{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T02:48:27Z","timestamp":1760237307614,"version":"build-2065373602"},"reference-count":28,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2020,3,26]],"date-time":"2020-03-26T00:00:00Z","timestamp":1585180800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002081","name":"Irish Research Council","doi-asserted-by":"publisher","award":["ircb7bc9e0d48070607513b7e12db385ac4"],"award-info":[{"award-number":["ircb7bc9e0d48070607513b7e12db385ac4"]}],"id":[{"id":"10.13039\/501100002081","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001633","name":"National University of Ireland, Maynooth","doi-asserted-by":"publisher","award":["John and Pat Hume Scholarship"],"award-info":[{"award-number":["John and Pat Hume Scholarship"]}],"id":[{"id":"10.13039\/501100001633","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100008530","name":"European Regional Development Fund","doi-asserted-by":"publisher","award":["13\/RC\/2077"],"award-info":[{"award-number":["13\/RC\/2077"]}],"id":[{"id":"10.13039\/501100008530","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Password guessing is one of the most common methods an attacker will use for compromising end users. We often hear that passwords belonging to website users have been leaked and revealed to the public. These leaks compromise the users involved but also feed the wealth of knowledge attackers have about users\u2019 passwords. The more informed attackers are about password creation, the better their password guessing becomes. In this paper, we demonstrate using proofs of convergence and real-world password data that the vulnerability of users increases as a result of password leaks. We show that a leak that reveals the passwords of just 1% of the users provides an attacker with enough information to potentially have a success rate of over 84% when trying to compromise other users of the same website. For researchers, it is often difficult to quantify the effectiveness of guessing strategies, particularly when guessing different datasets. We construct a model of password guessing that can be used to offer visual comparisons and formulate theorems corresponding to guessing success.<\/jats:p>","DOI":"10.3390\/e22040378","type":"journal-article","created":{"date-parts":[[2020,3,27]],"date-time":"2020-03-27T09:04:38Z","timestamp":1585299878000},"page":"378","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Convergence of Password Guessing to Optimal Success Rates"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5349-4011","authenticated-orcid":false,"given":"Hazel","family":"Murray","sequence":"first","affiliation":[{"name":"Department of Mathematics and Statistics and the Hamilton Institute, Maynooth University, R51 A021 Co. Kildare, Ireland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6947-586X","authenticated-orcid":false,"given":"David","family":"Malone","sequence":"additional","affiliation":[{"name":"Department of Mathematics and Statistics and the Hamilton Institute, Maynooth University, R51 A021 Co. Kildare, Ireland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,3,26]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Murray, H., and Malone, D. (2018, January 28\u201330). Exploring the Impact of Password Dataset Distribution on Guessing. Proceedings of the 16th Annual Conference on Privacy, Security and Trust (PST), Belfast, UK.","DOI":"10.1109\/PST.2018.8514194"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Grassi, P.A., Garcia, M.E., and Fenton, J.L. (2017). SP-800-63 Digital Identity Guidelines. NIST, 800, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-63\/3\/final.","DOI":"10.6028\/NIST.SP.800-63-3"},{"key":"ref_3","unstructured":"Henriquez, M. (2020, March 20). The Top 12 Data Breaches of 2019. Available online: https:\/\/www.securitymagazine.com\/articles\/91366-the-top-12-data-breaches-of-2019."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Oechslin, P. (2003, January 17\u201321). Making a Faster Cryptanalytic Time-Memory Trade-Off. Proceedings of the Annual International Cryptology Conference (CRYPTO 2003), Santa Barbara, CA, USA.","DOI":"10.1007\/978-3-540-45146-4_36"},{"key":"ref_5","unstructured":"Flor\u00eancio, D., Herley, C., and Van Oorschot, P.C. (2014, January 9\u201314). An Administrator\u2019s Guide to Internet Password Research. Proceedings of the 28th USENIX Conference on Large Installation System Administration (LISA\u201914), Seattle, WA, USA."},{"key":"ref_6","unstructured":"Melicher, W., Ur, B., Segreti, S.M., Komanduri, S., Bauer, L., Christin, N., and Cranor, L.F. (2016, January 10\u201312). Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"D\u00fcrmuth, M., Angelstorf, F., Castelluccia, C., Perito, D., and Chaabane, A. (2015, January 4\u20136). OMEN: Faster Password Guessing Using an Ordered Markov Enumerator. Proceedings of the International Symposium on Engineering Secure Software and Systems, Milan, Italy.","DOI":"10.1007\/978-3-319-15618-7_10"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Hitaj, B., Gasti, P., Ateniese, G., and Perez-Cruz, F. (2019, January 5\u20137). Passgan: A Deep Learning Approach for Password Guessing. Proceedings of the International Conference on Applied Cryptography and Network Security, Bogota, Colombia.","DOI":"10.1007\/978-3-030-21568-2_11"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Weir, M., Aggarwal, S., De Medeiros, B., and Glodek, B. (2009, January 17\u201320). Password Cracking Using Probabilistic Context-Free Grammars. Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, Oakland, CA, USA.","DOI":"10.1109\/SP.2009.8"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"D\u00fcrmuth, M., and Kranz, T. (2014, January 8\u201310). On Password Guessing With GPUs and FPGAs. Proceedings of the International Conference on Passwords, Trondheim, Norway.","DOI":"10.1007\/978-3-319-24192-0_2"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Wang, D., Zhang, Z., Wang, P., Yan, J., and Huang, X. (2016, January 24\u201328). Targeted Online Password Guessing: An Underestimated Threat. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.","DOI":"10.1145\/2976749.2978339"},{"key":"ref_12","unstructured":"Ur, B., Segreti, S.M., Bauer, L., Christin, N., Cranor, L.F., Komanduri, S., Kurilova, D., Mazurek, M.L., Melicher, W., and Shay, R. (2015, January 12\u201314). Measuring Real-World Accuracies and Biases in Modeling Password Guessability. Proceedings of the 24th USENIX Security Symposium (USENIX Security 15), Austin, TX, USA."},{"key":"ref_13","unstructured":"Li, Z., Han, W., and Xu, W. (2014, January 20\u201322). A Large-Scale Empirical Analysis of Chinese Web Passwords. Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USA."},{"key":"ref_14","unstructured":"Wei, M., Golla, M., and Ur, B. (2020, March 24). The Password Doesn\u2019t Fall Far: How Service Influences Password Choice. Available online: https:\/\/www.blaseur.com\/papers\/way2018-wei.pdf."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Malone, D., and Maher, K. (2012, January 16\u201320). Investigating the Distribution of Password Choices. Proceedings of the 21st International Conference on World Wide Web, Lyon, France.","DOI":"10.1145\/2187836.2187878"},{"key":"ref_16","unstructured":"Castelluccia, C., Chaabane, A., D\u00fcrmuth, M., and Perito, D. (2013). When Privacy Meets Security: Leveraging Personal Information For Password Cracking. arXiv."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Wang, D., and Wang, P. (2016). On the Implications of Zipf\u2019S Law in Passwords. European Symposium on Research in Computer Security, Springer.","DOI":"10.1007\/978-3-319-45744-4_6"},{"key":"ref_18","unstructured":"Bonneau, J. (2012). Guessing Human-Chosen Secrets. [Ph.D. Thesis, University of Cambridge]."},{"key":"ref_19","unstructured":"Massey, J.L. (July, January 27). Guessing and Entropy. Proceedings of the 1994 IEEE International Symposium on Information Theory, Trondheim, Norway."},{"key":"ref_20","unstructured":"Dixon, P. (2020, March 22). PASTEBIN. Available online: https:\/\/www.pastebin.com."},{"key":"ref_21","unstructured":"Beaumont, C. (2020, March 22). Microsoft Hotmail Leak Blamed on Phishing Attack. Available online: https:\/\/www.telegraph.co.uk\/technology\/microsoft\/6264539\/Microsoft-Hotmail-leak-blamed-on-phishing-attack.html."},{"key":"ref_22","unstructured":"R\u00fctten, V.C. (2019, December 04). Passwortdaten Von Flirtlife.de Kompromittiert. Available online: https:\/\/www.heise.de\/security\/meldung\/Passwortdaten-von-Flirtlife-de-kompromittiert-126608.html."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Golla, M., and D\u00fcrmuth, M. (2018, January 15\u201319). On the Accuracy of Password Strength Meters. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243769"},{"key":"ref_24","unstructured":"(2020, March 22). Targeted Bruteforcing\u2014Mining Patterns in Passwords to Make Bruteforcing Easy. Available online: https:\/\/www.reddit.com\/r\/netsec\/comments\/5asjeu\/targeted_bruteforcing_mining_patterns_in\/."},{"key":"ref_25","unstructured":"Openwall (2020, January 08). John the Ripper Password Cracker. Available online: https:\/\/www.openwall.com\/john\/doc\/."},{"key":"ref_26","unstructured":"Commission, D.P. (2020, March 22). Guidance for Controllers on Data Security. Available online: https:\/\/www.dataprotection.ie\/sites\/default\/files\/uploads\/2020-02\/Data%20Security%20Guidance_Feb20.pdf."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Thomas, D.R., Pastrana, S., Hutchings, A., Clayton, R., and Beresford, A.R. (2017, January 1\u20133). Ethical Issues in Research Using Datasets of Illicit Origin. Proceedings of the 2017 Internet Measurement Conference, London, UK.","DOI":"10.1145\/3131365.3131389"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Fahl, S., Harbach, M., Acar, Y., and Smith, M. (2013, January 24\u201326). On the ecological validity of a password study. Proceedings of the Ninth Symposium on Usable Privacy and Security, Newcastle, UK.","DOI":"10.1145\/2501604.2501617"}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/22\/4\/378\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T09:11:59Z","timestamp":1760173919000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/22\/4\/378"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3,26]]},"references-count":28,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2020,4]]}},"alternative-id":["e22040378"],"URL":"https:\/\/doi.org\/10.3390\/e22040378","relation":{},"ISSN":["1099-4300"],"issn-type":[{"type":"electronic","value":"1099-4300"}],"subject":[],"published":{"date-parts":[[2020,3,26]]}}}