{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T20:07:17Z","timestamp":1778789237863,"version":"3.51.4"},"reference-count":59,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2021,8,23]],"date-time":"2021-08-23T00:00:00Z","timestamp":1629676800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,8,23]],"date-time":"2021-08-23T00:00:00Z","timestamp":1629676800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","award":["RGPIN-2013-402500"],"award-info":[{"award-number":["RGPIN-2013-402500"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,4]]},"DOI":"10.1007\/s10207-021-00560-9","type":"journal-article","created":{"date-parts":[[2021,8,23]],"date-time":"2021-08-23T14:06:06Z","timestamp":1629727566000},"page":"409-425","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Password guessers under a microscope: an in-depth analysis to inform deployments"],"prefix":"10.1007","volume":"21","author":[{"given":"Zach","family":"Parish","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Connor","family":"Cushing","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shourya","family":"Aggarwal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Amirali","family":"Salehi-Abari","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Julie","family":"Thorpe","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,8,23]]},"reference":[{"key":"560_CR1","volume-title":"Modern Information Retrieval","author":"RA Baeza-Yates","year":"1999","unstructured":"Baeza-Yates, R.A., Ribeiro-Neto, B.: Modern Information Retrieval. Addison-Wesley Longman Publishing Co., Inc, Boston, MA, USA (1999)"},{"key":"560_CR2","doi-asserted-by":"crossref","unstructured":"Berkhin, P.: Survey of clustering data mining techniques. In: Grouping multidimensional data, pp. 25\u201371 (2006)","DOI":"10.1007\/3-540-28349-8_2"},{"issue":"3","key":"560_CR3","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1016\/0167-4048(95)00003-Q","volume":"14","author":"M Bishop","year":"1995","unstructured":"Bishop, M., Klein, D.V.: Improving system security via proactive password checking. Comput. Secur. 14(3), 233\u2013249 (1995)","journal-title":"Comput. Secur."},{"key":"560_CR4","doi-asserted-by":"crossref","unstructured":"Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of the 2012 IEEE symposium on security and privacy (S&P), pp. 538\u2013552 (2012)","DOI":"10.1109\/SP.2012.49"},{"key":"560_CR5","doi-asserted-by":"crossref","unstructured":"Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of the 2012 IEEE symposium on security and privacy (S&P), pp. 553\u2013567 (2012)","DOI":"10.1109\/SP.2012.44"},{"issue":"3","key":"560_CR6","doi-asserted-by":"publisher","first-page":"379","DOI":"10.1080\/0144929X.2010.492876","volume":"30","author":"J Campbell","year":"2011","unstructured":"Campbell, J., Ma, W., Kleeman, D.: Impact of restrictive composition policy on user password choices. Behav. Inf. Technol. 30(3), 379\u2013388 (2011)","journal-title":"Behav. Inf. Technol."},{"key":"560_CR7","unstructured":"Castelluccia, C., D\u00fcrmuth, M., Perito, D.: Adaptive password-strength meters from markov models. In: Proceedings of the 2012 network and distributed system security symposium (NDSS) (2012)"},{"key":"560_CR8","unstructured":"Cubrilovic, N.: Rockyou hack: From bad to worse\u2014techcrunch (2009). https:\/\/techcrunch.com\/2009\/12\/14\/rockyou-hack-security-myspace-facebook-passwords\/"},{"key":"560_CR9","doi-asserted-by":"crossref","unstructured":"Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: Proceedings of the 2014 network and distributed system security symposium (NDSS), pp. 23\u201326 (2014)","DOI":"10.14722\/ndss.2014.23357"},{"key":"560_CR10","unstructured":"Das, S.: 40 million fling.com users\u2019 passwords, sexual preferences stolen $$|$$ hacked: Hacking finance (2016). https:\/\/hacked.com\/40-million-fling-com-users-passwords-sexual-preferences-stolen\/"},{"key":"560_CR11","unstructured":"Databases today: twitter.7z (2019). https:\/\/databases.today\/search-nojs.php"},{"key":"560_CR12","doi-asserted-by":"crossref","unstructured":"de Carn\u00e9 de Carnavalet, X., Mannan, M.: From very weak to very strong: Analyzing password-strength meters. In: Proceedings of the 2014 network and distributed system security symposium (NDSS), pp. 23\u201326 (2014)","DOI":"10.14722\/ndss.2014.23268"},{"key":"560_CR13","doi-asserted-by":"crossref","unstructured":"Dell\u2019Amico, M., Filippone, M.: Monte carlo strength evaluation: fast and reliable password checking. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp. 158\u2013169 (2015)","DOI":"10.1145\/2810103.2813631"},{"key":"560_CR14","unstructured":"Designer, S.: John the ripper password cracker (2002). https:\/\/www.openwall.com\/john\/"},{"key":"560_CR15","volume-title":"Data Mining: Introductory and Advanced Topics","author":"MH Dunham","year":"2002","unstructured":"Dunham, M.H.: Data Mining: Introductory and Advanced Topics. Prentice Hall PTR, Upper Saddle River, NJ, USA (2002)"},{"key":"560_CR16","doi-asserted-by":"crossref","unstructured":"D\u00fcrmuth, M., Angelstorf, F., Castelluccia, C., Perito, D., Chaabane, A.: OMEN: Faster password guessing using an ordered markov enumerator. In: Proceedings of the international symposium on engineering secure software and systems, pp. 119\u2013132 (2015)","DOI":"10.1007\/978-3-319-15618-7_10"},{"key":"560_CR17","doi-asserted-by":"crossref","unstructured":"Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th international conference on World Wide Web (WWW), pp. 657\u2013666 (2007)","DOI":"10.1145\/1242572.1242661"},{"key":"560_CR18","doi-asserted-by":"crossref","unstructured":"Flor\u00eancio, D., Herley, C.: Where do security policies come from? In: Proceedings of the Sixth symposium on usable privacy and security (SOUPS), pp. 10:1\u201310:14 (2010)","DOI":"10.1145\/1837110.1837124"},{"issue":"11","key":"560_CR19","doi-asserted-by":"publisher","first-page":"66","DOI":"10.1145\/2934663","volume":"59","author":"D Flor\u00eancio","year":"2016","unstructured":"Flor\u00eancio, D., Herley, C., Van Oorschot, P.C.: Pushing on string: The don\u2018t care region of password strength. Commun. ACM 59(11), 66\u201374 (2016)","journal-title":"Commun. ACM"},{"key":"560_CR20","unstructured":"Fox-Brewster, T.: 13 million passwords appear to have leaked from this free web host (2017). https:\/\/www.forbes.com\/sites\/thomasbrewster\/2015\/10\/28\/000webhost-database-leak\/"},{"key":"560_CR21","volume-title":"Information Retrieval: Data Structures and Algorithms","year":"1992","unstructured":"Frakes, W.B., Baeza-Yates, R. (eds.): Information Retrieval: Data Structures and Algorithms. Prentice-Hall Inc, Upper Saddle River, NJ, USA (1992)"},{"issue":"12","key":"560_CR22","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1016\/S1361-3723(11)70123-3","volume":"2011","author":"S Furnell","year":"2011","unstructured":"Furnell, S.: Assessing password guidance and enforcement on leading websites. Comput. Fraud Secur. 2011(12), 10\u201318 (2011)","journal-title":"Comput. Fraud Secur."},{"key":"560_CR23","doi-asserted-by":"crossref","unstructured":"Golla, M., D\u00fcrmuth, M.: On the accuracy of password strength meters. In: Proceedings of ACM CCS, pp. 1567\u20131582 (2018)","DOI":"10.1145\/3243734.3243769"},{"key":"560_CR24","unstructured":"Goodin, D.: 6.6 million plaintext passwords exposed as site gets hacked to the bone (2016). https:\/\/arstechnica.com\/information-technology\/2016\/09\/plaintext-passwords-and-wealth-of-other-data-for-6-6-million-people-go-public\/"},{"key":"560_CR25","unstructured":"Hackett, R.: Linkedin lost 167 million account credentials in data breach (2016). http:\/\/fortune.com\/2016\/05\/18\/linkedin-data-breach-email-password\/"},{"key":"560_CR26","doi-asserted-by":"crossref","unstructured":"Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: Passgan: A deep learning approach for password guessing. In: Applied Cryptography and Network Security, pp. 217\u2013237. Springer International Publishing (2019)","DOI":"10.1007\/978-3-030-21568-2_11"},{"issue":"8","key":"560_CR27","doi-asserted-by":"publisher","first-page":"1776","DOI":"10.1109\/TIFS.2015.2428671","volume":"10","author":"S Houshmand","year":"2015","unstructured":"Houshmand, S., Aggarwal, S., Flood, R.: Next gen pcfg password cracking. IEEE Trans. Inf. Foren. Secur. 10(8), 1776\u20131791 (2015)","journal-title":"IEEE Trans. Inf. Foren. Secur."},{"key":"560_CR28","doi-asserted-by":"crossref","unstructured":"Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies. In: Proceedings of the 2010 conference on human factors in computing systems (CHI), pp. 383\u2013392 (2010)","DOI":"10.1145\/1753326.1753384"},{"key":"560_CR29","doi-asserted-by":"crossref","unstructured":"Jakobsson, M., Dhiman, M.: The benefits of understanding passwords. In: Mobile Authentication, pp. 5\u201324. Springer (2013)","DOI":"10.1007\/978-1-4614-4878-5_2"},{"key":"560_CR30","doi-asserted-by":"crossref","unstructured":"Ji, S., Yang, S., Das, A., Hu, X., Beyah, R.: Password correlation: Quantification, evaluation and application. In: Proceedings of the IEEE conference on computer communications, pp. 1\u20139 (2017)","DOI":"10.1109\/INFOCOM.2017.8057067"},{"issue":"5","key":"560_CR31","doi-asserted-by":"publisher","first-page":"550","DOI":"10.1109\/TDSC.2015.2481884","volume":"14","author":"S Ji","year":"2017","unstructured":"Ji, S., Yang, S., Hu, X., Han, W., Li, Z., Beyah, R.: Zero-sum password cracking game: a large-scale empirical study on the crackability, correlation, and security of passwords. IEEE Trans. Dependable Secure Comput. 14(5), 550\u2013564 (2017)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"560_CR32","doi-asserted-by":"crossref","unstructured":"Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Julio, L.: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In: Proceedings of the 2012 IEEE symposium on security and privacy (S&P), pp. 523\u2013537 (2012)","DOI":"10.1109\/SP.2012.38"},{"key":"560_CR33","doi-asserted-by":"crossref","unstructured":"Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S.: Of passwords and people: Measuring the effect of password-composition policies. In: Proceedings of the 2011 conference on human factors in computing systems (CHI), pp. 2595\u20132604 (2011)","DOI":"10.1145\/1978942.1979321"},{"key":"560_CR34","doi-asserted-by":"crossref","unstructured":"Malone, D., Maher, K.: Investigating the distribution of password choices. In: Proceedings of the 21st international conference on World Wide Web (WWW), pp. 301\u2013310 (2012)","DOI":"10.1145\/2187836.2187878"},{"key":"560_CR35","doi-asserted-by":"crossref","unstructured":"Mazurek, M.L., Komanduri, S., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Kelley, P.G., Shay, R., Ur, B.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security (CCS), pp. 173\u2013186 (2013)","DOI":"10.1145\/2508859.2516726"},{"key":"560_CR36","unstructured":"Melicher, W.: The neural network password meter (2019). https:\/\/github.com\/cupslab\/neural_network_cracking"},{"key":"560_CR37","unstructured":"Melicher, W., Ur, B., Segreti, S.M., Komanduri, S., Bauer, L., Christin, N., Cranor, L.F.: Fast, lean, and accurate: Modeling password guessability using neural networks. In: Proceedings of the 25th USENIX security symposium, pp. 175\u2013191 (2016)"},{"key":"560_CR38","doi-asserted-by":"crossref","unstructured":"Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 2005 ACM SIGSAC conference on computer and communications security (CCS), pp. 364\u2013372 (2005)","DOI":"10.1145\/1102120.1102168"},{"key":"560_CR39","doi-asserted-by":"crossref","unstructured":"Pal, B., Daniel, T., Chatterjee, R., Ristenpart, T.: Beyond credential stuffing: Password similarity models using neural networks. In: IEEE Symposium on security and privacy, pp. 417\u2013434 (2019)","DOI":"10.1109\/SP.2019.00056"},{"key":"560_CR40","unstructured":"Peslyak, A.: John the ripper community build (1.9.0-bleeding-jumbo) (2019). https:\/\/github.com\/magnumripper\/JohnTheRipper"},{"key":"560_CR41","unstructured":"Ruhr University Bochum, RUB-SysSec: OMEN: Ordered markov enumerator (2019). https:\/\/github.com\/RUB-SysSec\/OMEN"},{"key":"560_CR42","unstructured":"Russon, M.A.: Mate1.com hack: 27 million account passwords and emails have been leaked and sold on dark web (2016). https:\/\/www.ibtimes.co.uk\/mate1-com-hack-27-million-account-passwords-emails-have-been-leaked-sold-dark-web-1547166"},{"issue":"2","key":"560_CR43","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1057\/ivs.2010.12","volume":"10","author":"D Schweitzer","year":"2011","unstructured":"Schweitzer, D., Boleng, J., Hughes, C., Murphy, L.: Visualizing keyboard pattern passwords. Inf. Vis. 10(2), 127\u2013133 (2011)","journal-title":"Inf. Vis."},{"issue":"4","key":"560_CR44","first-page":"35","volume":"24","author":"A Singhal","year":"2001","unstructured":"Singhal, A.: Modern information retrieval: a brief overview. Bull. IEEE Comput. Soc. Tech. Committee Data Eng. 24(4), 35\u201343 (2001)","journal-title":"Bull. IEEE Comput. Soc. Tech. Committee Data Eng."},{"key":"560_CR45","unstructured":"Summers, W.C., Bosworth, E.: Password policy: The good, the bad, and the ugly. In: Proceedings of the winter international synposium on information and communication technologies, pp. 1\u20136 (2004)"},{"key":"560_CR46","doi-asserted-by":"crossref","unstructured":"Thomas, K., Moscicki, A., Margolis, D., Paxson, V., Bursztein, E., Li, F., Zand, A., Barrett, J., Ranieri, J., Invernizzi, L., Markov, Y., Comanescu, O., Eranti, V.: Data breaches, phishing, or malware?: Understanding the risks of stolen credentials. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security (CCS), pp. 1421\u20131434 (2017)","DOI":"10.1145\/3133956.3134067"},{"key":"560_CR47","doi-asserted-by":"crossref","unstructured":"Ur, B., Habib, H., Johnson, N., Melicher, W., Alfieri, F., Aung, M., Bauer, L., Christin, N., Colnago, J., Cranor, L.F., Dixon, H., Emami Naeini, P.: Design and evaluation of a data-driven password meter. In: Proceedings of the 2017 conference on human factors in computing systems (CHI), pp. 3775\u20133786 (2017)","DOI":"10.1145\/3025453.3026050"},{"key":"560_CR48","unstructured":"Ur, B., Kelley, P.G., Komanduri, S., Lee, J., Maass, M., Mazurek, M.L., Passaro, T., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F.: How does your password measure up? the effect of strength meters on password creation. In: Proceedings of the 21st USENIX Security Symposium, pp. 65\u201380 (2012)"},{"key":"560_CR49","unstructured":"Ur, B., Segreti, S.M., Bauer, L., Christin, N., Cranor, L.F., Komanduri, S., Kurilova, D., Mazurek, M.L., Melicher, W., Shay, R.: Measuring real-world accuracies and biases in modeling password guessability. In: Proceedings of the 24th USENIX security symposium, pp. 463\u2013481 (2015)"},{"key":"560_CR50","unstructured":"Veras, R.: Semantic password guesser (lite) (2019). https:\/\/github.com\/vialab\/semantic-guesser\/tree\/lite"},{"key":"560_CR51","doi-asserted-by":"crossref","unstructured":"Veras, R., Collins, C., Thorpe, J.: On the semantic patterns of passwords and their security impact. In: Proceedings 2014 Network and distributed system security symposium (NDSS), pp. 23\u201326 (2014)","DOI":"10.14722\/ndss.2014.23103"},{"key":"560_CR52","doi-asserted-by":"crossref","unstructured":"Veras, R., Thorpe, J., Collins, C.: Visualizing semantics in passwords: the role of dates. In: Proceedings of the ninth international symposium on visualization for cyber security, pp. 88\u201395 (2012)","DOI":"10.1145\/2379690.2379702"},{"key":"560_CR53","doi-asserted-by":"crossref","unstructured":"Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: An underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on computer and communications security (CCS), pp. 1242\u20131254 (2016)","DOI":"10.1145\/2976749.2978339"},{"key":"560_CR54","unstructured":"Wei, M., Golla, M.: The password doesn\u2019t fall far: How service influences password choice. In: Proceedings of the 2018 Who Are You?! Adventures in authentication workshop (2018)"},{"key":"560_CR55","unstructured":"Weir, C.M.: Pretty cool fuzzy guesser (4.0) (2019). https:\/\/github.com\/lakiw\/pcfg_cracker"},{"key":"560_CR56","doi-asserted-by":"crossref","unstructured":"Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 2010 ACM SIGSAC conference on computer and communications security (CCS), pp. 162\u2013175 (2010)","DOI":"10.1145\/1866307.1866327"},{"key":"560_CR57","doi-asserted-by":"crossref","unstructured":"Weir, M., Aggarwal, S., De Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings of the 2009 IEEE symposium on security and privacy (S&P), pp. 391\u2013405 (2009)","DOI":"10.1109\/SP.2009.8"},{"key":"560_CR58","unstructured":"Wheeler, D.L.: zxcvbn: Low-budget password strength estimation. In: Proceedings of the 25th USENIX security symposium, pp. 157\u2013173 (2016)"},{"key":"560_CR59","unstructured":"Zhou, H., Liu, Q., Zhang, F.: Poster: An analysis of targeted password guessing using neural networks. In: Proceedings of the 2017 IEEE Symposium on security and privacy (S&P) (2017)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00560-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-021-00560-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00560-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,3,21]],"date-time":"2022-03-21T08:08:01Z","timestamp":1647850081000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-021-00560-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,23]]},"references-count":59,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2022,4]]}},"alternative-id":["560"],"URL":"https:\/\/doi.org\/10.1007\/s10207-021-00560-9","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,8,23]]},"assertion":[{"value":"23 August 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no conflicts of interest to declare that are relevant to the content of this article.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any studies with human participants or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}