The document summarizes password hacking techniques for ethical practitioners. It discusses how password management systems can increase security but also vulnerability if a single password is cracked. The paper analyzes approaches, tools, and techniques for password hacking in real world scenarios and their implications. It also presents an experiment on password hacking in a subnet to demonstrate vulnerabilities and build appreciation for authors' work in the field.


A Survey of Password Hacking for a Pragmatic Practitioner

Ujjal Kumar Das, Shefalika Ghosh Samaddar, Pankaj Kumar Keserwani

Abstract—The introduction of various password management systems, as provided in cloud services, opens the gate to robust security but at the same time increases the vulnerability to hacking. Password management services such as OpenID may put the security mechanism into an easy and functional mode, but the cracking of a single password then puts the whole security mechanism at stake. The paper analyses the approaches, modes, tools and techniques of password hacking in the real world and its repercussions across applications from fun to finance. Everything in today's world is serious business; even pure entertainment over the Internet may cultivate into ramifications that are no longer entertainment. The paper surveys all such manifestations of password hacking and also presents a ready-to-do experiment of password hacking in a subnet. The experiment, though not novel, is likely to build up appreciation for the efforts of different authors and their achievements, together with the limitations of their studies.

The present paper shows the vulnerability to identity theft over a subnet and shows how communication can be diverted to a possible hacker. Even a denial of service (DoS) attack can easily be launched in a subnet. Identity theft can also lead to impersonation and is therefore a threat to any password management through cloud services. The experimentation can be extended over various sub-nets and super-nets, and an Internet version can be envisaged on the basis of the present experimentation. The harmonious arrangement of tools and techniques for optimised hacking, with new tools emerging every day, is also a challenge. The paper also discusses some of the techniques with matching tools, with due consideration of the objective of hacking. A futuristic view is envisaged in the automation of hacking and the tracking of such problems with certain heuristics.

Keywords—Hacking, cracking, attack, denial of service, vulnerability, hacking tools, cracking tools, passwords.

U. K. Das is with the Department of Computer Science Engineering, Srikrishna College, Bagula, Dist-Nadia, West Bengal, India. E-mail: ujjalmnnit@[Link]. S. G. Samaddar is with National Institute of Technology Sikkim, India. E-mail: shefalika99@[Link]. P. K. Keserwani is with the Department of Computer Science and Engineering, National Institute of Technology Sikkim, India. E-mail: [Link]@[Link].

I. INTRODUCTION

Any system comes with a rudimentary security mechanism in the form of a login and password with a connected user id. Even entertainment over the Internet may cultivate into ramifications that are no longer entertainment. The paper surveys all such manifestations of password hacking and also presents a ready-to-do experiment of password hacking in a subnet. The experiment, though not novel, is likely to build up appreciation for the efforts of different authors and their achievements, together with the limitations of their study. There are various proven mechanisms for hacking or cracking a password, and in most cases a user password can easily be obtained in plain text format using a high-end cracking mechanism. Various work related to hacking and different kinds of attacks over subnets and public networks are investigated.

Section 2 deals with a brief literature survey of the hacking and cracking of passwords from the beginning, including the methods of penetration testing and ethical hacking. Section 3 provides the experimental detail, with some shell programming code to hack the password of a system in a subnet which runs under Linux and Windows. At times, password hacking requires registry editing; a method has been suggested for the same. Section 4 provides the results and details of the data and tools used. Section 5 provides the conclusive range of hacking tools with the theory behind them, under which such experimentation becomes successful. The section also deals with the suggestion of the conditions under which password hacking is not possible; the failure is to indicate that there is always a provision to stop hacking. Section 6 gives the future direction of work in this regard, so that even with further growth of hacking, prevention is available at hand.

II. LITERATURE SURVEY OF PASSWORD HACKING WITH BACKGROUND STUDY

Various e-commerce, email, online shopping, chat, video conferencing etc. require the identification of a user and her corresponding node with a login and password. As technology advances, there is also an increase in the tribe of malicious hackers who steal the credential information of others and transmit it to the open Internet for malicious exploitation. These types of hackers are called black hat hackers. The hacker(s) who address these major issues are termed ethical hackers or white hat hackers. Techniques of ethical hackers to help users and plug up security holes were explained earlier [1]. One key component of ethical hacking is to always gain permission from the data owner prior to accessing the computer system. Hackers with both ethical and malicious intention are known as gray hat hackers [2]. The key techniques and tools generally used by the hacker community are Nmap, Nessus and Netcat, denial-of-service (DoS), war diallers and trace-back avoidance. Hacking of web sessions is among the methodologies used for hacking purposes, and these are also changing frequently with the passage of time [3]. There are some tools that scan a network successfully in one-to-one and one-to-many scenarios, but are not successful for many-to-many and many-to-one [4]. The various general methods of hacking are stealing passwords using key loggers, planting Trojan horses, performing man-in-the-middle attacks, sensing wireless attacks etc. [5]. A method for selecting the right tool intended for ethical hacking has been proposed in [6]. The common approaches suggested against unauthorized security attacks are the use of antivirus, firewall programmes, strong password building mechanisms, hardware firewalls, encrypted file storage etc. [7]. The various phases of hacking are reconnaissance, scanning, owning the system, zombie system and evidence removal [8]. Methodologies of hacking in the Linux environment are discussed in [9]. The main difference between the two techniques is that hacking builds things and cracking breaks them [10].

Several studies and extensive research have been made on the cracking of passwords. It has been shown that passwords are often easy for attackers to compromise [11], [12], [13]. It is noted in [14] that an intelligent program on a simple personal computer could guess 86% of passwords, provided there had been extensive reuse or modified reuse of passwords and the program could be run repetitively in an iterative mode; the time period envisaged is at most one week. Password reuse across different accounts of the same user has been a prevalent practice from the early days of password setting. Once one password of one account of a user is cracked, the same password can be tried again for the other accounts of the same user; the success rate is as high as 86%. The reuse of passwords is a common and growing practice, as users find it easy to remember a common password [15], [16]. A longer password may take longer to crack by a program using a brute force attack [17]. Six password-breaking attack scenarios are discussed in [18]; the scenarios are very familiar to the so-called attackers and hackers. The file of password hashes can be obtained in an unauthorized manner by capturing the shadow file of the password file. Or a number of guesses can be tried in the case of a password whose user is well known by her social and personal behaviour; the password's association with social and personal attributes gives generous clues about guessable passwords. Or a password can be made virtually visible by offering to save the password for the particular system, and such a scenario provides an opportunity to crack passwords. Password reuse and its modified reuse can be exploited for guessing a password. A password can be stolen from a user with ease by noting down the keystrokes from a distance: a cracker who is familiar with the keyboard can guess the input by observing the keystrokes from a distance, and such peeping Toms are good password crackers. Even the scenario of changing a password may leave a copy of the password for the hacker, without the user having any knowledge that her password change has been compromised. Some advanced password-breaking processes are discussed and presented in [19]. It is believed that password composition policies make passwords harder to guess, and such passwords are termed strong passwords. Commonly used methods for quantifying the effect of password-composition policies are estimation of the entropy of the resulting passwords [20], [21], and detailed empirical analysis of the resulting passwords with password guessing tools [22], [23].

There are two types of password cracking attack that are possible: online and offline. In an online password cracking attack, the attacker uses the targeted system like an oracle, submitting guesses to it in an attempt to gain access. In an offline attack, the attacker gains direct access to the password hashes or encrypted files. Offline attacks are also employed in a forensics setting, where law enforcement officers have obtained a computer hard drive and must deal with encrypted files as a matter of course in legal action.

The common practice for guessing the password from a password file is presented below as a decision tree for guessing-related threats (Figure 1).

Fig. 1. Decision tree for guessing-related threats in common practice based on password file details [24]

There are usually three methods for cracking the password: brute force attack, differential cryptanalysis and linear cryptanalysis. All attacking methods have been in use from approximately 1970, and the brute force attack was in use before 1970; rather, the brute force attack happens to be an age-old method, finding its association with the Caesar cipher in 100 BC. In general, communication between the parties is needed to crack the password. Though there are various cracking methods for breaking passwords, at times hardware is also used in unison with the techniques developed, such as key loggers, virtual key loggers and hacking tools (software). Hardware and software together are able to carry out man-in-the-middle attacks and other passive attacks successfully too.

There are many situations where explicit communication is not required between the parties, i.e. attacker and victim. The techniques involved are in use for Linux password cracking, Windows password cracking, file password cracking and server attacks such as DHCP mis-configuration, Wi-Fi password attacks, SQL injection etc.

Many researchers have proposed various mechanisms to overcome the threat of password cracking. They focused on various algorithms for encryption [25], the use of biometrics [26] and graphics as a rescue from cracking vulnerability [27]. The major strategies to overcome the inherent weaknesses in password usage include the following:

1) Password length should be at least 8 characters: longer passwords increase the time taken by software cracking programs to determine them, as the hashing chain becomes longer in a Markov-model-based cracking mechanism.
2) Passwords with mixed case/symbols: a good password should consist of mixed characters (uppercase, lowercase, digits and special characters) and should not consist of words found in the dictionary, even with mixed upper/lower case and symbols such as %. Cracking attacks on such passwords are required to use brute force methods, which increases the number of character permutations that must be tried in a rainbow look-up table.
3) Non-dictionary words: selecting non-dictionary passwords prevents the use of dictionary-based attacks, though not necessarily, since there can be a dictionary of non-dictionary words as well. Making an attack using such a dictionary is a viable option, and the password breaking can be completed within 20 minutes using a dictionary with up to one million non-dictionary words. The way to identify non-dictionary words is the brute force attack. The brute force approach is infeasible when the key space becomes vast and cannot be exhausted in real time to test each and every combination of the characters available, with no restriction on length and order.
4) Password ageing: by applying any of the methods, let us suppose that a hacker or cracker is able to obtain a valid password. Most users get comfortable with their passwords, keeping them running for years together, if not more. The hacker or cracker goes on sniffing the account without any knowledge of the account holder, creating damage and privacy loss. Only once such damage is noticed is the user or account holder bothered to tackle the problem of password ageing. The problem of such intrusion into the account may, at times, be attributed to password ageing. If the password is temporally young, then such intrusion cannot go on for an unlimited period of time, as the password gets changed frequently by its user, and the intruder faces the challenge of detecting the new password every time she tries to intrude upon the account of the user. Stating of passwords is another mechanism to increase the complexity of password cracking. Even if users are only indexing their passwords, they remain equally vulnerable to password cracking, and such indexing does not increase the entropy.

An old survey of password security also contains certain experimentation to show the ease with which individual accounts may be broken [28]. The outline of cracking techniques is another interesting part of this early study. The paper suggests that strong formulation is one of the methods to solve the system vulnerability, and the author proposes a proactive password cracker [28]. A similar measurement of password strength by simulating password cracking algorithms has been obtained by Kelley et al. [29]. They have studied mainly text-based passwords. Password composition policies are becoming complex in the name of increasing password strength, but there are equally prudent analytical techniques. The study of Kelley et al. analyses 12000 passwords collected under seven different password composition policies via an online study. They used several heuristic password guessing algorithms to guess passwords. The passwords have been used to investigate the resistance to guessing of passwords created under different conditions, the performance analysis of guessing algorithms, the relationship between passwords explicitly created under a given composition policy and other password generating policies, and the relationship between guessability and entropy estimates. The study opens up the field for considering password creation habits, clichés, cultural background, linguistic base, religiosity etc. of users. The simulation of password cracking algorithms by Kelley et al. is an extensive study and also provides a very good background study for the purpose [29].

III. EXPERIMENTAL DETAIL

While assigning an IP to a machine that already exists in the subnet, there is an IP address conflict error message. It means that there is a test performed for the assigned IP by applying the IP-to-MAC mapping. In a subnet, if any user can spoof the IP and the MAC of another machine, then there will be no IP address conflict error. In this case two possibilities may arise:

1) If layer-2 switches maintain only one entry for each MAC, then the traffic will be diverted to the most recently updated machine.
2) If layer-2 switches maintain more than one entry for a single MAC, then both of the machines will get the packets.

Many tools such as nmap, lanmap, etc. are available to analyse IP addresses and get the MACs in a subnet. The experiment has been run on the Windows/Linux OS versions that are currently available.

A. IP assignment to a machine

The following pseudo-code/algorithm is proposed in the paper. The following two sets of commands are used for IP assignment to a machine:

• # ifconfig eth0 192.168.1.5 netmask 255.255.255.0 up (Linux)
• Control Panel -> Network Connections -> Properties of Local Area Connection -> General -> Properties of Internet Protocol -> IP address field (Windows)

B. MAC spoofing

MAC spoofing may be done with the following programs:

1) Technitium MAC Address Changer (Windows)
2) SMAC (Windows)
3) ifconfig (Linux)
• # ifconfig eth0 down (turns off card)
• # ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx (new MAC)
• # ifconfig eth0 up (turns card back on)

1) Method 1 (for Windows 10/Windows 8.1/Windows 8/Windows 7/Windows Vista/Windows XP/Windows 2000):

1) This depends on the type of Network Interface Card (NIC) the machine or node has. If it has a card that does not support cloning the MAC address, then the second method is likely to give the result.
2) Go to Start -> Settings -> Control Panel and double click on Network and Dial-up Connections.
3) Right click on the NIC with the MAC address that is required to be changed and click the Properties tab.
4) Under the "General" tab, click on the "Configure" button.
5) Click on the "Advanced" tab.
6) Under the "Property" section, click the item called "Network Address" or "Locally Administered Address".
7) On the right side, under "Value", type in the new MAC address you want to assign to your NIC. Usually this value is entered without the "-" between the MAC address numbers.
8) Go to the command prompt and type in "ipconfig /all" or "net config rdr" to verify the changes. If the changes have not materialised, then the second method is to be used.
9) If successful, reboot the system for the change to become effective.

2) Method 2: this should work on all Windows systems, as per the steps given below:

1) Go to Start > Run, type "regedt32" to start the registry editor. Do not use "Regedit".
2) Go to "HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Class -> {4D36E972-E325-11CE-BFC1-08002BE10318}". Double click on it to expand the tree. The subkeys are 4-digit numbers, which represent particular network adapters. You should see it start with 0000, then 0001, 0002, 0003 and so on.
3) Find the wanted interface by searching for the proper "DriverDesc" key.
4) Edit, or add, the string key "NetworkAddress" (of data type "REG_SZ") to contain the new MAC address.
5) Disable then re-enable the network interface that was changed (or reboot the system).

Fig. 3. Applying the command to change the MAC address

Fig. 4. Screen after changing the MAC address
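The IP-to-MAC test and the two switch behaviours described at the start of Section III are also what a defender can watch for. The following is an added example (not code from the paper) that compares two snapshots of a host's neighbour table, in the `ip neigh show` line format, and flags an IP whose hardware address has changed and a MAC that now answers for more than one IP; both snapshots are constructed sample data. When an attacker clones both the IP and the MAC, a neighbour table alone shows no change and the switch's MAC-address table (port moves for one MAC) is the place to look instead.

```python
import re
from collections import defaultdict

# Two constructed neighbour-table snapshots in `ip neigh show` format (assumed
# layout: "<ip> dev <iface> lladdr <mac> <state>"). BASELINE was taken while the
# subnet was healthy; in CURRENT host .12 has taken over .11's IP with its own
# MAC, so .11 now resolves to a MAC that also answers for .12.
BASELINE = """\
172.31.103.1  dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
172.31.103.11 dev eth0 lladdr aa:bb:cc:dd:ee:11 REACHABLE
172.31.103.12 dev eth0 lladdr aa:bb:cc:dd:ee:12 REACHABLE
172.31.103.13 dev eth0 lladdr aa:bb:cc:dd:ee:13 STALE
"""

CURRENT = """\
172.31.103.1  dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
172.31.103.11 dev eth0 lladdr aa:bb:cc:dd:ee:12 REACHABLE
172.31.103.12 dev eth0 lladdr aa:bb:cc:dd:ee:12 REACHABLE
172.31.103.13 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)"
)


def parse_neigh(text):
    """Return (ip, iface, mac, state) tuples; entries without a link-layer
    address (FAILED, INCOMPLETE) carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip().lower())
        if match:
            entries.append(match.groups())
    return entries


def ip_to_mac(entries):
    return {ip: mac for ip, _iface, mac, _state in entries}


def mac_changes(baseline_text, current_text):
    """IPs whose MAC differs between the snapshots, as (ip, old_mac, new_mac).
    A change here means a different NIC now answers for that IP."""
    old = ip_to_mac(parse_neigh(baseline_text))
    new = ip_to_mac(parse_neigh(current_text))
    return sorted((ip, old[ip], new[ip])
                  for ip in old if ip in new and old[ip] != new[ip])


def shared_macs(text):
    """MACs that answer for more than one IP inside a single snapshot (the
    'both machines get the packets' situation, seen from a neighbour)."""
    owners = defaultdict(set)
    for ip, _iface, mac, _state in parse_neigh(text):
        owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def report(baseline_text, current_text):
    """Human-readable alert lines for both anomaly types."""
    alerts = []
    for ip, old, new in mac_changes(baseline_text, current_text):
        alerts.append(f"ALERT {ip}: MAC changed {old} -> {new} (possible IP takeover)")
    for mac, ips in shared_macs(current_text).items():
        alerts.append(f"ALERT {mac}: claimed by {', '.join(ips)} (duplicate MAC on segment)")
    return alerts


if __name__ == "__main__":
    print("\n".join(report(BASELINE, CURRENT)) or "no anomalies")
```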

Fig. 2. Screen before changing the MAC address

C. Hacking into the System

Scan the hosts for open ports to find out the services that are running. Any tool such as NMAP, Open Map etc. may be used.

1) By using NMAP (NMAP version 4.68): NMAP scans all ports from 1 to 1024 and the ports specified in NMAP. Specify the higher ports using the -p option:

• # nmap -sS -T4 -A 172.31.103.11

The scanner was used in stealth mode so as to avoid detection by intrusion detection software. The versions and details of the services run by the target host could also be detected using the -sV option or the -A option available in NMAP. The other switches of NMAP provide useful information for use as well.

2) By using traceroute: traceroute is used to track the route packets take from an IP network on their way to the destination host.

• # traceroute 172.31.103.11
  traceroute to 172.31.103.11 ([Link]), 30 hops max, 60 byte packets
  ([Link]) 0.527 ms 0.505 ms 0.507 ms
  ([Link]) 0.260 ms 0.238 ms 0.302 ms
  ([Link]) 0.389 ms 0.330 ms 0.267 ms

Prior to connecting to the host to be attacked, PROXYCHAINS (a tool for TCP tunnelling via HTTP/HTTPS and SOCKS4/SOCKS5 proxy servers) is used in Linux to hide the identity of the attacking host:

• # proxychains ssh username@[Link]
D. Elevation of Privilege

This may be performed on both Windows and Linux based machines. A system sequence diagram provides a more generalised view than a typical command-based profile generation. Various manifestations of the commands are available due to the availability of various variants and versions, and there are always changes due to adaptation to different platforms. The Security Account Manager (SAM) file may be generated after a well-defined process, but the attacker's system may or may not gain access, depending upon the strength of the para-password protection system, such as salting.

1) Elevation of privilege on a Windows system:

Fig. 5. Illustration of dictionary and brute force attack on Windows

2) Elevation of privilege on a Linux system: The method used is setuid (setuid and setgid, for setting the user ID upon execution and setting the group ID upon execution). These are UNIX access-right flags that allow users to run an executable with the permissions of the executable's owner or group. The Linux operating system allows users to run software or programs owned by others when there is a temporary elevation of privileges for performing a task for the time being. In other words, users other than the owner are granted permission for authorised access for a limited period of time. When the time period is over, there is no switch of the 'chmod' command of the Linux operating system to revoke the permission of authorised access. Thus, the authorised users become unauthorised users once the time period of authorisation is over. However, the assumed user ID or group ID privileges provided are always very specific and usually set a minimum level of access, and usually it is not elevated temporarily.

The basic idea used is that the /tmp directory in Linux is readable, writable and executable by all users (security vulnerabilities with temporary files arise due to programs' incorrect file permissions or race conditions). If the root user at any time visits the /tmp directory and runs ls, then, as in Linux the default way of binary execution starts by finding the executable in the current directory and then in the /bin folder, the ls stored in /tmp gets executed first. This is a program to set the user-id bit and hence gain root privileges to access the shadow file in /etc.

Shell programming code:

    #!/bin/sh
    # Fake trojan ls
    if chmod 666 /etc/passwd > /dev/null 2>&1; then
        cp /bin/sh /tmp/.sh
        chmod 4755 /tmp/.sh
    fi
    exec ls "$@"
    # end

After getting root privileges, the password file and the shadow file entries were taken down:

    Password file entry: gphahu:x:1[Link] G P Sahu, AP:/file/mail/FACULTY/gpsahu:/bin/sh
    Shadow file entry: gpsahu:RvMm700MPBuQc:1[Link]:::

• Use John the Ripper Ver 1.7.0.2

    # cat ./run/ns
    gpsahu:RvMm700MPBuQc:1[Link]:::
    # ./john -single 3 ns
    Loaded 1 password hash (traditional DES [32/32 BS])
    guesses: 0 time: [Link] 100% c/s: 36900 trying: S9999946 - 99999200

The password was good enough and was not cracked in single crack mode.

Hacking/cracking the password: use John the Ripper Ver [Link] in word list mode or in the incremental brute force mode.

    # ./john --session=gpsns
    # ./john --restore=gpsns;

• The cracked password was printed to the terminal and saved in the file called [Link]
• # cat ./[Link]
• RvMm700MPBuQc:????????

IV. RESULT AND DETAILS OF THE DATA AND TOOLS USED

The following are used as the base configuration to run the system:

• A system running the Windows 7 operating system.
• A system running the Ubuntu Linux operating system.
• The systems are available over the same LAN or subnetwork.
• The access network is up for all the time the experimentation is conducted.
• The tools such as NMAP, John the Ripper etc. are downloaded, installed, tested and put into use in the experimentation.
• The following snapshots actually provide the experimentation result (Figure 7).
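The setuid lure of Section III.D.2 only pays off when the lookup order lets a planted `ls` in a world-writable directory win over /bin/ls,
and it leaves a set-uid file behind in /tmp. The following added example (not the paper's code) is the corresponding host check:
it lists set-uid/set-gid files directly inside temp directories and flags PATH entries that are relative or world-writable; `build_fixture`
constructs a stand-in for /tmp so the check can be exercised without touching the real system.

```python
import os
import shutil
import stat
import tempfile


def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def find_setuid_files(dirs):
    """Set-uid or set-gid regular files lying directly inside the given
    directories; dot-files such as /tmp/.sh are included because listdir
    does not hide them."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)  # lstat: do not follow planted symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def risky_path_entries(path_value):
    """PATH entries that let a planted 'ls' be found before /bin/ls:
    relative entries ('.' or an empty field) and world-writable directories."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", ".") or not entry.startswith("/"):
            risky.append((entry or "(empty)", "relative entry: current directory searched"))
        elif os.path.isdir(entry) and world_writable(entry):
            risky.append((entry, "world-writable directory on PATH"))
    return risky


def audit(dirs, path_value):
    return {"setuid": find_setuid_files(dirs), "path": risky_path_entries(path_value)}


def build_fixture():
    """Constructed stand-in for /tmp: a world-writable sticky directory holding
    a set-uid dot-file (like the /tmp/.sh the lure creates) and a harmless file."""
    root = tempfile.mkdtemp(prefix="tmp-audit-")
    os.chmod(root, 0o1777)
    planted = os.path.join(root, ".sh")
    with open(planted, "w") as fh:
        fh.write("#!/bin/sh\n")  # placeholder content, not a copy of the shell
    os.chmod(planted, 0o4755)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    return root


def demo():
    """Audit the fixture with a PATH that puts '.' first and the fixture dir
    ahead of /bin; returns (set-uid basenames, PATH findings) for checking."""
    root = build_fixture()
    try:
        found = audit([root], os.pathsep.join([".", "/usr/bin", root, "/bin"]))
        return ([os.path.basename(p) for p in found["setuid"]],
                [reason for _entry, reason in found["path"]])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("fixture audit:", demo())
    live = audit(["/tmp", "/var/tmp"], os.environ.get("PATH", ""))
    for p in live["setuid"]:
        print("set-uid file in temp dir:", p)
    for entry, reason in live["path"]:
        print("risky PATH entry:", entry, "-", reason)
```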
Entering into the admin mode is the first taste of success that a practitioner of hacking may have. The commands are used to enter the other system with the resultant MAC spoofing, and the target machine is accessed. Next, monitor mode 1, 2 is enabled using the requisite command, and the target machine in monitor mode is accessed. The original MAC address of the system can be checked and may be compared to that of the target machine. The MAC address can now be changed by using the aforesaid appropriate command, and the changed MAC address can be seen (Figure 7).

Fig. 7. Screenshot after changing the MAC address

The method can be practised by both white hat and black hat hackers. The section also deals with the suggestion of the conditions under which this method is likely to fail. The failure is to indicate that the provision to stop hacking is always possible. There is still a percentage of passwords that cannot get broken under any circumstances. Though it is a very small percentage of passwords that do not get cracked, their study suggested that the password formation policy must adhere to strong password building and that the salting process should be dynamic rather than static. The static salting process becomes ineffective in practice and at times only consumes resources (storage etc.) rather than contributing to the strength of the password.

Section 5 gives the future direction of work in this regard, so that the growth of hacking should be curbed or minimised to some extent. The case against consuming user effort in attempts to resist offline guessing attacks should be taken as a cue to curb the practices as per need.

Vulnerability to attack should be tackled proactively using the practices of an automatic password strength checker, and stopping the use of age-old passwords or passwords that are more than a week old. If files are not protected or locked with a password, then the particular files become vulnerable, and hackers or crackers may lay hands on the data contained in the files. If the compromise of a system password is compared with a file locking system, the vulnerability in terms of damage and loss of privacy is much greater in the case of password cracking of a system.

Considering the age-old saying, a proactive checker of passwords is a need and should be made part of the system design by applying the rules of security engineering. While it may not actually be true that good fences make good neighbours, a good fence at least helps keep out the bad neighbours. A proactive checker is one way to ensure that those fences are in place before a break.

The same thing can be performed in a wireless environment in a similar manner, though it requires changes due to Wi-Fi operating systems.

V. CONCLUSION

The paper discusses the hacking needs of white hat, black hat and grey hat hackers and the various methods adopted by them. A number of hacking tools and corresponding techniques are studied with the purpose of devising a method of hacking in a subnetwork. The methodology of hacking in a subnetwork has been applied to a real-life situation with the help of tools and operating system vulnerabilities of Windows and Ubuntu Linux. The situations where such methods fail to provide a result have been mentioned. These situations may be studied to incorporate the process of password formation into a stop-hacking venture.

VI. FUTURE DIRECTION OF WORK

Password hacking or cracking is not new. Every day crackers are posting cracked passwords on various websites and publishing databases of cracked passwords. In spite of their best efforts, there are a small number of passwords that do not get broken; the formation rules of such passwords will be considered and studied in detail. A strong password formulation policy would be generated to stop the growth of hacking. Such a policy in place will discourage the hacker to a great extent, if not able to cure them of their malpractices.

ACKNOWLEDGMENT

The authors express a deep sense of gratitude to the Cloud Computing Laboratory, Dept. of Computer Science and Engineering, National Institute of Technology, Sikkim, India, where the work has been carried out.

REFERENCES

[1] T. D. Rao, "Exploring the social engineering toolkit (SET) using BackTrack 5R3," International Journal of Engineering Research and Applications, vol. 1, no. 4, pp. 240–244, 2014.
[2] K. Graves, CEH Certified Ethical Hacker Study Guide. John Wiley & Sons, 2010.
[3] R. Barber et al., "Hacking techniques: The tools that hackers use, and how they are evolving to become more sophisticated," Computer Fraud & Security, vol. 2001, no. 3, pp. 9–12, 2001.
[4] H. Moh'd Said Hazem, "A review and comparing of all hacking techniques and domain name system method," Contemporary Engineering Sciences, vol. 5, no. 5, pp. 239–250, 2012.
[5] C. C. Palmer, "Ethical hacking," IBM Systems Journal, vol. 40, no. 3, pp. 769–780, 2001.
[6] G. K. Juneja, "Ethical hacking: A technique to enhance information security," International Journal of Innovative Research in Science, Engineering and Technology, vol. 2, no. 12, pp. 7575–7580, 2013.
[7] R. S. Patel, Kali Linux Social Engineering. Packt Publishing Ltd, 2013.
[8] A. Ahmad, "Type of security threats and its prevention," Int. J. Computer Technology & Applications, ISSN 2229–6093, 2012.
[9] K. B. Chowdappa, S. S. Lakshmi, and P. P. Kumar, "Ethical hacking techniques with penetration testing," International Journal of Computer Science and Information Technologies, vol. 5, no. 3, pp. 3389–3393, 2014.
[10] A. P. Tekade, P. Gurjar, P. R. Ingle, and B. Meshram, "Ethical hacking in Linux environment," International Journal of Engineering Research and Applications (IJERA), ISSN 2248–9622, 2013.
[11] D. Florencio and C. Herley, "A large-scale study of web password habits," in Proceedings of the 16th International Conference on World Wide Web. ACM, 2007, pp. 657–666.
[12] M. Dell'Amico, P. Michiardi, and Y. Roudier, "Password strength: An empirical analysis," in INFOCOM, 2010 Proceedings IEEE. IEEE, 2010, pp. 1–9.
[13] M. Bishop and D. V. Klein, "Improving system security via proactive password checking," Computers & Security, vol. 14, no. 3, pp. 233–249, 1995.
[14] R. Morris and K. Thompson, "Password security: A case history," Communications of the ACM, vol. 22, no. 11, pp. 594–597, 1979.
[15] S. Gaw and E. W. Felten, "Password management strategies for online accounts," in Proceedings of the Second Symposium on Usable Privacy and Security. ACM, 2006, pp. 44–55.
[16] R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin, and L. F. Cranor, "Encountering stronger password requirements: User attitudes and behaviors," in Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010, p. 2.
[17] J. Yan, A. Blackwell, R. Anderson, and A. Grant, "Password memorability and security: Empirical results," IEEE Security & Privacy, vol. 2, no. 5, pp. 25–31, 2004.
[18] A. Juels and R. L. Rivest, "Honeywords: Making password-cracking detectable," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013, pp. 145–160.
[19] S. Marechal, "Advances in password cracking," Journal in Computer Virology, vol. 4, no. 1, pp. 73–81, 2008.
[20] L. S. Clair, L. Johansen, W. Enck, M. Pirretti, P. Traynor, P. McDaniel, and T. Jaeger, "Password exhaustion: Predicting the end of password usefulness," in International Conference on Information Systems Security. Springer, 2006, pp. 37–55.
[21] W. E. Burr, D. F. Dodson, and W. T. Polk, "Electronic Authentication Guideline," NIST Special Publication 800-63-1.
[22] R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G. Salvendy, "Improving computer security for authentication of users: Influence of proactive password restrictions," Behavior Research Methods, vol. 34, no. 2, pp. 163–169, 2002.
[23] M. Weir, S. Aggarwal, M. Collins, and H. Stern, "Testing metrics for password creation policies by attacking large sets of revealed passwords," in Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM, 2010, pp. 162–175.
[24] D. Florêncio, C. Herley, and P. C. Van Oorschot, "An administrator's guide to internet password research," in LISA, 2014, pp. 35–52.
[25] I.-E. Liao, C.-C. Lee, and M.-S. Hwang, "A password authentication scheme over insecure networks," Journal of Computer and System Sciences, vol. 72, no. 4, pp. 727–740, 2006.
[26] K. Bryant and J. Campbell, "User behaviours associated with password security and management," Australasian Journal of Information Systems, vol. 14, no. 1, 2006.
[27] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies, vol. 63, no. 1, pp. 102–127, 2005.
[28] D. V. Klein, "Foiling the cracker: A survey of, and improvements to, password security," in Proceedings of the 2nd USENIX Security Workshop, 1990, pp. 5–14.
[29] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms," in Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012, pp. 523–537.

Mr. Ujjal Kumar Das is an Assistant Professor, Department of Computer Science, Srikrishna College, Bagula, Dist-Nadia, West Bengal, India. He is currently pursuing his PhD on image authentication techniques. His research interests include information security, data structures and algorithms, computer networking etc.

Dr. Shefalika Ghosh Samaddar is an Adjunct Faculty at the Department of Computer Science and Engineering at National Institute of Technology Sikkim, India. She is a passionate researcher in the field of information security, cryptography, digital forensics, intellectual property rights and digital rights management.

Mr. Pankaj Kumar Keserwani is an Assistant Professor, Department of Computer Science and Engineering at National Institute of Technology Sikkim, India. He is pursuing his PhD with active research interest in information security, digital forensics, data mining and cloud computing. He gets his inspiration from the works of pioneers in the field.
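The proactive password checker that Sections IV and V call for, built from the four strategies listed in Section II (length of at least 8, mixed character classes, non-dictionary words, ageing), as an added example that is not the paper's code. WORDLIST is a constructed stand-in for a real dictionary plus the "dictionary of non-dictionary words" the paper mentions, the leetspeak map and suffix stripping undo the "modified reuse" and "indexing" the paper says add no entropy, and the 7-day limit follows the paper's advice against passwords more than a week old.

```python
import string
from datetime import date

# Constructed mini wordlist standing in for a real dictionary plus the
# "dictionary of non-dictionary words" the paper mentions (keyboard walks
# and commonly leaked passwords). A deployment would load a large list.
WORDLIST = {
    "password", "welcome", "secret", "summer", "monkey", "dragon",
    "qwerty", "letmein", "iloveyou", "abc123", "passw0rd",
}

# Cheap substitutions that a cracker's mangling rules undo anyway.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalise(pw):
    """Split a password into the word a cracker would look up and the
    'index' tacked onto it: lower-case, strip a trailing run of digits and
    punctuation (summer2, Password!1), then map leetspeak back to letters."""
    lowered = pw.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return core.translate(LEET), pw[len(core):]


def check_password(pw, set_on=None, today=None, max_age_days=7):
    """Apply the four strategies and return the list of violated rules
    (an empty list means the password passes). set_on and today are ISO
    date strings used by the ageing rule; the 7-day default follows the
    paper's advice against passwords more than a week old."""
    problems = []
    if len(pw) < 8:
        problems.append("length: fewer than 8 characters")
    missing = [name for name, present in (
        ("uppercase", any(c.isupper() for c in pw)),
        ("lowercase", any(c.islower() for c in pw)),
        ("digit", any(c.isdigit() for c in pw)),
        ("special", any(c in string.punctuation for c in pw)),
    ) if not present]
    if missing:
        problems.append("mix: missing " + ", ".join(missing))
    base, suffix = normalise(pw)
    if base in WORDLIST:
        note = f" (only the suffix '{suffix}' was added)" if suffix else ""
        problems.append(f"dictionary: '{base}' is a wordlist entry{note}")
    if set_on is not None:
        now = date.fromisoformat(today) if today else date.today()
        age_days = (now - date.fromisoformat(set_on)).days
        if age_days > max_age_days:
            problems.append(f"ageing: set {age_days} days ago, limit is {max_age_days}")
    return problems


if __name__ == "__main__":
    for candidate, set_on in (("summer", None), ("Passw0rd!1", None),
                              ("Tq7#vLm9pR", "2024-01-01")):
        verdict = check_password(candidate, set_on=set_on, today="2024-01-20")
        print(candidate, "->", verdict or "accepted")
```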
