International journal of


EISSN: 2313-3724, Print ISSN:2313-626X

Frequency: 12

line decor
line decor

 Volume 5, Issue 11 (November 2018), Pages: 51-60


 Original Research Paper

 Title: Analysis of passwords: Towards understanding of strengths and weaknesses

 Author(s): Waleed Albattah *


 Information Technology Department, College of Computer, Qassim University, Saudi Arabia

 Full Text - PDF          XML


In this paper, we analyze the passwords’ strength from real-world data; perform an in-depth analysis, and extract useful information related to the millions of usernames and passwords being utilized. This useful information thus represents the millions of minds and the individual behaviors in online and offline passwords based information systems. From the twelve million usernames and passwords, we investigate density, numbers in usernames and passwords, special characters, and strength analysis of the usernames and passwords. To the best of our knowledge, this work is unique based on the selected parameters and the amount of processed data. With the extensive analysis, we seek the weak link in the username and password paradigm. With density analysis, it can be deduced that users like to have (or by chance use) similar character usernames and passwords. From the digits analysis in passwords, it is found that users like to use the first few digits (1, 2, and 3) and the last digits (8, 9, and 0). With the special character analysis, we found that “_” is the most widely used character. With the strength analysis, we determined that it is better to use non-popular English vocabulary words and the inclusion of the special characters, lower, upper and digits are in between different words. Also, if a word can be converted to other languages and used as a password, it will be extremely robust. Most users use their username partly or fully as passwords. This opens doors for hackers. The extensive experimentation and results in the appropriate sections provide useful contributions. 

 © 2018 The Authors. Published by IASE.

 This is an open access article under the CC BY-NC-ND license (

 Keywords: Password strength, Password analysis, Security, Password prediction

 Article History: Received 14 May 2018, Received in revised form 25 August 2018, Accepted 10 September 2018

 Digital Object Identifier:


 Albattah W (2018). Analysis of passwords: Towards understanding of strengths and weaknesses. International Journal of Advanced and Applied Sciences, 5(11): 51-60

 Permanent Link:


 References (33) 

  1. Adams A, Sasse MA, and Lunt P (1997). Making passwords secure and usable. In: Thimbleby H, O'Connaill B, and Thomas PJ (Eds.), People and computers XII: 1-19. Springer, London, UK.   [Google Scholar]
  1. Anderson JP and Vaughn R (1991). A guide to understanding identification and authentication in trusted systems. No. NCSC-TG-017. National Computer Security Center Fort George G Meade Md. Available online at:   [Google Scholar]
  1. Bellare M, Pointcheval D, and Rogaway P (2000). Authenticated key exchange secure against dictionary attacks. In the International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, Germany: 139-155.   [Google Scholar]
  1. Bellovin SM and Merritt M (1992). Encrypted key exchange: Password-based protocols secure against dictionary attacks. In the IEEE Computer Society Symposium on Research in Security and Privacy, IEEE, Oakland, USA: 72-84.   [Google Scholar]
  1. Burnett M (2015). Today I am releasing ten million passwords. Available online at:   [Google Scholar]
  1. Conklin A, Dietrich G, and Walz D (2004). Password-based authentication: A system perspective. In the 37th Annual Hawaii International Conference on System Sciences, IEEE, Big Island, USA: 1-10.   [Google Scholar]
  1. Egelman S, Sotirakopoulos A, Muslukhov I, Beznosov K, and Herley C (2013). Does my password go up to eleven?: the impact of password meters on password selection. In the SIGCHI Conference on Human Factors in Computing Systems, ACM, Paris, France: 2379-2388.   [Google Scholar]
  1. Eichin MW and Rochlis JA (1989). With microscope and tweezers: An analysis of the internet virus of November 1988. In the IEEE Symposium on Security and Privacy, IEEE, Oakland, USA: 326-343.   [Google Scholar]
  1. Fagin R, Naor M, and Winkler P (1996). Comparing information without leaking it. Communications of the ACM, 39(5): 77-85.   [Google Scholar]
  1. Farash MS and Attari MA (2014). An efficient client–client password-based authentication scheme with provable security. The Journal of Supercomputing, 70(2): 1002-1022.   [Google Scholar]
  1. Furnell SM, Dowland PS, Illingworth HM, and Reynolds PL (2000). Authentication and supervision: A survey of user attitudes. Computers and Security, 19(6): 529-539.   [Google Scholar]
  1. Gong L, Lomas MA, Needham RM, and Saltzer JH (1993). Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5): 648-656.   [Google Scholar]
  1. Granville V (2012). Password and hijacked email dataset for you to test your data science skills - Data science central. Available online at:   [Google Scholar]
  1. Halevi S and Krawczyk H (1999). Public-key cryptography and password protocols. ACM Transactions on Information and System Security, 2(3): 230-268.   [Google Scholar]
  1. Hauser R, Janson P, Tsudik G, Van Herreweghen E, and Molva R (1996). Robust and secure password and key change method. Journal of Computer Security, 4(1): 97-111.   [Google Scholar]
  1. Herley C and Van Oorschot P (2012). A research agenda acknowledging the persistence of passwords. IEEE Security and Privacy, 10(1): 28-36.   [Google Scholar]
  1. Jablon DP (1996). Strong password-only authenticated key exchange. ACM SIGCOMM Computer Communication Review, 26(5): 5-26.   [Google Scholar]
  1. Ji S, Yang S, Wang T, Liu C, Lee WH, and Beyah R (2015). Pars: A uniform and open-source password analysis and research system. In the 31st Annual Computer Security Applications Conference, ACM, Los Angeles, USA: 321-330.   [Google Scholar]
  1. Jobusch DL and Oldehoeft AE (1989). A survey of password mechanisms: Weaknesses and potential improvements. Part 1. Computers and Security, 8(7): 587-604.   [Google Scholar]
  1. Kaspersky (2017). Password strength checking we use words to save the world. Available online at:   [Google Scholar]
  1. Khan RU and Albattah W (2017). Security and safety concerns: Username and password paradigm. International Journal of Computer Science and Network Security, 17(10): 145-152.   [Google Scholar]
  1. Lampson B, Abadi M, Burrows M, and Wobber E (1992). Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems (TOCS), 10(4): 265-310.   [Google Scholar]
  1. Manber U (1996). A simple scheme to make passwords based on one-way functions much harder to crack. Computers and Security, 15(2): 171-176.   [Google Scholar]
  1. Mattord HJ, Levy Y, and Furnell S (2013). Factors of password-based authentication. International Journal of Computer Science and Network Security, 17(10): 145-152.   [Google Scholar]
  1. Menkus B (1988). Special feature: Understanding the use of passwords. Computers and Security, 7(2): 132-136.   [Google Scholar]
  1. Navarro G (2001). A guided tour to approximate string matching. ACM Computing Surveys, 33(1): 31-88.   [Google Scholar]
  1. Parker DB (1992). Restating the foundation of information security. In the 8th International Conference on Information Security: IT Security: The Need for International Cooperation, North-Holland Publishing Co., Amsterdam, Netherlands: 139-151.   [Google Scholar]
  1. Purdy GB (1974). A high security log-in procedure. Communications of the ACM, 17(8): 442-445.   [Google Scholar]
  1. Riddle BL, Miron MS, and Semo JA (1989). Passwords in use in a university timesharing environment. Computers and Security, 8(7): 569-579.   [Google Scholar]
  1. Spafford EH (1992). OPUS: Preventing weak password choices. Computers and Security, 11(3): 273-278.   [Google Scholar]
  1. Stoll C (2005). The cuckoo's egg: tracking a spy through the maze of computer espionage. Simon and Schuster, New York, USA.   [Google Scholar]
  1. Uellenbeck S, Dürmuth M, Wolf C, and Holz T (2013). Quantifying the security of graphical passwords: the case of android unlock patterns. In the 2013 ACM SIGSAC Conference on Computer and Communications Security, ACM, Berlin, Germany: 161-172.   [Google Scholar]
  1. Zhao Z, Dong Z, and Wang Y (2006). Security analysis of a password-based authentication protocol proposed to IEEE 1363. Theoretical Computer Science, 352(1-3): 280-287.   [Google Scholar]