System Password Security: Attack and Defense Mechanisms
Chaofang Shi, Zhongwen Li, Xiaoqi Li
TL;DR
The paper addresses password security by analyzing common attack vectors (brute-force, dictionary, and rainbow table attacks) and evaluating defenses such as salting, slow hashing, multi-factor authentication (MFA), and risk-adaptive authentication. It pairs this analysis with an empirical evaluation that runs John the Ripper and Hashcat against MD5, SHA-256, and bcrypt hashes to quantify cracking effectiveness and the impact of each defense, identifying salted bcrypt with an adequate cost factor as the robust option. It also surveys advanced defenses, including honeywords, client-side key derivation, and biometric password replacement, and discusses their practical trade-offs. Overall, the work shows that fast hashes such as MD5 and SHA-256 are vulnerable without additional protective measures, whereas bcrypt provides strong resistance within a layered defense, and it underscores the need for unique, uncorrelated passphrases and user education for effective password security.
Abstract
System passwords serve as critical credentials for user authentication and access control when logging into operating systems or applications. Upon entering a valid password, a user passes verification and may access system resources and execute the corresponding operations. In recent years, frequent password cracking attacks targeting system passwords have posed a severe threat to information system security. To address this challenge, in-depth research into password cracking methods and defensive technologies is of significant importance. This paper conducts systematic research on system password security, analyzing typical password cracking methods such as brute force attacks, dictionary attacks, and rainbow table attacks, and evaluating the effectiveness of existing defensive measures. The experimental section uses the common password cracking tools John the Ripper and Hashcat to simulate brute force and dictionary attacks. Five test datasets, each hashed with Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 256-bit (SHA-256), and bcrypt, are analyzed. By comparing how different hash algorithms and password complexity policies hold up against these attacks, the effectiveness of defensive measures such as salting and slow hashing algorithms is validated. Building on this foundation, the paper further evaluates widely adopted defense mechanisms, including account lockout policies, multi-factor authentication, and risk-adaptive authentication. By integrating the experimental data with recent research findings, it analyzes the strengths and limitations of each approach and proposes feasible improvements and optimization strategies.
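The comparison at the heart of the abstract (an unsalted fast hash, a salted fast hash, and a salted slow hash, each under the same dictionary attack) can be made concrete in a few lines. The following is an added example and not code from the paper or its experiments: the wordlist and user records are constructed, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt's cost factor because bcrypt is not available without a third-party package. It counts the hash computations the attacker needs, which is the quantity a cracker's throughput is measured against.

```python
import hashlib
import secrets

# Constructed wordlist and user records for illustration (not data from the paper).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024!", "Tr0ub4dor&3"]
USERS = {"alice": "password", "bob": "qwerty", "carol": "Summer2024!", "dave": "x7#Qv!p2Lm"}

# Stand-in for bcrypt's cost parameter: iterations of PBKDF2 (assumed value, not the paper's).
PBKDF2_ITERATIONS = 50_000


def md5_unsalted(password: str) -> str:
    """Fast, unsalted hash: every user with the same password stores the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Fast hash with a per-user salt: defeats shared precomputation, not per-guess speed."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow KDF (PBKDF2 used here as a stand-in for bcrypt with a cost factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_user_db(scheme: str) -> dict:
    """Store each user as (salt, digest); the salt is empty for the unsalted scheme."""
    db = {}
    for user, pw in USERS.items():
        if scheme == "md5":
            db[user] = (b"", md5_unsalted(pw))
        else:
            salt = secrets.token_bytes(16)
            digest = sha256_salted(pw, salt) if scheme == "sha256_salted" else slow_salted(pw, salt)
            db[user] = (salt, digest)
    return db


def attack(db: dict, scheme: str):
    """Dictionary attack on a stored database; returns (cracked users, hash computations done)."""
    cracked, hashes = {}, 0
    if scheme == "md5":
        # Unsalted: hash the wordlist once, then look every stored digest up in the table.
        # This shared precomputation is exactly what rainbow tables exploit.
        table = {}
        for word in WORDLIST:
            table[md5_unsalted(word)] = word
            hashes += 1
        for user, (_, digest) in db.items():
            if digest in table:
                cracked[user] = table[digest]
        return cracked, hashes
    # Salted: no table can be shared, so each user costs a fresh pass over the wordlist.
    hfunc = sha256_salted if scheme == "sha256_salted" else slow_salted
    for user, (salt, digest) in db.items():
        for word in WORDLIST:
            hashes += 1
            if hfunc(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, hashes


def attacker_work(scheme: str):
    """Return (cracked, hash computations, relative work = computations x per-hash cost)."""
    cracked, n = attack(build_user_db(scheme), scheme)
    per_hash_cost = PBKDF2_ITERATIONS if scheme == "slow" else 1
    return cracked, n, n * per_hash_cost


if __name__ == "__main__":
    for scheme in ("md5", "sha256_salted", "slow"):
        cracked, n, work = attacker_work(scheme)
        print(f"{scheme:14s} cracked={sorted(cracked)} hashes={n} relative_work={work}")
```

Three things are visible in the output. Salting alone does not save a weak password: the same three users fall under every scheme, because the attacker still only has to guess the word. What salting buys is the loss of the shared table (six hashes for the whole database under MD5 versus one pass per user once salted). The slow hash then multiplies every one of those guesses by the cost factor, which is why the abstract groups salting and slow hashing together as one layered defense rather than as alternatives.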
