Understanding Passwords of Chinese Users: Characteristics, Security and Implications
Date: 2015
Publication:
Source 1: http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/chinesepassfull15.pdf
Abstract or Summary:
While a lot has changed in computer security over the last twenty years, textual passwords remain the dominant mechanism of authentication over computer systems and are likely to persist in the foreseeable future. Though much attention has been paid to passwords chosen by English users, relatively little is known about passwords selected by non-English users, especially by those who use hieroglyphic characters as their native languages. In this work, we initiate a systematic investigation into the password characteristics of Chinese users, the largest Internet population, and for the first time uncover several striking findings on the basis of a corpus of 100 million real-life Chinese web passwords (as well as 30 million English web passwords), the largest corpus of user-generated passwords ever studied. We further conduct a series of experiments on these datasets by employing two state-of-the-art password cracking (including PCFG-based and Markov-Chain-based) techniques and remarkably, our results reveal a "reversal principle": When the guess number allowed is small, Chinese web passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This implies that at somewhere these two groups will be of similar security strength, which well reconciles two obviously conflicting claims about the strength of Chinese web passwords made by Bonneau in IEEE S&P'12 and Li et al. in USENIX SEC'14, respectively. At one million guesses, the success rate of our improved PCFG-based attack (using Duowan as the training set) against the remaining five Chinese datasets is from 33.2% to 49.8%, which means that our improved attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We believe our results are of practical value to world-wide system administrators and Chinese individual users to secure their accounts. 