88 | 26.txt
27 | 3927 | 111.3 | 27.txt
28 | 3858 | 572.974 | 28.txt
29 | 3914 | 622.416 | 29.txt
30 | 3955 | 501.364 | 30.txt
31 | 3920 | 495.271 | 31.txt
32 | 3869 | 464.473 | 32.txt
33 | 3791 | 592.997 | 33.txt
34 | 3860 | 692.832 | 34.txt
35 | 3849 | 541.271 | 35.txt
36 | 3917 | 625.334 | 36.txt
37 | 3939 | 662.513 | 37.txt
38 | 3844 | 634.925 | 38.txt
39 | 3829 | 639.935 | 39.txt
40 | 3828 | 311.414 | 40.txt
41 | 3749 | 594.134 | 41.txt
42 | 3867 | 608.478 | 42.txt
43 | 3924 | 605.582 | 43.txt
44 | 3874 | 653.44 | 44.txt
45 | 4015 | 501.028 | 45.txt
46 | 3883 | 655.739 | 46.txt
47 | 3908 | 546.459 | 47.txt
48 | 3896 | 677.766 | 48.txt
49 | 3935 | 558.897 | 49.txt
50 | 3861 | 663.958 | 50.txt
51 | 4010 | 601.677 | 51.txt
52 | 3876 | 608.394 | 52.txt
53 | 3927 | 550.599 | 53.txt
54 | 3927 | 559.54 | 54.txt
55 | 3941 | 637.972 | 55.txt
56 | 3840 | 631.933 | 56.txt
57 | 3987 | 475.395 | 57.txt
58 | 3884 | 597.019 | 58.txt
59 | 3905 | 569.33 | 59.txt
60 | 3830 | 636.877 | 60.txt
61 | 3923 | 423.499 | 61.txt
62 | 3849 | 573.829 | 62.txt
63 | 3923 | 652.133 | 63.txt
64 | 3928 | 451.094 | 64.txt
65 | 3874 | 263.067 | 65.txt
66 | 3927 | 571.743 | 66.txt
67 | 3933 | 643.201 | 67.txt
68 | 3949 | 594.527 | 68.txt
69 | 3941 | 588.869 | 69.txt
70 | 4027 | 554.366 | 70.txt
71 | 3946 | 565.557 | 71.txt
72 | 3928 | 575.827 | 72.txt
73 | 3949 | 710.436 | 73.txt
74 | 3885 | 399.675 | 74.txt
75 | 3832 | 589.058 | 75.txt
76 | 3970 | 750.603 | 76.txt
77 | 3926 | 526.321 | 77.txt
78 | 3856 | 603.976 | 78.txt
79 | 3896 | 463.028 | 79.txt
80 | 4017 | 708.205 | 80.txt
81 | 3957 | 486.732 | 81.txt
82 | 3908 | 570.216 | 82.txt
83 | 3901 | 659.026 | 83.txt
84 | 3809 | 507.314 | 84.txt
85 | 3836 | 486.013 | 85.txt
86 | 3983 | 669.729 | 86.txt
87 | 4009 | 438.173 | 87.txt
88 | 4080 | 618.926 | 88.txt
89 | 3950 | 559.893 | 89.txt
90 | 3913 | 490.117 | 90.txt
91 | 3876 | 572.569 | 91.txt
92 | 3887 | 662.192 | 92.txt
93 | 3984 | 666.496 | 93.txt
94 | 3909 | 507.759 | 94.txt
95 | 3883 | 595.845 | 95.txt
96 | 3933 | 428.416 | 96.txt
97 | 3999 | 543.855 | 97.txt
98 | 3846 | 461.857 | 98.txt
99 | 3844 | 585.047 | 99.txt
100 | 3869 | 232.813 | 100.txt
101 | 3972 | 417.765 | 101.txt
102 | 3955 | 516.289 | 102.txt
103 | 3887 | 626.966 | 103.txt
104 | 3862 | 580.481 | 104.txt
105 | 3850 | 582.588 | 105.txt
106 | 3815 | 581.895 | 106.txt
107 | 4040 | 696.303 | 107.txt
108 | 3822 | 604.468 | 108.txt
109 | 3928 | 615.6 | 109.txt
110 | 3947 | 680.602 | 110.txt
111 | 3853 | 600.108 | 111.txt
112 | 3962 | 523.174 | 112.txt
113 | 3961 | 594.623 | 113.txt
114 | 3998 | 599.626 | 114.txt
115 | 3918 | 511.183 | 115.txt
116 | 3949 | 529.86 | 116.txt
117 | 3931 | 560.826 | 117.txt
118 | 3889 | 623.315 | 118.txt
119 | 3941 | 660.448 | 119.txt
120 | 3925 | 547.043 | 120.txt
121 | 3884 | 639.473 | 121.txt
122 | 3964 | 608.662 | 122.txt
123 | 3815 | 510.854 | 123.txt
124 | 3883 | 690.687 | 124.txt
125 | 3962 | 675.416 | 125.txt
126 | 3925 | 573.798 | 126.txt
127 | 3875 | 603.544 | 127.txt
128 | 3857 | 642.477 | 128.txt
129 | 3847 | 583.051 | 129.txt
130 | 3859 | 543.291 | 130.txt
131 | 3866 | 669.657 | 131.txt
132 | 4021 | 591.792 | 132.txt
133 | 3902 | 684.257 | 133.txt
134 | 3927 | 537.564 | 134.txt
135 | 3951 | 587.22 | 135.txt
136 | 3951 | 459.759 | 136.txt
137 | 3871 | 579.866 | 137.txt
138 | 3848 | 608.875 | 138.txt
139 | 3923 | 505.186 | 139.txt
140 | 3848 | 631.696 | 140.txt
141 | 3919 | 610.539 | 141.txt
142 | 3886 | 624.757 | 142.txt
143 | 3869 | 710.828 | 143.txt
144 | 3978 | 601.756 | 144.txt
145 | 3813 | 607.281 | 145.txt
146 | 3884 | 569.825 | 146.txt
147 | 3910 | 598.154 | 147.txt
148 | 3800 | 537.823 | 148.txt
149 | 3855 | 504.419 | 149.txt
150 | 3900 | 562.327 | 150.txt
151 | 3932 | 549.272 | 151.txt
152 | 3901 | 605.497 | 152.txt
153 | 3963 | 616.133 | 153.txt
154 | 3961 | 538.165 | 154.txt
155 | 3883 | 662.244 | 155.txt
156 | 4036 | 550.988 | 156.txt
157 | 3924 | 639.737 | 157.txt
158 | 3828 | 542.163 | 158.txt
159 | 3873 | 528.312 | 159.txt
160 | 3835 | 608.581 | 160.txt
161 | 3857 | 652.625 | 161.txt
162 | 3774 | 594.604 | 162.txt
163 | 3981 | 458.436 | 163.txt
164 | 3912 | 530.653 | 164.txt
165 | 3890 | 513.925 | 165.txt
166 | 3980 | 617.109 | 166.txt
167 | 3910 | 504.761 | 167.txt
168 | 3836 | 549.107 | 168.txt
169 | 3923 | 583.592 | 169.txt
170 | 3906 | 545.297 | 170.txt
171 | 3937 | 635.797 | 171.txt
172 | 3892 | 632.178 | 172.txt
173 | 3929 | 552.963 | 173.txt
174 | 3986 | 568.902 | 174.txt
175 | 3853 | 639.06 | 175.txt
176 | 3817 | 600.586 | 176.txt
177 | 3973 | 548.063 | 177.txt
178 | 3880 | 630.309 | 178.txt
179 | 3850 | 502.308 | 179.txt
180 | 3861 | 597.059 | 180.txt
181 | 3912 | 627.078 | 181.txt
182 | 3841 | 552.114 | 182.txt
183 | 3823 | 676.98 | 183.txt
184 | 3843 | 639.281 | 184.txt
185 | 3950 | 562.584 | 185.txt
186 | 4004 | 489.626 | 186.txt
187 | 3948 | 509.436 | 187.txt
188 | 3843 | 651.086 | 188.txt
189 | 3939 | 572.476 | 189.txt
190 | 3889 | 558.431 | 190.txt
191 | 3883 | 502.478 | 191.txt
192 | 3876 | 630.916 | 192.txt
193 | 3975 | 706.682 | 193.txt
194 | 3906 | 567.064 | 194.txt
195 | 4027 | 616.758 | 195.txt
196 | 3967 | 589.749 | 196.txt
197 | 3943 | 617.527 | 197.txt
198 | 3846 | 494.735 | 198.txt
199 | 3739 | 422.52 | 199.txt
200 | 4030 | 669.813 | 200.txt
201 | 3855 | 709.969 | 201.txt
202 | 3847 | 556.276 | 202.txt
203 | 3944 | 624.069 | 203.txt
204 | 4009 | 661.869 | 204.txt
205 | 3865 | 647.862 | 205.txt
206 | 4027 | 566.016 | 206.txt
207 | 3880 | 573.859 | 207.txt
208 | 3983 | 658.469 | 208.txt
209 | 3905 | 609.915 | 209.txt
210 | 3913 | 587.225 | 210.txt
211 | 3927 | 504.236 | 211.txt
212 | 3978 | 547.315 | 212.txt
213 | 3898 | 490.275 | 213.txt
214 | 3911 | 535.505 | 214.txt
215 | 3930 | 540.023 | 215.txt
216 | 3858 | 283.764 | 216.txt
217 | 3907 | 491.886 | 217.txt
218 | 3915 | 603.031 | 218.txt
219 | 3937 | 583.232 | 219.txt
220 | 3845 | 559.397 | 220.txt
221 | 3834 | 574.724 | 221.txt
222 | 3991 | 695.071 | 222.txt
223 | 3861 | 701.263 | 223.txt
224 | 3926 | 702.556 | 224.txt
225 | 4005 | 540.569 | 225.txt
226 | 3897 | 568.862 | 226.txt
227 | 3960 | 565.412 | 227.txt
228 | 3995 | 461.794 | 228.txt
229 | 3892 | 504.16 | 229.txt
230 | 3783 | 613.332 | 230.txt
231 | 3963 | 592.394 | 231.txt
232 | 3938 | 547.443 | 232.txt
233 | 3841 | 571.479 | 233.txt
234 | 3873 | 452.013 | 234.txt
235 | 3839 | 729.95 | 235.txt
236 | 3828 | 592.3 | 236.txt
237 | 3892 | 591.438 | 237.txt
238 | 3821 | 489.14 | 238.txt
239 | 4019 | 573.706 | 239.txt
240 | 3847 | 516.164 | 240.txt
241 | 3993 | 445.698 | 241.txt
242 | 3869 | 547.257 | 242.txt
243 | 3909 | 510.122 | 243.txt
244 | 3814 | 547.455 | 244.txt
245 | 3846 | 597.447 | 245.txt
246 | 3759 | 524.559 | 246.txt
247 | 4011 | 561.081 | 247.txt
248 | 3931 | 643.724 | 248.txt
249 | 3898 | 661.723 | 249.txt
250 | 3856 | 467.799 | 250.txt
251 | 3854 | 467.906 | 251.txt
252 | 3972 | 425.096 | 252.txt
253 | 3986 | 627.084 | 253.txt
254 | 3983 | 665.496 | 254.txt
255 | 3925 | 633.988 | 255.txt

Experiment 2. Results from the top 1 million most popular passwords of CSDN dataset
(1) The minimum number of passwords in any of the 256 password pools is 3756, and the maximum is 4079;
(2) The minimum guessing expectation of the 256 password pools is 39.799, the maximum is 1122.18, and the majority is below 1024, which fails to guarantee that the success probability of one online guessing attempt using a password candidate in any pool by the adversary is no more than 1/1024.
(3) Due to storage space constraints of this site, we only upload 10% of the password pool files.

Password Pool (0~255) | Password num in the corresponding pool | Guessing entropy of the pool | Detailed information of the pool
0 | 3867 | 1023.08 | 0.txt (detailed explanation)
1 | 3964 | 1098.26 | 1.txt (detailed explanation)
2 | 3862 | 925.523 | 2.txt (detailed explanation)
3 | 3983 | 941.73 | 3.txt
4 | 3840 | 794.435 | 4.txt
5 | 3846 | 901.394 | 5.txt
6 | 4039 | 1087.68 | 6.txt
7 | 3917 | 972.911 | 7.txt
8 | 3890 | 1009.77 | 8.txt
9 | 3866 | 858.732 | 9.txt
10 | 3928 | 999.082 | 10.txt
11 | 4063 | 1109.14 | 11.txt
12 | 3870 | 1049.21 | 12.txt
13 | 3980 | 44.6363 | 13.txt
14 | 3935 | 867.563 | 14.txt
15 | 3892 | 920.604 | 15.txt
16 | 3914 | 988.872 | 16.txt
17 | 3963 | 1014.56 | 17.txt
18 | 3888 | 830.814 | 18.txt
19 | 3977 | 745.67 | 19.txt
20 | 3925 | 1014.87 | 20.txt
21 | 3756 | 965.85 | 21.txt
22 | 3997 | 764.209 | 22.txt
23 | 3860 | 941.439 | 23.txt
24 | 3910 | 611.132 | 24.txt
25 | 3771 | 829.924 | 25.txt
26 | 3929 | 968.136 | 26.txt
27 | 4004 | 799.307 | 27.txt
28 | 3934 | 933.432 | 28.txt
29 | 3888 | 848.446 | 29.txt
30 | 3866 | 986.977 | 30.txt
31 | 3853 | 895.338 | 31.txt
32 | 3978 | 869.98 | 32.txt
33 | 3905 | 960.332 | 33.txt
34 | 3819 | 999.75 | 34.txt
35 | 3864 | 1073.17 | 35.txt
36 | 3967 | 863.53 | 36.txt
37 | 4022 | 987.565 | 37.txt
38 | 3895 | 1011.13 | 38.txt
39 | 3818 | 946.33 | 39.txt
40 | 3767 | 680.162 | 40.txt
41 | 3977 | 907.832 | 41.txt
42 | 3941 | 624.903 | 42.txt
43 | 3906 | 808.396 | 43.txt
44 | 3969 | 1053.7 | 44.txt
45 | 3826 | 902.647 | 45.txt
46 | 3903 | 945.085 | 46.txt
47 | 3806 | 774.794 | 47.txt
48 | 3969 | 719.332 | 48.txt
49 | 3993 | 973.003 | 49.txt
50 | 3858 | 949.001 | 50.txt
51 | 3876 | 967.216 | 51.txt
52 | 3831 | 998.753 | 52.txt
53 | 3864 | 819.275 | 53.txt
54 | 3930 | 585.703 | 54.txt
55 | 3907 | 1040.53 | 55.txt
56 | 3815 | 958.778 | 56.txt
57 | 3956 | 954.395 | 57.txt
58 | 3877 | 893.225 | 58.txt
59 | 3808 | 899.602 | 59.txt
60 | 3849 | 898.47 | 60.txt
61 | 3976 | 866.772 | 61.txt
62 | 3895 | 826.439 | 62.txt
63 | 3864 | 356.453 | 63.txt
64 | 3945 | 985.61 | 64.txt
65 | 3901 | 39.799 | 65.txt
66 | 4014 | 833.039 | 66.txt
67 | 3905 | 1047.26 | 67.txt
68 | 3859 | 961.809 | 68.txt
69 | 3937 | 1052.69 | 69.txt
70 | 3928 | 1003.16 | 70.txt
71 | 3909 | 839.485 | 71.txt
72 | 3867 | 865.656 | 72.txt
73 | 3828 | 983.468 | 73.txt
74 | 3848 | 908.574 | 74.txt
75 | 3959 | 952.067 | 75.txt
76 | 3839 | 950.681 | 76.txt
77 | 3938 | 1009.26 | 77.txt
78 | 3828 | 884.069 | 78.txt
79 | 3905 | 909.355 | 79.txt
80 | 3926 | 736.991 | 80.txt
81 | 3824 | 1094.41 | 81.txt
82 | 3989 | 1028.08 | 82.txt
83 | 3951 | 1017.11 | 83.txt
84 | 3889 | 992.073 | 84.txt
85 | 3915 | 920.012 | 85.txt
86 | 3931 | 930.292 | 86.txt
87 | 3878 | 960.317 | 87.txt
88 | 3800 | 934.424 | 88.txt
89 | 3909 | 600.663 | 89.txt
90 | 3907 | 831.663 | 90.txt
91 | 4014 | 961.935 | 91.txt
92 | 3975 | 1119.53 | 92.txt
93 | 3832 | 908.274 | 93.txt
94 | 3885 | 824.777 | 94.txt
95 | 3939 | 952.701 | 95.txt
96 | 3984 | 1009.26 | 96.txt
97 | 3944 | 950.768 | 97.txt
98 | 3892 | 1027.77 | 98.txt
99 | 4028 | 1038.96 | 99.txt
100 | 3858 | 828.609 | 100.txt
101 | 3878 | 741.538 | 101.txt
102 | 3850 | 803.875 | 102.txt
103 | 3920 | 789.72 | 103.txt
104 | 3871 | 898.089 | 104.txt
105 | 3853 | 1068.52 | 105.txt
106 | 3853 | 912.529 | 106.txt
107 | 3825 | 934.853 | 107.txt
108 | 3920 | 983.014 | 108.txt
109 | 3837 | 865.35 | 109.txt
110 | 3952 | 901.935 | 110.txt
111 | 3897 | 903.448 | 111.txt
112 | 3845 | 899.633 | 112.txt
113 | 3830 | 1043.83 | 113.txt
114 | 3885 | 903.039 | 114.txt
115 | 3887 | 875.021 | 115.txt
116 | 3982 | 872.072 | 116.txt
117 | 3893 | 638.946 | 117.txt
118 | 3981 | 851.745 | 118.txt
119 | 3847 | 1122.18 | 119.txt
120 | 3993 | 866.963 | 120.txt
121 | 2982 | 804.427 | 121.txt
122 | 3873 | 647.657 | 122.txt
123 | 3904 | 951.451 | 123.txt
124 | 4051 | 971.499 | 124.txt
125 | 3925 | 958.3 | 125.txt
126 | 3924 | 941.554 | 126.txt
127 | 4009 | 662.393 | 127.txt
128 | 3883 | 940.499 | 128.txt
129 | 3791 | 934.895 | 129.txt
130 | 3900 | 1025.51 | 130.txt
131 | 3897 | 1020.02 | 131.txt
132 | 3988 | 1100.26 | 132.txt
133 | 3890 | 839.834 | 133.txt
134 | 3951 | 785.791 | 134.txt
135 | 3959 | 891.99 | 135.txt
136 | 3952 | 661.061 | 136.txt
137 | 3876 | 961.444 | 137.txt
138 | 3871 | 975.089 | 138.txt
139 | 3899 | 214.501 | 139.txt
140 | 3898 | 1073.61 | 140.txt
141 | 3867 | 1017.99 | 141.txt
142 | 3832 | 966.581 | 142.txt
143 | 3974 | 961.599 | 143.txt
144 | 3909 | 909.897 | 144.txt
145 | 3841 | 934.665 | 145.txt
146 | 3914 | 326.428 | 146.txt
147 | 4016 | 1021.39 | 147.txt
148 | 3888 | 906.718 | 148.txt
149 | 3914 | 966.049 | 149.txt
150 | 3929 | 659.408 | 150.txt
151 | 3786 | 765.57 | 151.txt
152 | 3930 | 978.291 | 152.txt
153 | 3966 | 905.503 | 153.txt
154 | 3897 | 347.717 | 154.txt
155 | 3877 | 992.109 | 155.txt
156 | 3915 | 707.52 | 156.txt
157 | 3803 | 1005.88 | 157.txt
158 | 3892 | 947.792 | 158.txt
159 | 3792 | 914.298 | 159.txt
160 | 3945 | 910.566 | 160.txt
161 | 3962 | 990.181 | 161.txt
162 | 3861 | 963.387 | 162.txt
163 | 3981 | 956.621 | 163.txt
164 | 3842 | 930.853 | 164.txt
165 | 3898 | 874.573 | 165.txt
166 | 3951 | 984.39 | 166.txt
167 | 3802 | 996.653 | 167.txt
168 | 3887 | 938.229 | 168.txt
169 | 3900 | 735.129 | 169.txt
170 | 3930 | 849.921 | 170.txt
171 | 3929 | 743.855 | 171.txt
172 | 3959 | 1080.14 | 172.txt
173 | 3957 | 982.268 | 173.txt
174 | 4025 | 1051.92 | 174.txt
175 | 3895 | 905.216 | 175.txt
176 | 3881 | 895.464 | 176.txt
177 | 4004 | 1108.33 | 177.txt
178 | 3880 | 900.98 | 178.txt
179 | 3913 | 796.451 | 179.txt
180 | 3853 | 166.335 | 180.txt
181 | 3937 | 1050.23 | 181.txt
182 | 3950 | 891.338 | 182.txt
183 | 3970 | 918.536 | 183.txt
184 | 3967 | 108.176 | 184.txt
185 | 3878 | 1015.28 | 185.txt
186 | 3927 | 1026.36 | 186.txt
187 | 3925 | 955.664 | 187.txt
188 | 3890 | 1006.5 | 188.txt
189 | 3824 | 948.722 | 189.txt
190 | 3924 | 776.401 | 190.txt
191 | 3907 | 927.392 | 191.txt
192 | 3931 | 995.856 | 192.txt
193 | 3846 | 951.855 | 193.txt
194 | 3907 | 881.966 | 194.txt
195 | 3768 | 887.775 | 195.txt
196 | 3877 | 887.982 | 196.txt
197 | 3990 | 966.887 | 197.txt
198 | 3930 | 772.4 | 198.txt
199 | 3891 | 782.534 | 199.txt
200 | 3871 | 984.967 | 200.txt
201 | 3857 | 767.491 | 201.txt
202 | 3901 | 983.269 | 202.txt
203 | 3828 | 848.062 | 203.txt
204 | 3894 | 788.417 | 204.txt
205 | 3900 | 1018 | 205.txt
206 | 3825 | 849.715 | 206.txt
207 | 4000 | 1006 | 207.txt
208 | 4079 | 961.384 | 208.txt
209 | 3946 | 934.371 | 209.txt
210 | 3871 | 973.616 | 210.txt
211 | 3887 | 960.934 | 211.txt
212 | 3939 | 1014.03 | 212.txt
213 | 3905 | 994.589 | 213.txt
214 | 3926 | 1048.58 | 214.txt
215 | 3857 | 786.385 | 215.txt
216 | 3934 | 752.627 | 216.txt
217 | 3936 | 834.084 | 217.txt
218 | 3934 | 868.844 | 218.txt
219 | 3887 | 1058.02 | 219.txt
220 | 4006 | 753.148 | 220.txt
221 | 3830 | 979.968 | 221.txt
222 | 3836 | 1046.12 | 222.txt
223 | 3892 | 894.386 | 223.txt
224 | 3903 | 827.192 | 224.txt
225 | 3982 | 957.222 | 225.txt
226 | 3926 | 905.089 | 226.txt
227 | 3981 | 1056 | 227.txt
228 | 3851 | 987.687 | 228.txt
229 | 4007 | 938.495 | 229.txt
230 | 3854 | 1006.82 | 230.txt
231 | 3868 | 664.966 | 231.txt
232 | 3872 | 727.424 | 232.txt
233 | 3845 | 1034.63 | 233.txt
234 | 3909 | 945.694 | 234.txt
235 | 3860 | 877.16 | 235.txt
236 | 3854 | 921.328 | 236.txt
237 | 3928 | 910.01 | 237.txt
238 | 3897 | 700.225 | 238.txt
239 | 3923 | 872.794 | 239.txt
240 | 3976 | 1035.42 | 240.txt
241 | 3919 | 891.872 | 241.txt
242 | 3993 | 831.549 | 242.txt
243 | 3881 | 890.755 | 243.txt
244 | 3824 | 975.506 | 244.txt
245 | 3813 | 944.213 | 245.txt
246 | 4004 | 688.494 | 246.txt
247 | 3823 | 932.537 | 247.txt
248 | 3943 | 902.889 | 248.txt
249 | 3995 | 630.396 | 249.txt
250 | 3936 | 892.572 | 250.txt
251 | 3857 | 813.427 | 251.txt
252 | 3949 | 733.097 | 252.txt
253 | 3808 | 764.895 | 253.txt
254 | 3822 | 1034.69 | 254.txt
255 | 3856 | 932.788 | 255.txt


Experiment 3. Results from the top 2 million most popular passwords of Rockyou dataset

(1) The minimum number of passwords in any of the 256 password pools is 7612, and the maximum is 8018;
(2) The minimum guessing expectation of the 256 password pools is 247.935, the maximum is 1418.31, and about 16% of the pools are below 1024, which fails to guarantee that the success probability of one online guessing attempt using a password candidate in any pool by the adversary is no more than 1/1024.
(3) Due to storage space constraints of this site, we only upload 10% of the password pool files.
Password Pool (0~255) | Password num in the corresponding pool | Guessing entropy of the pool | Detailed information of the pool
0 | 7764 | 918.705 | 0.txt (detailed explanation)
1 | 7738 | 1047.66 | 1.txt (detailed explanation)
2 | 7671 | 1031.04 | 2.txt (detailed explanation)
3 | 7824 | 1125.91 | 3.txt
4 | 8018 | 960.567 | 4.txt
5 | 7753 | 1281.81 | 5.txt
6 | 7789 | 1148.27 | 6.txt
7 | 7844 | 1353.54 | 7.txt
8 | 7806 | 1204.09 | 8.txt
9 | 7817 | 1056.31 | 9.txt
10 | 7847 | 1313.91 | 10.txt
11 | 7780 | 1260.43 | 11.txt
12 | 7703 | 1284.16 | 12.txt
13 | 7760 | 963.588 | 13.txt
14 | 7775 | 1242.42 | 14.txt
15 | 7730 | 1336.28 | 15.txt
16 | 7778 | 1196.14 | 16.txt
17 | 7823 | 1280.54 | 17.txt
18 | 7848 | 1196.64 | 18.txt
19 | 7761 | 1079.67 | 19.txt
20 | 7840 | 1323.08 | 20.txt
21 | 7883 | 1191.74 | 21.txt
22 | 7723 | 964.332 | 22.txt
23 | 7757 | 1192.62 | 23.txt
24 | 7670 | 1221.79 | 24.txt
25 | 7838 | 1186.49 | 25.txt
26 | 7994 | 1258.99 | 26.txt
27 | 7887 | 247.935 | 27.txt
28 | 7861 | 1182.24 | 28.txt
29 | 7890 | 1240.02 | 29.txt
30 | 7937 | 1030.74 | 30.txt
31 | 7821 | 1001.32 | 31.txt
32 | 7722 | 939.1 | 32.txt
33 | 7621 | 1190.93 | 33.txt
34 | 7764 | 1372.64 | 34.txt
35 | 7654 | 1075.58 | 35.txt
36 | 7874 | 1245.19 | 36.txt
37 | 7865 | 1304.3 | 37.txt
38 | 7828 | 1285.03 | 38.txt
39 | 7862 | 1318.66 | 39.txt
40 | 7766 | 671.304 | 40.txt
41 | 7675 | 1227.87 | 41.txt
42 | 7775 | 1230.78 | 42.txt
43 | 7748 | 1185.84 | 43.txt
44 | 7776 | 1295.78 | 44.txt
45 | 7869 | 991.927 | 45.txt
46 | 7714 | 1285.14 | 46.txt
47 | 7820 | 1095.93 | 47.txt
48 | 7778 | 1323.08 | 48.txt
49 | 7896 | 1125.93 | 49.txt
50 | 7878 | 1341 | 50.txt
51 | 7840 | 1182.15 | 51.txt
52 | 7762 | 1209.92 | 52.txt
53 | 7822 | 1105.43 | 53.txt
54 | 7863 | 1134.15 | 54.txt
55 | 7844 | 1253.48 | 55.txt
56 | 7740 | 1268.94 | 56.txt
57 | 7842 | 961.555 | 57.txt
58 | 7800 | 1203.38 | 58.txt
59 | 7828 | 1146.1 | 59.txt
60 | 7790 | 1298.18 | 60.txt
61 | 7946 | 883.748 | 61.txt
62 | 7724 | 1152.49 | 62.txt
63 | 7822 | 1273.02 | 63.txt
64 | 7920 | 926.633 | 64.txt
65 | 7701 | 562.318 | 65.txt
66 | 7796 | 1137.47 | 66.txt
67 | 7705 | 1244.44 | 67.txt
68 | 7760 | 1160.52 | 68.txt
69 | 7788 | 1166.77 | 69.txt
70 | 7870 | 1089.3 | 70.txt
71 | 7822 | 1116.49 | 71.txt
72 | 7693 | 1130.84 | 72.txt
73 | 7836 | 1382.29 | 73.txt
74 | 7799 | 828.109 | 74.txt
75 | 7682 | 1181.81 | 75.txt
76 | 7777 | 1418.31 | 76.txt
77 | 7821 | 1054.68 | 77.txt
78 | 7759 | 1216.33 | 78.txt
79 | 7820 | 949.734 | 79.txt
80 | 7958 | 1384.67 | 80.txt
81 | 7901 | 1000.26 | 81.txt
82 | 7950 | 1173.87 | 82.txt
83 | 7860 | 1301.27 | 83.txt
84 | 7703 | 1041.68 | 84.txt
85 | 7736 | 1002.37 | 85.txt
86 | 7882 | 1298.91 | 86.txt
87 | 7933 | 876.528 | 87.txt
88 | 7959 | 1206.83 | 88.txt
89 | 7868 | 1119.04 | 89.txt
90 | 7772 | 981.857 | 90.txt
91 | 7895 | 1186.88 | 91.txt
92 | 7830 | 1321.74 | 92.txt
93 | 7811 | 1293.58 | 93.txt
94 | 7876 | 1034.63 | 94.txt
95 | 7827 | 1203.07 | 95.txt
96 | 7901 | 872.998 | 96.txt
97 | 7969 | 1093.81 | 97.txt
98 | 7666 | 942.375 | 98.txt
99 | 7848 | 1207.78 | 99.txt
100 | 7840 | 505.849 | 100.txt
101 | 7913 | 863.928 | 101.txt
102 | 7872 | 1029.43 | 102.txt
103 | 7811 | 1269.98 | 103.txt
104 | 7829 | 1171.16 | 104.txt
105 | 7684 | 1154.01 | 105.txt
106 | 7761 | 1190.54 | 106.txt
107 | 7876 | 1324.54 | 107.txt
108 | 7773 | 1237.48 | 108.txt
109 | 7932 | 1257.97 | 109.txt
110 | 7837 | 1318.27 | 110.txt
111 | 7818 | 1222.94 | 111.txt
112 | 7864 | 1049.29 | 112.txt
113 | 7805 | 1163.29 | 113.txt
114 | 7949 | 1194.3 | 114.txt
115 | 7884 | 1048.6 | 115.txt
116 | 7926 | 1081.33 | 116.txt
117 | 7903 | 1130.92 | 117.txt
118 | 7848 | 1257.09 | 118.txt
119 | 7714 | 1270.85 | 119.txt
120 | 7756 | 1085.62 | 120.txt
121 | 7789 | 1278.54 | 121.txt
122 | 7761 | 1183.47 | 122.txt
123 | 7720 | 1048.98 | 123.txt
124 | 7901 | 1395.01 | 124.txt
125 | 7958 | 1340.32 | 125.txt
126 | 7817 | 1143.36 | 126.txt
127 | 7817 | 1211.04 | 127.txt
128 | 7809 | 1288.2 | 128.txt
129 | 7666 | 1158.95 | 129.txt
130 | 7718 | 1091.42 | 130.txt
131 | 7723 | 1321.2 | 131.txt
132 | 7970 | 1176.55 | 132.txt
133 | 7886 | 1354.4 | 133.txt
134 | 7854 | 1085.79 | 134.txt
135 | 7855 | 1173.28 | 135.txt
136 | 7698 | 912.117 | 136.txt
137 | 7859 | 1180.49 | 137.txt
138 | 7859 | 1244.64 | 138.txt
139 | 7908 | 1042.65 | 139.txt
140 | 7836 | 1282.06 | 140.txt
141 | 7929 | 1248.4 | 141.txt
142 | 7796 | 1258.42 | 142.txt
143 | 7716 | 1380.12 | 143.txt
144 | 7859 | 1175.46 | 144.txt
145 | 7679 | 1219.2 | 145.txt
146 | 7754 | 1150.24 | 146.txt
147 | 7856 | 1189.53 | 147.txt
148 | 7644 | 1085.54 | 148.txt
149 | 7698 | 1024.95 | 149.txt
150 | 7796 | 1127.55 | 150.txt
151 | 7820 | 1101.49 | 151.txt
152 | 7806 | 1214.48 | 152.txt
153 | 7721 | 1181.21 | 153.txt
154 | 7851 | 1084.08 | 154.txt
155 | 7817 | 1324.82 | 155.txt
156 | 7937 | 1085.44 | 156.txt
157 | 7729 | 1250.64 | 157.txt
158 | 7616 | 1073.56 | 158.txt
159 | 7785 | 1083.14 | 159.txt
160 | 7795 | 1238.58 | 160.txt
161 | 7768 | 1296.44 | 161.txt
162 | 7619 | 1199.08 | 162.txt
163 | 7947 | 938.505 | 163.txt
164 | 7833 | 1069.08 | 164.txt
165 | 7818 | 1048.7 | 165.txt
166 | 7945 | 1221.22 | 166.txt
167 | 7781 | 1015.57 | 167.txt
168 | 7612 | 1091.08 | 168.txt
169 | 7803 | 1165.82 | 169.txt
170 | 7766 | 1090.68 | 170.txt
171 | 7939 | 1278.3 | 171.txt
172 | 7812 | 1265.51 | 172.txt
173 | 7895 | 1125.42 | 173.txt
174 | 7898 | 1133.84 | 174.txt
175 | 7647 | 1247.82 | 175.txt
176 | 7764 | 1230.83 | 176.txt
177 | 7802 | 1099.19 | 177.txt
178 | 7842 | 1279.85 | 178.txt
179 | 7776 | 1046.66 | 179.txt
180 | 7937 | 1235.64 | 180.txt
181 | 7840 | 1249.47 | 181.txt
182 | 7726 | 1107.42 | 182.txt
183 | 7681 | 1348.77 | 183.txt
184 | 7689 | 1256.01 | 184.txt
185 | 7911 | 1134.4 | 185.txt
186 | 7902 | 992.791 | 186.txt
187 | 7867 | 1038.36 | 187.txt
188 | 7745 | 1298.98 | 188.txt
189 | 7936 | 1160.41 | 189.txt
190 | 7656 | 1094.23 | 190.txt
191 | 7789 | 1018.41 | 191.txt
192 | 7748 | 1248.52 | 192.txt
193 | 7949 | 1385.79 | 193.txt
194 | 7845 | 1149.58 | 194.txt
195 | 7929 | 1196.9 | 195.txt
196 | 7838 | 1159.48 | 196.txt
197 | 7733 | 1202.37 | 197.txt
198 | 7750 | 1008.23 | 198.txt
199 | 7630 | 889.762 | 199.txt
200 | 8015 | 1320.09 | 200.txt
201 | 7757 | 1400.3 | 201.txt
202 | 7758 | 1137.77 | 202.txt
203 | 7826 | 1223.71 | 203.txt
204 | 7925 | 1280.96 | 204.txt
205 | 7841 | 1299.98 | 205.txt
206 | 8017 | 1149.65 | 206.txt
207 | 7763 | 1152.59 | 207.txt
208 | 7919 | 1294.07 | 208.txt
209 | 7895 | 1234.98 | 209.txt
210 | 7881 | 1187.57 | 210.txt
211 | 7907 | 1026.52 | 211.txt
212 | 7823 | 1079.16 | 212.txt
213 | 7891 | 1020.64 | 213.txt
214 | 7842 | 1072.42 | 214.txt
215 | 7815 | 1076.97 | 215.txt
216 | 7711 | 594.755 | 216.txt
217 | 7818 | 988.178 | 217.txt
218 | 7729 | 1195.74 | 218.txt
219 | 7784 | 1158.1 | 219.txt
220 | 7789 | 1134.25 | 220.txt
221 | 7705 | 1149.77 | 221.txt
222 | 7880 | 1354.27 | 222.txt
223 | 7893 | 1405.4 | 223.txt
224 | 7912 | 1390.27 | 224.txt
225 | 7922 | 1074.49 | 225.txt
226 | 7821 | 1150.97 | 226.txt
227 | 7883 | 1145.39 | 227.txt
228 | 7925 | 932.713 | 228.txt
229 | 7774 | 1029.92 | 229.txt
230 | 7779 | 1263.71 | 230.txt
231 | 7779 | 1168.54 | 231.txt
232 | 7823 | 1094.46 | 232.txt
233 | 7728 | 1146.77 | 233.txt
234 | 7835 | 939.76 | 234.txt
235 | 7690 | 1412.4 | 235.txt
236 | 7752 | 1192.53 | 236.txt
237 | 7795 | 1179.37 | 237.txt
238 | 7730 | 1017.02 | 238.txt
239 | 7937 | 1139.56 | 239.txt
240 | 7711 | 1044.77 | 240.txt
241 | 7778 | 895.022 | 241.txt
242 | 7692 | 1103.16 | 242.txt
243 | 7668 | 1018.9 | 243.txt
244 | 7797 | 1140.86 | 244.txt
245 | 7835 | 1224.55 | 245.txt
246 | 7684 | 1083.94 | 246.txt
247 | 7820 | 1088.94 | 247.txt
248 | 7823 | 1261.51 | 248.txt
249 | 7803 | 1301.6 | 249.txt
250 | 7811 | 956.085 | 250.txt
251 | 7836 | 963.337 | 251.txt
252 | 7688 | 837.827 | 252.txt
253 | 7927 | 1242.92 | 253.txt
254 | 7898 | 1307.7 | 254.txt
255 | 7857 | 1249.8 | 255.txt


Experiment 4. Results from the top 2 million most popular passwords of CSDN dataset (Satisfactory results)

(1) The minimum number of passwords in any of the 256 password pools is 7584, and the maximum is 8146;
(2) The minimum guessing expectation of the 256 password pools is 127.743, the maximum is 2600.56, and only about 2.34% of the pools are below 1024. More specifically, six pools are "bad", i.e. POOL65 (127.743), POOL13 (149.431), POOL184 (343.376), POOL180 (528.102), POOL139 (652.968), POOL146 (973.749). This means that, with an overwhelming probability, a pool selected from these 256 pools can guarantee Level 1 security. We further note that, if we eliminate only the single most vulnerable password from each of these six bad pools (e.g., 123456 from POOL65, 123456789 from POOL65), then all 256 password pools will have a guessing expectation larger than 1024. In practice, this can be achieved by using a blacklist and preventing users from choosing these highly vulnerable passwords (e.g., 123456, 123456789).
(3) Due to storage space constraints of this site, we only upload 10% of the password pool files.
Columns: Pool = password pool (0~255); Num = password num in the corresponding pool; Entropy = guessing entropy of the pool; File = detailed information of the pool.

Pool  Num   Entropy  File
0     7883  2492.49  0.txt (detailed explanation)
1     7918  2579.67  1.txt (detailed explanation)
2     7739  2296.24  2.txt (detailed explanation)
3     7824  2259.22  3.txt
4     7783  2063.63  4.txt
5     7807  2279.34  5.txt
6     7970  2531.83  6.txt
7     7856  2373.23  7.txt
8     7817  2433.03  8.txt
9     7732  2152.14  9.txt
10    7883  2410.49  10.txt
11    7921  2548.3   11.txt
12    7754  2501.83  12.txt
13    7980  149.431  13.txt
14    7833  2172.6   14.txt
15    7816  2287.59  15.txt
16    7846  2406.05  16.txt
17    7805  2396.62  17.txt
18    7800  2104.17  18.txt
19    7835  1901.98  19.txt
20    7830  2433.13  20.txt
21    7730  2429.94  21.txt
22    7864  1938.19  22.txt
23    7745  2313.25  23.txt
24    7800  1658.93  24.txt
25    7708  2168.08  25.txt
26    7810  2334.52  26.txt
27    8001  2045.89  27.txt
28    7840  2280.03  28.txt
29    7718  2102.1   29.txt
30    7748  2399.94  30.txt
31    7775  2241.2   31.txt
32    7863  2145.95  32.txt
33    7811  2344.72  33.txt
34    7728  2432.79  34.txt
35    7747  2543.26  35.txt
36    7852  2139.27  36.txt
37    7932  2368.65  37.txt
38    7680  2381.07  38.txt
39    7704  2333.21  39.txt
40    7718  1864.91  40.txt
41    7965  2254.54  41.txt
42    7892  1691.96  42.txt
43    7716  2023.07  43.txt
44    8013  2541.11  44.txt
45    7763  2268.69  45.txt
46    7855  2337.6   46.txt
47    7859  2073.39  47.txt
48    7909  1880.68  48.txt
49    7749  2278.71  49.txt
50    7830  2364.31  50.txt
51    7706  2330.13  51.txt
52    7761  2422.32  52.txt
53    7634  2044.6   53.txt
54    7979  1640.54  54.txt
55    7850  2498.21  55.txt
56    7662  2337.72  56.txt
57    7954  2343.67  57.txt
58    7852  2262.12  58.txt
59    7627  2217.1   59.txt
60    7770  2254.87  60.txt
61    7800  2117.3   61.txt
62    7773  2086.09  62.txt
63    7709  1051.8   63.txt
64    7781  2348.34  64.txt
65    7735  127.743  65.txt
66    7906  2083.03  66.txt
67    7913  2539.55  67.txt
68    7686  2312.98  68.txt
69    7850  2499.91  69.txt
70    7761  2376.25  70.txt
71    7829  2132.02  71.txt
72    7733  2168.81  72.txt
73    7695  2369.19  73.txt
74    7778  2251.13  74.txt
75    7825  2304.26  75.txt
76    7584  2270.72  76.txt
77    7823  2413.42  77.txt
78    7760  2220.25  78.txt
79    7768  2232.27  79.txt
80    7912  1951.99  80.txt
81    7921  2570.2   81.txt
82    7788  2448.16  82.txt
83    7900  2422.05  83.txt
84    7885  2385.26  84.txt
85    7772  2258.31  85.txt
86    7791  2267.15  86.txt
87    7817  2323.96  87.txt
88    7751  2277.5   88.txt
89    7745  1662.81  89.txt
90    7828  2108.01  90.txt
91    7727  2318.99  91.txt
92    7828  2552.5   92.txt
93    7853  2215.18  93.txt
94    7700  2105.23  94.txt
95    7777  2325.58  95.txt
96    7872  2435.1   96.txt
97    7886  2295.89  97.txt
98    7845  2448.32  98.txt
99    7678  2437.44  99.txt
100   8013  2097.57  100.txt
101   7743  1934.18  101.txt
102   7700  2032.76  102.txt
103   7728  2025.48  103.txt
104   7865  2241.76  104.txt
105   7879  2586.39  105.txt
106   7708  2242.08  106.txt
107   7655  2261.55  107.txt
108   7718  2392.72  108.txt
109   7799  2172.62  109.txt
110   7800  2275.08  110.txt
111   7829  2213.7   111.txt
112   7722  2198.72  112.txt
113   7686  2487.24  113.txt
114   7698  2231.2   114.txt
115   7713  2160.63  115.txt
116   7770  2173.56  116.txt
117   7902  1703.89  117.txt
118   7804  2136.2   118.txt
119   7886  2600.56  119.txt
120   7734  2178.71  120.txt
121   7877  2029.4   121.txt
122   7866  1708.16  122.txt
123   7705  2294.11  123.txt
124   7860  2370     124.txt
125   7938  2288.76  125.txt
126   7892  2325.59  126.txt
127   7782  1746.71  127.txt
128   8032  2312.23  128.txt
129   7714  2273.67  129.txt
130   7878  2481.08  130.txt
131   7792  2449.06  131.txt
132   7915  2573.22  132.txt
133   7861  2143.61  133.txt
134   7791  1983.9   134.txt
135   7872  2210.14  135.txt
136   7828  1746.2   136.txt
137   7700  2313.03  137.txt
138   7803  2389.22  138.txt
139   7737  652.968  139.txt
140   7654  2477.86  140.txt
141   7738  2437.25  141.txt
142   7679  2333.01  142.txt
143   7954  2366.59  143.txt
144   7786  2231.43  144.txt
145   7792  2326.75  145.txt
146   7807  973.749  146.txt
147   7999  2461.9   147.txt
148   7730  2220.65  148.txt
149   7804  2331.09  149.txt
150   7861  1757.1   150.txt
151   7825  2058.41  151.txt
152   7836  2347.33  152.txt
153   7989  2274.99  153.txt
154   7779  1028.43  154.txt
155   7745  2372.34  155.txt
156   7893  1884.36  156.txt
157   7658  2417.59  157.txt
158   7842  2339.53  158.txt
159   7663  2280.01  159.txt
160   7711  2185.06  160.txt
161   7893  2393.79  161.txt
162   7876  2389.29  162.txt
163   7861  2307.7   163.txt
164   7859  2344.2   164.txt
165   7882  2221.08  165.txt
166   7894  2391.29  166.txt
167   7853  2484.44  167.txt
168   7772  2294.73  168.txt
169   7875  1945.62  169.txt
170   7835  2134     170.txt
171   7906  1947.36  171.txt
172   7840  2530.77  172.txt
173   7832  2355.78  173.txt
174   7966  2495.01  174.txt
175   7722  2218.59  175.txt
176   7809  2229.88  176.txt
177   7823  2532.13  177.txt
178   7822  2251.4   178.txt
179   7796  2022.26  179.txt
180   7724  528.102  180.txt
181   7860  2491.6   181.txt
182   7846  2204.38  182.txt
183   7837  2228.95  183.txt
184   7872  343.376  184.txt
185   7884  2485.31  185.txt
186   7779  2423.89  186.txt
187   7773  2303.37  187.txt
188   7755  2413.59  188.txt
189   7694  2318.98  189.txt
190   7793  1983.78  190.txt
191   7796  2282.79  191.txt
192   7861  2410.65  192.txt
193   7686  2314.79  193.txt
194   7824  2198.74  194.txt
195   7693  2246.29  195.txt
196   7763  2197.7   196.txt
197   7904  2331.07  197.txt
198   7895  2000.11  198.txt
199   7690  1969.36  199.txt
200   7829  2406.52  200.txt
201   7817  2021.61  201.txt
202   7878  2402.89  202.txt
203   7732  2153.66  203.txt
204   7845  2034.37  204.txt
205   7812  2453.37  205.txt
206   7731  2170.14  206.txt
207   7932  2413.26  207.txt
208   8146  2370.65  208.txt
209   7826  2271.2   209.txt
210   7805  2384.69  210.txt
211   7837  2363.41  211.txt
212   7822  2416.1   212.txt
213   7728  2360.53  213.txt
214   7920  2514.61  214.txt
215   7857  2061.25  215.txt
216   7740  1900.22  216.txt
217   7961  2147.4   217.txt
218   7750  2136.34  218.txt
219   7768  2502.94  219.txt
220   7949  1945.03  220.txt
221   7706  2374.02  221.txt
222   7820  2549.79  222.txt
223   7912  2271.35  223.txt
224   7708  2063.53  224.txt
225   7893  2319.73  225.txt
226   7755  2192.53  226.txt
227   7925  2512.58  227.txt
228   7697  2381.02  228.txt
229   7849  2254.14  229.txt
230   7736  2440.66  230.txt
231   7751  1772.53  231.txt
232   7827  1922.27  232.txt
233   7738  2476.02  233.txt
234   7786  2299.99  234.txt
235   7817  2213.99  235.txt
236   7895  2341.53  236.txt
237   7904  2266.92  237.txt
238   7723  1826.75  238.txt
239   7894  2186.95  239.txt
240   7929  2468.67  240.txt
241   7861  2219.94  241.txt
242   7880  2082.09  242.txt
243   7875  2241.88  243.txt
244   7652  2354.06  244.txt
245   7813  2378.36  245.txt
246   7862  1789.43  246.txt
247   7755  2317.02  247.txt
248   7859  2238.31  248.txt
249   7969  1694.76  249.txt
250   7813  2200.24  250.txt
251   7848  2115.07  251.txt
252   7974  1956.37  252.txt
253   7822  2034.19  253.txt
254   7671  2473.39  254.txt
255   7674  2273.04  255.txt

5. Subtleties revealed from the above four experiments

   In the above four experiments, only the top 2 million CSDN dataset can guarantee that the guessing entropy of every one of its pools is larger than 1024, while the top 1 million CSDN dataset is unable to provide such a security level. This implies that, to provide the expected level of security, the underlying password space of these user-selected passwords must be large enough. In addition, the top 2 million CSDN dataset is sufficient, while the top 2 million Rockyou dataset is insufficient. This implies that, besides a requirement on the size of the password search space, there is also a requirement on the strength of individual passwords. The difference in password strength between these two password datasets is mainly caused by their different password creation policies. More specifically, Rockyou only requires a user-selected password to be at least 5 characters long, while CSDN requires user passwords to be at least 6 characters long. Another contributing factor is that Rockyou passwords protect social networking accounts and its users are mainly non-professionals, while CSDN passwords protect personal technical notes and blogs and its users are mainly programmers.
     After all, we have shown that there does exist a real-life password dataset (i.e., the CSDN dataset) that satisfies a specified level of security, which further demonstrates the feasibility of our "Fuzzy Verifier".
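
The pool analysis from the experiments above, as an added example (not the authors' statistics tool): passwords are assigned to pools by h(PW) mod N with SHA-1 and N = 256, each pool's guessing expectation is computed, and the effect of blacklisting one very popular password is measured. It assumes the digest is read as a big-endian integer and that the guessing expectation is Massey's G = sum of i*p_i within a pool [6]; the password counts are constructed, not taken from CSDN or Rockyou.

```python
import hashlib
from collections import defaultdict

N = 256        # balance factor used on this page
LEVEL1 = 1024  # guessing-expectation threshold used on this page

def pool_index(password, n=N):
    """h(PW) mod n with h = SHA-1; reading the digest big-endian is an assumption."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % n

def build_pools(freqs, n=N, blacklist=()):
    """Group password counts by pool, skipping passwords a blacklist would reject."""
    banned = set(blacklist)
    pools = defaultdict(list)
    for password, count in freqs:
        if password not in banned:
            pools[pool_index(password, n)].append(count)
    return pools

def guessing_expectation(counts):
    """Assumed metric: Massey's G = sum(i * p_i), most popular password guessed first."""
    ordered = sorted(counts, reverse=True)
    return sum(rank * c for rank, c in enumerate(ordered, 1)) / sum(ordered)

def weak_pools(pools, threshold=LEVEL1):
    """Ids of pools whose guessing expectation is below the threshold."""
    return sorted(i for i, c in pools.items() if guessing_expectation(c) < threshold)

def sample_dataset(unique=640_000, hot=("123456", 5_000)):
    """Constructed data: one very popular password plus many used only once."""
    yield hot
    for i in range(unique):
        yield (f"constructed-{i:07d}", 1)

def demo():
    """Return the weak pools without and with 123456 blacklisted."""
    before = weak_pools(build_pools(sample_dataset()))
    after = weak_pools(build_pools(sample_dataset(), blacklist={"123456"}))
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("weak pools, no blacklist:", before)
    print("weak pools, 123456 blacklisted:", after)
```

In the constructed sample only the pool that receives 123456 falls below 1024, and rejecting that single password at enrolment lifts it back above the threshold.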


6. Acknowledgements

        We would like to acknowledge the contributions that Dr. Chen Zhu and Qianchen Gu made in the development of the password statistics software tool used in the analysis of the password datasets in this paper. We are also grateful to Dr. Haibo Chen for some constructive suggestions.

7. References

[1] M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password strength: an empirical analysis,” in Proc. INFOCOM 2010. IEEE, 2010, pp. 1–9.
[2] J. Bonneau, “The science of guessing: Analyzing an anonymized corpus of 70 million passwords,” in Proc. IEEE S&P 2012. IEEE Computer Society, 2012, pp. 538–552.
[3] W. Burr, D. Dodson, R. Perlner, W. Polk, S. Gupta and E. Nabbus: NIST SP800-63-2 – electronic authentication guideline. Tech. rep., National Institute of Standards and Technology, Reston, VA (August 2013), doi:http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[4] C. Allan, 32 million Rockyou passwords stolen, available at http://www.hardwareheaven.com/news.php?newsid=526 (Dec. 2009).
[5] Dazzlepod Inc., CSDN 6 million cleartext passwords, online news, Available at http://dazzlepod.com/csdn/ (Mar. 2013). 
[6] J. L. Massey, “Guessing and Entropy,” in Proceedings of the 1994 IEEE International Symposium on Information Theory, 1994, p. 204-208.
[7] D., Anupam,  J. Bonneau, M. Caesar, A. Nikita and X.F. Wang. Tangled Web of Password Reuse. Proc. NDSS 2014,  San Diego, CA, USA, 23-26 February 2014.
[8] D. Florencio, C. Herley, A large-scale study of web password habits, in: Proceedings of WWW 2007, ACM, 2007, pp. 657–666.
[9] M. Alsaleh, M. Mannan, and P. Van Oorschot, “Revisiting defenses against large-scale online password guessing attacks,” IEEE Trans. Depend. Secur. Comput., vol. 9, no. 1, pp. 128–141, 2012.
