{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T02:19:55Z","timestamp":1773800395205,"version":"3.50.1"},"reference-count":23,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2021,4,20]],"date-time":"2021-04-20T00:00:00Z","timestamp":1618876800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001804","name":"Canada Research Chairs Program","doi-asserted-by":"crossref","award":["950-232001"],"award-info":[{"award-number":["950-232001"]}],"id":[{"id":"10.13039\/501100001804","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"crossref","award":["RGPIN-2015-03916, RGPIN-2019-005803"],"award-info":[{"award-number":["RGPIN-2015-03916, RGPIN-2019-005803"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2021,8,31]]},"abstract":"<jats:p>\n            In this article, we present a thorough evaluation of semantic password grammars. We report multifactorial experiments that test the impact of sample size, probability smoothing, and linguistic information on password cracking. The semantic grammars are compared with state-of-the-art\n            <jats:bold>probabilistic context-free grammar<\/jats:bold>\n            (\n            <jats:bold>PCFG<\/jats:bold>\n            ) and neural network models, and tested in cross-validation and\n            <jats:italic>A vs. B<\/jats:italic>\n            scenarios. We present results that reveal the contributions of part-of-speech (syntactic) and semantic patterns, and suggest that the former are more consequential to the security of passwords. Our results show that in many cases PCFGs are still competitive models compared to their latest neural network counterparts. In addition, we show that there is little performance gain in training PCFGs with more than 1 million passwords. We present qualitative analyses of four password leaks (Mate1, 000webhost, Comcast, and RockYou) based on trained semantic grammars, and derive graphical models that capture high-level dependencies between token classes. Finally, we confirm the similarity inferences from our qualitative analysis by examining the effectiveness of grammars trained and tested on all pairs of leaks.\n          <\/jats:p>","DOI":"10.1145\/3448608","type":"journal-article","created":{"date-parts":[[2021,4,20]],"date-time":"2021-04-20T10:09:39Z","timestamp":1618913379000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":23,"title":["A Large-Scale Analysis of the Semantic Password Model and Linguistic Patterns in Passwords"],"prefix":"10.1145","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2253-1956","authenticated-orcid":false,"given":"Rafael","family":"Veras","sequence":"first","affiliation":[{"name":"Ontario Tech University, Oshawa, Ontario, Canada"}]},{"given":"Christopher","family":"Collins","sequence":"additional","affiliation":[{"name":"Ontario Tech University, Oshawa, Ontario, Canada"}]},{"given":"Julie","family":"Thorpe","sequence":"additional","affiliation":[{"name":"Ontario Tech University, Ontario, Canada"}]}],"member":"320","published-online":{"date-parts":[[2021,4,20]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Retrieved","year":"2019","unstructured":"[n.d.]. Hashes. org\u2014Shared Community Password Recovery . Retrieved September 28, 2019 from https:\/\/hashes.org. [n.d.]. Hashes.org\u2014Shared Community Password Recovery. Retrieved September 28, 2019 from https:\/\/hashes.org."},{"key":"e_1_2_1_2_1","volume-title":"LeakedSource Analysis of Mate1.com Hack. Retrieved","year":"2018","unstructured":"[n.d.]. LeakedSource Analysis of Mate1.com Hack. Retrieved May 1, 2018 from https:\/\/leakedsource.ru\/blog\/mate1. [n.d.]. LeakedSource Analysis of Mate1.com Hack. Retrieved May 1, 2018 from https:\/\/leakedsource.ru\/blog\/mate1."},{"key":"e_1_2_1_3_1","volume-title":"Retrieved Septembet 28, 2019","year":"2016","unstructured":"[n.d.]. LinkedIn Revisited\u2014Full 2012 Hash Dump Analysis . Retrieved Septembet 28, 2019 from https:\/\/blog.korelogic.com\/blog\/ 2016 \/05\/19\/linkedin_passwords_2016. [n.d.]. LinkedIn Revisited\u2014Full 2012 Hash Dump Analysis. Retrieved Septembet 28, 2019 from https:\/\/blog.korelogic.com\/blog\/2016\/05\/19\/linkedin_passwords_2016."},{"key":"e_1_2_1_4_1","volume-title":"Public Database Directory\u2014Public DB Host. Retrieved","year":"2018","unstructured":"[n.d.]. Public Database Directory\u2014Public DB Host. Retrieved May 1, 2018 from https:\/\/www.databases.today\/. [n.d.]. Public Database Directory\u2014Public DB Host. Retrieved May 1, 2018 from https:\/\/www.databases.today\/."},{"key":"e_1_2_1_5_1","volume-title":"Retreived September28, 2018","year":"2018","unstructured":"[n.d.]. StackOverflow\u2014Developer Survey Results 2018 . Retreived September28, 2018 from https:\/\/insights.stackoverflow.com\/survey\/ 2018 #demographics. [n.d.]. StackOverflow\u2014Developer Survey Results 2018. Retreived September28, 2018 from https:\/\/insights.stackoverflow.com\/survey\/2018#demographics."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1006\/csla.1999.0128"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813631"},{"key":"e_1_2_1_8_1","volume-title":"Using Corpora for Language Research: Studies in the Honour of Geoffrey Leech","author":"Garside Roger","unstructured":"Roger Garside . 1996. The robust tagging of unrestricted text: The BNC experience . In Using Corpora for Language Research: Studies in the Honour of Geoffrey Leech , J. Thomas and M. Short (Eds.). Longman Publishing Group , 167. Roger Garside. 1996. The robust tagging of unrestricted text: The BNC experience. In Using Corpora for Language Research: Studies in the Honour of Geoffrey Leech, J. Thomas and M. Short (Eds.). Longman Publishing Group, 167."},{"key":"e_1_2_1_9_1","volume-title":"PassGAN: A deep learning approach for password guessing","author":"Hitaj Briland","unstructured":"Briland Hitaj , Paolo Gasti , Giuseppe Ateniese , and Fernando Perez-Cruz . 2019. PassGAN: A deep learning approach for password guessing . In Applied Cryptography and Network Security, Robert H. Deng, Val\u00e9rie Gauthier-Uma\u00f1a, Mart\u00edn Ochoa, and Moti Yung (Eds.). Springer International Publishing , Cham , 217--237. Briland Hitaj, Paolo Gasti, Giuseppe Ateniese, and Fernando Perez-Cruz. 2019. PassGAN: A deep learning approach for password guessing. In Applied Cryptography and Network Security, Robert H. Deng, Val\u00e9rie Gauthier-Uma\u00f1a, Mart\u00edn Ochoa, and Moti Yung (Eds.). Springer International Publishing, Cham, 217--237."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2428671"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818018"},{"key":"e_1_2_1_13_1","first-page":"2","article-title":"Generalizing case frames using a thesaurus and the MDL principle","volume":"24","author":"Li Hang","year":"1998","unstructured":"Hang Li and Naoki Abe . 1998 . Generalizing case frames using a thesaurus and the MDL principle . Comput. Linguist. 24 , 2 (June 1998), 217--244. Hang Li and Naoki Abe. 1998. Generalizing case frames using a thesaurus and the MDL principle. Comput. Linguist. 24, 2 (June 1998), 217--244.","journal-title":"Comput. Linguist."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.50"},{"key":"e_1_2_1_15_1","volume-title":"Manning and Hinrich Sch\u00fctze","author":"Christopher","year":"1999","unstructured":"Christopher D. Manning and Hinrich Sch\u00fctze . 1999 . Foundations of Statistical Natural Language Processing. MIT Press . Christopher D. Manning and Hinrich Sch\u00fctze. 1999. Foundations of Statistical Natural Language Processing. MIT Press."},{"key":"e_1_2_1_16_1","volume-title":"Proc. 25th USENIX Security Symposium. USENIX Association, 175--191","author":"Melicher William","year":"2016","unstructured":"William Melicher , Blase Ur , Sean M. Segreti , Saranga Komanduri , Lujo Bauer , Nicolas Christin , and Lorrie Faith Cranor . 2016 . Fast, lean, and accurate: Modeling password guessability using neural networks . In Proc. 25th USENIX Security Symposium. USENIX Association, 175--191 . William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2016. Fast, lean, and accurate: Modeling password guessability using neural networks. In Proc. 25th USENIX Security Symposium. USENIX Association, 175--191."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/219717.219748"},{"key":"e_1_2_1_18_1","volume-title":"Natural language corpus data","author":"Norvig Peter","unstructured":"Peter Norvig . 2009. Natural language corpus data . In Beautiful Data, Toby Segaran and Jeff Hammerbacher (Eds.). O\u2019Reilly Media , Chapter 14, 219--242. Peter Norvig. 2009. Natural language corpus data. In Beautiful Data, Toby Segaran and Jeff Hammerbacher (Eds.). O\u2019Reilly Media, Chapter 14, 219--242."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1214\/aos\/1176346150"},{"key":"e_1_2_1_20_1","volume-title":"Proc. 24th USENIX Security Symposium. USENIX Association, 463--481","author":"Ur Blase","year":"2015","unstructured":"Blase Ur , Sean M. Segreti , Lujo Bauer , Nicolas Christin , Lorrie Faith Cranor , Saranga Komanduri , Darya Kurilova , Michelle L. Mazurek , William Melicher , and Richard Shay . 2015 . Measuring real-world accuracies and biases in modeling password guessability . In Proc. 24th USENIX Security Symposium. USENIX Association, 463--481 . Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, and Richard Shay. 2015. Measuring real-world accuracies and biases in modeling password guessability. In Proc. 24th USENIX Security Symposium. USENIX Association, 463--481."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23103"},{"key":"e_1_2_1_22_1","volume-title":"Proc. of Who Are You?! Adventures in Authentication Workshop (WAY).","author":"Wei Miranda","year":"2018","unstructured":"Miranda Wei , Maximilian Golla , and Blase Ur . 2018 . The password doesn\u2019t fall far: How service influences password choice . In Proc. of Who Are You?! Adventures in Authentication Workshop (WAY). Miranda Wei, Maximilian Golla, and Blase Ur. 2018. The password doesn\u2019t fall far: How service influences password choice. In Proc. of Who Are You?! Adventures in Authentication Workshop (WAY)."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.8"},{"key":"e_1_2_1_24_1","volume-title":"An alternative method for understanding user-chosen passwords. Security and Communication Networks","author":"Zheng Zhixiong","year":"2018","unstructured":"Zhixiong Zheng , Haibo Cheng , Zijian Zhang , Yiming Zhao , and Ping Wang . 2018. An alternative method for understanding user-chosen passwords. Security and Communication Networks 2018 , Article ID 6160125 (2018), 1--12. DOI:https:\/\/doi.org\/10.1155\/2018\/6160125 Zhixiong Zheng, Haibo Cheng, Zijian Zhang, Yiming Zhao, and Ping Wang. 2018. An alternative method for understanding user-chosen passwords. Security and Communication Networks 2018, Article ID 6160125 (2018), 1--12. DOI:https:\/\/doi.org\/10.1155\/2018\/6160125"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3448608","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3448608","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:47:43Z","timestamp":1750193263000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3448608"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,4,20]]},"references-count":23,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,8,31]]}},"alternative-id":["10.1145\/3448608"],"URL":"https:\/\/doi.org\/10.1145\/3448608","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,4,20]]},"assertion":[{"value":"2019-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-04-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}