{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T05:12:57Z","timestamp":1755839577096,"version":"3.37.3"},"reference-count":66,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179431","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"606-625","source":"Crossref","is-referenced-by-count":3,"title":["Towards a Rigorous Statistical Analysis of Empirical Password Datasets"],"prefix":"10.1109","author":[{"given":"Jeremiah","family":"Blocki","sequence":"first","affiliation":[{"name":"Purdue University"}]},{"given":"Peiyuan","family":"Liu","sequence":"additional","affiliation":[{"name":"Purdue University"}]}],"member":"263","reference":[{"key":"ref1","first-page":"175","article-title":"Fast, lean, and accurate: Modeling password guessability using neural networks","volume-title":"USENIX Security 2016","author":"Melicher","year":"2016"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.8"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23103"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102168"},{"key":"ref5","article-title":"Adaptive password-strength meters from Markov models","volume-title":"NDSS 2012","author":"Castelluccia","year":"2012"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.50"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-15618-7_10"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00070"},{"key":"ref9","article-title":"John the ripper"},{"key":"ref10","article-title":"Hashcat"},{"key":"ref11","first-page":"463","article-title":"Measuring real-world accuracies and biases in modeling password guessability","volume-title":"USENIX Security 2015","author":"Ur","year":"2015"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.53"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134000"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00009"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23328"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.49"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2016.33"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-64331-0_20"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3125643"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2721359"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813631"},{"article-title":"Password hashing competition","year":"2015","author":"A","key":"ref23"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.31"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134031"},{"article-title":"Stronger key derivation via sequential memory-hard functions","year":"2009","author":"Percival","key":"ref26"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/2482540.2482552"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/359168.359172"},{"key":"ref29","article-title":"Bcrypt algorithm","author":"Provos","year":"1999","journal-title":"USENIX"},{"key":"ref30","doi-asserted-by":"crossref","DOI":"10.17487\/rfc2898","article-title":"Pkcs# 5: Password-based cryptography specification version 2.0","author":"Kaliski","year":"2000"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516671"},{"key":"ref32","first-page":"1556","article-title":"Protecting accounts from credential stuffing with password breach alerting","volume-title":"USENIX Security 2019","author":"Thomas","year":"2019"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354229"},{"key":"ref34","first-page":"547","article-title":"The pythia PRF service","author":"Everspaugh","year":"2015","journal-title":"USENIX Security 2015"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180427"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2010-0412"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/1837110.1837113"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1080\/0144929X.2010.492876"},{"key":"ref39","first-page":"2595","article-title":"Of passwords and people: measuring the effect of password-composition policies","volume-title":"CHI, 2011, Conference Proceedings","author":"Komanduri"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/322796.322806"},{"key":"ref41","first-page":"591","article-title":"Telepathwords: Preventing weak passwords by reading users minds","author":"Komanduri","year":"2014","journal-title":"USENIX Security 2014"},{"key":"ref42","first-page":"607","article-title":"Towards reliable storage of 56-bit secrets in human memory","author":"Bonneau","year":"2014","journal-title":"USENIX Security 2014"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.81"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978346"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-42045-0_19"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23094"},{"key":"ref47","first-page":"102068","article-title":"Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage","volume-title":"Computers & Security","volume":"100","author":"Harsha","year":"2021"},{"article-title":"Dalock: Distribution aware password throttling","year":"2020","author":"Blocki","key":"ref48"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00048"},{"article-title":"Information signaling: A counter-intuitive defenseagainst password cracking","year":"2020","author":"Bai","key":"ref50"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781107359949.008"},{"key":"ref52","article-title":"Towards a rigorous statistical analysis of empirical password datasets","volume-title":"CoRR","volume":"abs\/2105.14170","author":"Blocki","year":"2021"},{"article-title":"Linkedin revisited \u2013 full 2012 hash dump analysis","year":"2016","author":"Redman","key":"ref53"},{"key":"ref54","article-title":"Modeling the adversary to evaluate password strength with limited samples","volume-title":"Ph.D. dissertation","author":"Komanduri","year":"2016"},{"article-title":"Gurobi optimizer reference manual","volume-title":"L. Gurobi Optimization","year":"2021","key":"ref55"},{"key":"ref56","article-title":"Nist sp800-63b: Digital authentication guideline","volume-title":"Technical report","author":"Grassi","year":"2016"},{"article-title":"Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks","volume-title":"5th USENIX Workshop on Hot Topics in Security (HotSec 10)","author":"Schechter","key":"ref57"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/2187836.2187878"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45744-4_6"},{"article-title":"Rockyou hack: From bad to worse","year":"2009","author":"Cubrilovic","key":"ref60"},{"article-title":"Chinese internet suffers the most serious user data leak in history","year":"2011","author":"Yang","key":"ref61"},{"article-title":"13 million plaintext passwords belonging to webhost users leaked online","year":"2015","author":"Goodin","key":"ref62"},{"article-title":"Another day, another hack: Tens of millions of neopets accounts","year":"2016","author":"Cox","key":"ref63"},{"article-title":"Lulzsec over, release battlefield heroes data","year":"2011","author":"Walker","key":"ref64"},{"article-title":"Nearly 800,000 brazzers porn site accounts exposed in forum hack","year":"2016","author":"Cox","key":"ref65"},{"article-title":"6.6 million plaintext passwords exposed as site gets hacked to the bone","year":"2016","author":"Goodin","key":"ref66"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","start":{"date-parts":[[2023,5,21]]},"location":"San Francisco, CA, USA","end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179431.pdf?arnumber=10179431","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:17:41Z","timestamp":1721452661000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179431\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":66,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179431","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}