WO2020206909A1 - Method and apparatus for calculating password strength, and computer-readable storage medium - Google Patents

Publication number
WO2020206909A1
WO2020206909A1 PCT/CN2019/102812 CN2019102812W WO2020206909A1 WO 2020206909 A1 WO2020206909 A1 WO 2020206909A1 CN 2019102812 W CN2019102812 W CN 2019102812W WO 2020206909 A1 WO2020206909 A1 WO 2020206909A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
passwords
virtual
real
leakage
Prior art date
Application number
PCT/CN2019/102812
Other languages
French (fr)
Chinese (zh)
Inventor
徐凌智
王健宗
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2020206909A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33 Querying
    • G06F16/3331 Query processing
    • G06F16/334 Query execution
    • G06F16/3346 Query execution using probabilistic model
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Definitions

  • This application relates to the field of security technology, and in particular to a method, device and computer-readable storage medium for calculating password strength.
  • Passwords are one of the most important security authentication methods in current Internet applications, and the strength of a password determines the security of user accounts and systems. Since weak passwords are easy to recover from encrypted files, a common way to prompt users to choose a stronger password is to introduce a password strength meter (Strength Meter).
  • At present, the factors influencing the password strength value are divided into positive (bonus) items and negative (deduction) items.
  • The bonus items include length, numbers, uppercase and lowercase letters, special symbols, etc., and each factor is assigned a different weight.
  • The deduction items include whether the password is purely numeric, whether it is purely alphabetic, whether it contains repeated symbols, etc., and each of these factors is also assigned a different weight. Finally, the scores of the two kinds of factors are simply added and subtracted to obtain the strength value of the password; the larger the value, the higher the strength.
  • However, the method of this type of evaluation tool is very simple and has few parameters, and a password rated "strong" only by simple rules on its characters cannot resist dictionary attacks.
  • This application provides a password strength calculation method, device, and computer-readable storage medium, the main purpose of which is to present accurate calculation results to the user when the user is performing the password strength calculation.
  • the password strength calculation method provided by this application includes:
  • the password strength value of the password to be analyzed input by the user is calculated.
  • the present application also provides a password strength calculation device, which includes a memory and a processor, and a password strength calculation program that can be run on the processor is stored in the memory. The following steps are implemented when the calculation program is executed by the processor:
  • the password strength value of the password to be analyzed input by the user is calculated.
  • The present application also provides a computer-readable storage medium having a password strength calculation program stored on it, and the password strength calculation program can be executed by one or more processors to achieve the steps of the password strength calculation method described above.
  • With the password strength calculation method, device and computer-readable storage medium proposed in this application, when a user evaluates the strength of a password, the leakage parameters of the password to be analyzed are calculated according to the preset first leakage parameter analysis model, and the password strength calculation model is used to calculate the strength of the user's password to be analyzed, so that accurate calculation results can be presented to the user.
  • FIG. 1 is a schematic flowchart of a password strength calculation method provided by an embodiment of this application.
  • FIG. 2 is a schematic diagram of the internal structure of a password strength calculation device provided by an embodiment of the application.
  • FIG. 3 is a schematic diagram of modules of a password strength calculation program in a password strength calculation device provided by an embodiment of the application.
  • FIG. 4 is a schematic diagram of the generation process of the second leakage parameter analysis model in the password strength calculation method provided by an embodiment of the application.
  • This application provides a method for calculating password strength.
  • Referring to FIG. 1, a schematic flowchart of a password strength calculation method provided by an embodiment of this application is shown.
  • the method can be executed by a device, and the device can be implemented by software and/or hardware.
  • the password strength calculation method includes:
  • The password, also referred to as a plaintext password, refers to text or a string that is not encrypted and that ordinary people can understand; it is a cryptographic term. Generally speaking, a plaintext password is a meaningful set of characters or bits, or a message that can be obtained through some public coding standard.
  • the password usually includes Arabic numerals of different lengths, uppercase and lowercase letters, special symbol sets, etc.
  • the real password includes letters, numbers and/or symbols
  • the virtual password includes pure letters, pure letters or pure symbols.
  • the leakage parameter is described by taking the leakage probability as an example, and the preset first leakage parameter analysis model is a Markov model.
  • The Markov model assumes that the characters in a password are related to one another, so that knowing the first few characters of a password generally makes it possible to predict the next character. This application can therefore use an n-gram Markov model to estimate the probability of the nth character in the password from the prefix string of length n-1.
  • The preferred embodiment of the present application constructs an n-gram database using the collected real passwords leaked from the network and the preset types of virtual passwords.
  • This application selects one password S from the n-gram database. Assuming that the password S consists of the character sequence $\{W_1, W_2, \ldots, W_m\}$, the probability of the nth character given that the first n-1 characters of the password S have appeared can be expressed as:
  • $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ refers to the probability of $W_m$ appearing when the character string $W_{m-i+1}, \ldots, W_{m-1}$ appears.
  • the maximum likelihood estimation is used to obtain the leakage probability of the password S, and the leakage probability of the password S can be expressed as:
  • the leakage probability of each real password and virtual password can be calculated.
  • The preferred embodiment of the application analyzes the structure of the real passwords leaked from the network, and obtains the structure $L_m D_n S_i$ of the real password and the virtual password by counting the number of letters, numbers and/or symbols they contain, where L represents a letter, D represents a number, S represents a symbol, and m, n, and i are natural numbers representing the number of letters, numbers, and symbols, respectively, in the real password and the virtual password.
  • The passwords Abc1234 ⁇ , qwe456&, etc. can be expressed as a password structure of $L_3D_4S_1$ (that is, 3 letters, 4 numbers, and 1 symbol).
  • The probabilities of all the real passwords with the same password structure are averaged to obtain the probability corresponding to that password structure.
  • The leakage probability of the password structure $L_3D_4S_1$ is 0.3, and the leakage probability of the password structure $D_6$ is 0.7.
  • the average operation may adopt a weighted average algorithm.
  • the virtual passwords described in this application only contain letters, Arabic numerals or special symbols. Therefore, the probability corresponding to the password structure of each virtual password can be obtained by using the Markov model described above. For example, in a virtual password composed of 6 pure numbers, the leakage probability of the password 123456 is 0.8, and the leakage probability of the password 111111 is 0.2.
  • the leakage parameter is explained by taking the leakage probability as an example.
  • The preferred embodiment of the application forms the second leakage parameter analysis model from the probability corresponding to each password structure obtained from the real passwords and the leakage probability corresponding to the password structure obtained from each virtual password.
  • In detail, this application generates a basic probability table BT based on the structure of each real password and the corresponding leakage probability, generates a segment probability table ST based on the structure of each virtual password and the corresponding leakage probability, and uses the following formula to form the second leakage parameter analysis model:
  • The value of $P(S')$ is taken from the basic probability table BT, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment probability table ST.
  • the leakage probability can be obtained as:
  • a batch of passwords is randomly generated, and the leakage parameters of the randomly generated batch of passwords are calculated by using the second leakage parameter analysis model.
  • the leakage parameters described in the preferred embodiment of the application illustrate the application by taking the leakage probability as an example.
  • A batch of passwords is randomly generated, and it is assumed that each randomly generated password consists of N characters, where $S_i$ represents the i-th character and $Q_i$ represents the occurrence probability of that character.
  • A password containing N characters $S_1, S_2, \ldots, S_N$ is randomly selected. It constitutes a complete password S as follows:
  • a preferred embodiment of the present application analyzes the structure of the randomly generated password, and calculates the leakage probability of each password in the batch of randomly generated passwords through the above-mentioned second leakage parameter analysis model.
  • the leakage parameter is described by taking the leakage probability as an example, and the preset password strength calculation model may be the Monte Carlo method.
  • the Monte Carlo method is also called random sampling method, which is a calculation method based on statistical theory and probability.
  • The main idea of the Monte Carlo method is to use random numbers on the computer to represent the probability parameters of the system components, simulate the actual operation of the system on a Monte Carlo simulator, observe it for a period of time, and give an approximate value of the solution, whose precision is expressed by the standard deviation of the estimated value. Since the number of samples used by the Monte Carlo method has nothing to do with the scale of the system, there is no rapid growth relationship between the number of system states and the number of system components.
  • the formula of the preset password strength calculation model is as follows:
  • is the password to be evaluated
  • is a batch of randomly generated passwords
  • n is the number of randomly generated passwords
  • p(.) is the estimated probability of the password
  • C ⁇ is the estimated number of guesses, which can be regarded as the password Strength value.
  • The above set of random password leakage probabilities and the leakage probability of the user password to be evaluated are input into the password strength calculation model, and the number of guesses for the user password to be evaluated is calculated. The more guesses, the stronger the password; the fewer guesses, the weaker the password.
  • This application also provides a password strength calculation device.
  • Referring to FIG. 2, a schematic diagram of the internal structure of a password strength calculation device provided by an embodiment of this application is shown.
  • the password strength calculation device 1 may be a PC (Personal Computer, personal computer), or a terminal device such as a smart phone, a tablet computer, or a portable computer, or a server.
  • the password strength calculation device 1 at least includes a memory 11, a processor 12, a communication bus 13, and a network interface 14.
  • the memory 11 includes at least one type of readable storage medium, and the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, etc.
  • the memory 11 may be an internal storage unit of the password strength calculation device 1 in some embodiments, such as a hard disk of the password strength calculation device 1.
  • The memory 11 may also be an external storage device of the password strength calculation device 1, for example, a plug-in hard disk equipped on the password strength calculation device 1, a smart media card (SMC), a Secure Digital (SD) card, a flash card (Flash Card), etc.
  • the memory 11 may also include both an internal storage unit of the password strength calculation device 1 and an external storage device.
  • the memory 11 can be used not only to store application software and various data installed in the password strength calculation device 1, such as the code of the password strength calculation program 01, etc., but also to temporarily store data that has been output or will be output.
  • The processor 12 may be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip in some embodiments, and is used to run the program code stored in the memory 11 or to process data, for example to execute the password strength calculation program 01.
  • the communication bus 13 is used to realize the connection and communication between these components.
  • the network interface 14 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface), and is usually used to establish a communication connection between the device 1 and other electronic devices.
  • the device 1 may also include a user interface.
  • the user interface may include a display (Display) and an input unit such as a keyboard (Keyboard).
  • the optional user interface may also include a standard wired interface and a wireless interface.
  • the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode, organic light emitting diode) touch device, etc.
  • the display can also be appropriately called a display screen or a display unit, which is used to display the information processed in the password strength calculation device 1 and to display a visualized user interface.
  • Figure 2 only shows the password strength calculation device 1 with components 11-14 and the password strength calculation program 01.
  • The structure shown in Figure 1 does not constitute a limitation on the password strength calculation device 1, which may include fewer or more components than shown, a combination of some components, or a different component arrangement.
  • the password strength calculation program 01 is stored in the memory 11; when the processor 12 executes the password strength calculation program 01 stored in the memory 11, the following steps are implemented:
  • Step 1: Collect real passwords leaked from the network and preset types of virtual passwords, and calculate the leakage parameters of the real passwords and virtual passwords through a preset first leakage parameter analysis model.
  • The password, also called a plaintext password, refers to text or a string that is not encrypted and that ordinary people can understand; it is a cryptographic term. Generally speaking, a plaintext password can be simply considered as a meaningful set of characters or bits, or a message that can be obtained through some public coding standard.
  • the password usually includes Arabic numerals of different lengths, uppercase and lowercase letters, special symbol sets, etc.
  • the real password includes letters, numbers and/or symbols
  • the virtual password includes pure letters, pure letters or pure symbols.
  • the leakage parameter is described by taking the leakage probability as an example, and the preset first leakage parameter analysis model is a Markov model.
  • The Markov model assumes that the characters in a password are related to one another, so that knowing the first few characters of a password generally makes it possible to predict the next character. This application can therefore use an n-gram Markov model to estimate the probability of the nth character in the password from the prefix string of length n-1.
  • The preferred embodiment of the present application constructs an n-gram database using the collected real passwords leaked from the network and the preset types of virtual passwords.
  • This application selects one password S from the n-gram database. Assuming that the password S consists of the character sequence $\{W_1, W_2, \ldots, W_m\}$, the probability of the nth character given that the first n-1 characters of the password S have appeared can be expressed as:
  • $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ refers to the probability of $W_m$ appearing when the character string $W_{m-i+1}, \ldots, W_{m-1}$ appears.
  • the maximum likelihood estimation is used to obtain the leakage probability of the password S, and the leakage probability of the password S can be expressed as:
  • the leakage probability of each real password and virtual password can be calculated.
  • Step 2: Analyze the structure of the real password and the virtual password, and construct a second leakage parameter analysis model based on the structure of the real password and the virtual password and the calculated leakage parameters.
  • The preferred embodiment of the present application analyzes the structure of the real passwords leaked from the network, and obtains the structure $L_m D_n S_i$ of the real password and the virtual password by counting the number of letters, numbers and/or symbols they contain, where L represents a letter, D represents a number, S represents a symbol, and m, n, and i are natural numbers representing the number of letters, numbers, and symbols, respectively, in the real password and the virtual password.
  • The passwords Abc1234 ⁇ , qwe456&, etc. can be expressed as a password structure of $L_3D_4S_1$ (that is, 3 letters, 4 numbers, and 1 symbol).
  • The probabilities of all the real passwords with the same password structure are averaged to obtain the probability corresponding to that password structure.
  • The leakage probability of the password structure $L_3D_4S_1$ is 0.3, and the leakage probability of the password structure $D_6$ is 0.7.
  • the average operation may adopt a weighted average algorithm.
  • the virtual passwords described in this application only contain letters, Arabic numerals or special symbols. Therefore, the probability corresponding to the password structure of each virtual password can be obtained by using the Markov model described above. For example, in a virtual password composed of 6 pure numbers, the leakage probability of the password 123456 is 0.8, and the leakage probability of the password 111111 is 0.2.
  • the leakage parameter is explained by taking the leakage probability as an example.
  • The preferred embodiment of the application forms the second leakage parameter analysis model from the probability corresponding to each password structure obtained from the real passwords and the leakage probability corresponding to the password structure obtained from each virtual password.
  • In detail, this application generates a basic probability table BT based on the structure of each real password and the corresponding leakage probability, generates a segment probability table ST based on the structure of each virtual password and the corresponding leakage probability, and uses the following formula to form the second leakage parameter analysis model:
  • The value of $P(S')$ is taken from the basic probability table BT, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment probability table ST.
  • the leakage probability can be obtained as:
  • Step 3: Generate a batch of passwords randomly, and use the second leakage parameter analysis model to calculate the leakage parameters of the randomly generated batch of passwords.
  • The leakage parameters described in the preferred embodiment of the application illustrate the application by taking the leakage probability as an example.
  • A batch of passwords is randomly generated, and it is assumed that each randomly generated password consists of N characters, where $S_i$ represents the i-th character and $Q_i$ represents the occurrence probability of that character.
  • A password containing N characters $S_1, S_2, \ldots, S_N$ is randomly selected. It constitutes a complete password S as follows:
  • a preferred embodiment of the present application analyzes the structure of the randomly generated password, and calculates the leakage probability of each password in the batch of randomly generated passwords through the above-mentioned second leakage parameter analysis model.
  • Step 4: Using a preset password strength calculation model and the leakage parameters of the batch of randomly generated passwords, the password strength value of the password to be analyzed input by the user is calculated.
  • the leakage parameter is described by taking the leakage probability as an example, and the preset password strength calculation model may be the Monte Carlo method.
  • the Monte Carlo method is also called random sampling method, which is a calculation method based on statistical theory and probability.
  • The main idea of the Monte Carlo method is to use random numbers on the computer to represent the probability parameters of the system components, simulate the actual operation of the system on a Monte Carlo simulator, observe it for a period of time, and give an approximate value of the solution, whose precision is expressed by the standard deviation of the estimated value. Since the number of samples used by the Monte Carlo method has nothing to do with the scale of the system, there is no relationship between the number of system states and the number of system components.
  • the formula of the preset password strength calculation model is as follows:
  • is the password to be evaluated
  • is a batch of randomly generated passwords
  • n is the number of randomly generated passwords
  • p(.) is the estimated probability of the password
  • C ⁇ is the estimated number of guesses, which can be regarded as the password Strength value.
  • The above set of random password leakage probabilities and the leakage probability of the user password to be evaluated are input into the password strength calculation model, and the number of guesses for the user password to be evaluated is calculated. The more guesses, the stronger the password; the fewer guesses, the weaker the password.
  • The password strength calculation program can also be divided into one or more modules, which are stored in the memory 11 and executed by one or more processors (in this embodiment, the processor 12) to complete the application.
  • the module referred to in the application refers to a series of computer program instruction segments capable of completing specific functions, and is used to describe the execution process of the password strength calculation program in the password strength calculation device.
  • FIG. 3 is a schematic diagram of the program modules of the password strength calculation program in an embodiment of the password strength calculation device of this application.
  • The password strength calculation program can be divided into a password acquisition module 10, a structure analysis module 20, a password preset module 30, and a strength evaluation module 40. Illustratively:
  • The password acquisition module 10 is used to collect real passwords leaked from the network and preset types of virtual passwords, and to estimate and calculate the leakage probability parameters of the real passwords and virtual passwords through the preset first leakage parameter probability analysis model, wherein the real password includes letters, numbers and/or symbols, and the virtual password includes pure letters, pure letters or pure symbols.
  • the structure analysis module 20 is configured to: perform structure analysis on the real password and the virtual password, and form a second leakage parameter analysis model according to the structure of the real password and the virtual password and the calculated leakage parameter probability.
  • the password preset module 30 is configured to randomly generate a batch of passwords, and use the second leakage parameter analysis model to calculate the leakage probability of the randomly generated batch of passwords.
  • The strength evaluation module 40 is used for: using a preset password strength calculation model and the leakage probability of the batch of randomly generated passwords to estimate the password strength value of the password to be evaluated input by the user.
  • An embodiment of the present application also proposes a computer-readable storage medium having a password strength calculation program stored on it, and the password strength calculation program can be executed by one or more processors to achieve the following operations:
  • the password strength value of the password to be analyzed input by the user is calculated.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A method for calculating password strength, comprising: collecting real passwords leaked from a network and a preset type of virtual passwords, and estimating and calculating leakage parameters of the real passwords and virtual passwords by means of a preset first leakage parameter probability analysis model (S1); performing structural analysis on the real passwords and the virtual passwords, and constructing a second leakage parameter analysis model according to the structures of the real passwords and the virtual passwords and the calculated leakage parameters (S2); randomly generating a batch of passwords, and using the second leakage parameter analysis model to calculate leakage parameters of the randomly generated batch of passwords (S3); and using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords to calculate a password strength value of a password to be evaluated that is inputted by a user (S4).
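The procedure summarized in the abstract, sketched as an added example (not code from the patent): a character n-gram Markov model trained on a small constructed corpus supplies password probabilities, and a Monte Carlo sample drawn from that model estimates how many guesses precede a given password. Assumptions: the estimator is the standard Monte Carlo guess-number sum of 1/(n·p(β)) over sampled passwords β more probable than the target, the sample is drawn from the n-gram model itself rather than through the patent's structure-based second model, and every name, the corpus and the smoothing constant are illustrative.

```python
import itertools
import math
import random
import string
from collections import Counter, defaultdict

START, END = "\x02", "\x03"  # padding symbols chosen for this example
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a leaked-password corpus (not real breach data).
CORPUS = (["123456"] * 6 + ["password"] * 4 + ["123456789"] * 3
          + ["qwerty"] * 3 + ["111111"] * 2 + ["abc123"] * 2
          + ["iloveyou", "admin123", "letmein", "qwe456&", "Abc1234!",
             "dragon", "monkey1", "passw0rd"])


class NGramModel:
    """Character n-gram Markov model with add-alpha smoothing."""

    def __init__(self, passwords, n=3, alpha=0.001):
        self.n, self.alpha = n, alpha
        self.symbols = list(ALPHABET) + [END]
        self.counts = defaultdict(Counter)  # prefix -> next-char counts
        for pw in passwords:
            padded = START * (n - 1) + pw + END
            for i in range(n - 1, len(padded)):
                self.counts[padded[i - n + 1:i]][padded[i]] += 1
        self.totals = {p: sum(c.values()) for p, c in self.counts.items()}
        self._cum = {}  # prefix -> cached cumulative sampling weights

    def cond_prob(self, prefix, ch):
        """P(ch | prefix): smoothed maximum-likelihood estimate."""
        seen = self.counts.get(prefix, {}).get(ch, 0)
        total = self.totals.get(prefix, 0)
        return (seen + self.alpha) / (total + self.alpha * len(self.symbols))

    def log_prob(self, pw):
        """Natural log of the model probability of the whole password."""
        padded = START * (self.n - 1) + pw + END
        return sum(
            math.log(self.cond_prob(padded[i - self.n + 1:i], padded[i]))
            for i in range(self.n - 1, len(padded)))

    def sample(self, rng):
        """Draw one password from the model's own distribution."""
        prefix, out = START * (self.n - 1), []
        while True:
            if prefix not in self._cum:
                self._cum[prefix] = list(itertools.accumulate(
                    self.cond_prob(prefix, s) for s in self.symbols))
            ch = rng.choices(self.symbols, cum_weights=self._cum[prefix])[0]
            if ch == END:
                return "".join(out)
            out.append(ch)
            prefix = (prefix + ch)[1:]  # keep the last n-1 characters


def draw_sample(model, size=2000, seed=7):
    """Log-probabilities of `size` passwords sampled from the model."""
    rng = random.Random(seed)
    return [model.log_prob(model.sample(rng)) for _ in range(size)]


def estimate_guesses(model, password, sample_logps):
    """Monte Carlo estimate of how many candidates the model ranks above
    `password`: sum of 1 / (n * p(b)) over sampled b with p(b) > p(password).
    """
    target = model.log_prob(password)
    # The clamp avoids float overflow for extremely improbable samples.
    total = sum(math.exp(min(-lp, 700.0))
                for lp in sample_logps if lp > target)
    return total / len(sample_logps)


if __name__ == "__main__":
    model = NGramModel(CORPUS)
    logps = draw_sample(model)
    for pw in ("123456", "Abc1234!", "xK9#mQ2$vL"):
        print(f"{pw!r:14} log p = {model.log_prob(pw):8.2f}  "
              f"estimated guesses = {estimate_guesses(model, pw, logps):.3g}")
```

`Abc1234!` satisfies typical composition rules yet receives a low guess estimate because it appears in the training corpus, which is the weakness of rule-based meters that the background section describes.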

Description

Password strength calculation method, device and computer-readable storage medium
Based on the Paris Convention, this application claims priority to the Chinese patent application filed on April 8, 2019, with application number CN 201910274077.0 and titled "Password Strength Calculation Method, Device and Computer-Readable Storage Medium", the entire content of which is incorporated in this application by reference.
Technical field
This application relates to the field of security technology, and in particular to a method, device and computer-readable storage medium for calculating password strength.
Background
Passwords are one of the most important security authentication methods in current Internet applications, and the strength of a password determines the security of user accounts and systems. Since weak passwords are easy to recover from encrypted files, a common way to prompt users to choose a stronger password is to introduce a password strength meter (Strength Meter).
At present, the factors influencing the password strength value are divided into positive (bonus) items and negative (deduction) items. The bonus items include length, numbers, uppercase and lowercase letters, special symbols, etc., and each factor is assigned a different weight. The deduction items include whether the password is purely numeric, whether it is purely alphabetic, whether it contains repeated symbols, etc., and each of these factors is also assigned a different weight. Finally, the scores of the two kinds of factors are simply added and subtracted to obtain the strength value of the password; the larger the value, the higher the strength. However, the method of this type of evaluation tool is very simple and has few parameters, and a password rated "strong" only by simple rules on its characters cannot resist dictionary attacks.
Summary of the invention
This application provides a password strength calculation method, device and computer-readable storage medium, whose main purpose is to present an accurate calculation result to the user when the user calculates the strength of a password.
To achieve the above purpose, the password strength calculation method provided by this application includes:
collecting real passwords leaked on the network and virtual passwords of preset types, and calculating leakage parameters of the real passwords and the virtual passwords with a preset first leakage parameter analysis model, wherein the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols;
performing structural analysis on the real passwords and the virtual passwords, and constructing a second leakage parameter analysis model according to the structures of the real passwords and the virtual passwords and the calculated leakage parameters;
randomly generating a batch of passwords, and calculating the leakage parameters of the randomly generated batch of passwords with the second leakage parameter analysis model;
calculating a password strength value for the to-be-analyzed password entered by the user, using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords.
In addition, to achieve the above purpose, this application also provides a password strength calculation device. The device includes a memory and a processor; the memory stores a password strength calculation program that can run on the processor, and the program implements the following steps when executed by the processor:
collecting real passwords leaked on the network and virtual passwords of preset types, and calculating leakage parameters of the real passwords and the virtual passwords with a preset first leakage parameter analysis model, wherein the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols;
performing structural analysis on the real passwords and the virtual passwords, and constructing a second leakage parameter analysis model according to the structures of the real passwords and the virtual passwords and the calculated leakage parameters;
randomly generating a batch of passwords, and calculating the leakage parameters of the randomly generated batch of passwords with the second leakage parameter analysis model;
calculating a password strength value for the to-be-analyzed password entered by the user, using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords.
In addition, to achieve the above purpose, this application also provides a computer-readable storage medium on which a password strength calculation program is stored; the program can be executed by one or more processors to implement the steps of the password strength calculation method described above.
With the password strength calculation method, device and computer-readable storage medium proposed in this application, when a user evaluates the strength of a password, the leakage parameter of the user's to-be-analyzed password is calculated according to the preset first leakage parameter analysis model, and the strength of that password is calculated with the password strength calculation model, so that an accurate calculation result can be presented to the user.
Description of the drawings
FIG. 1 is a schematic flowchart of a password strength calculation method provided by an embodiment of this application;
FIG. 2 is a schematic diagram of the internal structure of a password strength calculation device provided by an embodiment of this application;
FIG. 3 is a schematic diagram of the modules of the password strength calculation program in a password strength calculation device provided by an embodiment of this application;
FIG. 4 is a schematic diagram of the generation process of the second leakage parameter analysis model in the password strength calculation method provided by an embodiment of this application.
The realization of the purpose, the functional characteristics and the advantages of this application will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description
It should be understood that the specific embodiments described here are only used to explain this application and are not intended to limit it.
This application provides a password strength calculation method. FIG. 1 is a schematic flowchart of the password strength calculation method provided by an embodiment of this application. The method can be executed by a device, and the device can be implemented in software and/or hardware.
In this embodiment, the password strength calculation method includes:
S1. Collect real passwords leaked on the network and virtual passwords of preset types, and calculate the leakage parameters of the real passwords and the virtual passwords with a preset first leakage parameter analysis model.
In a preferred embodiment of this application, the password, also called a plaintext password, is unencrypted text or an unencrypted character string that an ordinary person can read. It is a term from cryptography: the password plaintext can generally be regarded as a meaningful set of characters or bits, or as a message that can be obtained through some public encoding standard. A password usually contains Arabic numerals, uppercase and lowercase letters, special symbols and so on, in varying lengths.
In a preferred embodiment of this application, the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols.
In a preferred embodiment of this application, the leakage probability is used as the example of the leakage parameter, and the preset first leakage parameter analysis model is a Markov model. The Markov model holds that the characters in a password are related to one another: knowing the first few characters of a password usually makes it possible to predict the next character. This application can therefore use an n-gram Markov model to estimate the probability of the n-th character of a password from the prefix string of length n-1.
A preferred embodiment of this application builds an n-gram database from the collected real passwords leaked on the network and the virtual passwords of preset types.
Further, one password S is selected from the n-gram database. Assuming that the password S consists of the character sequence $\{W_1, W_2, \ldots, W_m\}$, the probability that the n-th character appears, given that the first n-1 characters of S have appeared, can be expressed as:
$$P(W_n \mid W_1, \ldots, W_{n-1}) = P(W_n \mid W_{n-i+1}, \ldots, W_{n-1}).$$
Therefore, the probability that the password S is arranged in the above character sequence is:
$$P(S) = P(W_1 W_2 \ldots W_m) = P(W_1)\,P(W_2 \mid W_1) \cdots P(W_m \mid W_{m-i+1}, \ldots, W_{m-1}),$$
where $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ is the probability that $W_m$ appears given that the string $W_{m-i+1}, \ldots, W_{m-1}$ has appeared.
The leakage probability of the password S is obtained by maximum likelihood estimation over a large number of passwords, and can be expressed as:
Figure PCTCN2019102812-appb-000001
Therefore, the leakage probability of every real password and every virtual password can be calculated by the above method.
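The n-gram Markov estimate of step S1, as an added example that is not code from the application: it counts n-grams over a constructed corpus and multiplies the conditional probabilities, using the standard count-ratio maximum likelihood estimate because the application's own formula is an image not reproduced on this page. The start/end padding markers, the function names and the sample corpus are assumptions.

```python
from collections import Counter

# Assumed padding markers (the page defines none): START gives the first
# characters a full-length prefix, END makes the model account for length.
START, END = "\x02", "\x03"


def train_ngram(passwords, n=3):
    """Count every n-gram and its (n-1)-character prefix in the corpus."""
    ngrams, prefixes = Counter(), Counter()
    for pw in passwords:
        padded = START * (n - 1) + pw + END
        for k in range(n - 1, len(padded)):
            prefix = padded[k - n + 1:k]
            ngrams[prefix + padded[k]] += 1
            prefixes[prefix] += 1
    return ngrams, prefixes


def leak_probability(password, model, n=3):
    """P(S) as the product of P(W_k | previous n-1 characters).

    Each factor is count(prefix + char) / count(prefix). The estimate is
    unsmoothed, so any transition absent from the corpus yields 0.0.
    """
    ngrams, prefixes = model
    padded = START * (n - 1) + password + END
    p = 1.0
    for k in range(n - 1, len(padded)):
        prefix = padded[k - n + 1:k]
        seen = prefixes[prefix]
        if seen == 0:            # prefix never observed in the corpus
            return 0.0
        p *= ngrams[prefix + padded[k]] / seen
    return p


# Constructed sample corpus standing in for the collected passwords.
CORPUS = ["123456", "123456", "111111", "abc123"]

if __name__ == "__main__":
    model = train_ngram(CORPUS, n=2)
    for candidate in ("123456", "abc123", "123", "zzz"):
        print(candidate, leak_probability(candidate, model, n=2))
```

Because the estimate is unsmoothed, a password whose transitions never occur in the corpus gets probability 0.0, so corpus coverage directly limits what this first model can score.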
S2. Perform structural analysis on the real passwords and the virtual passwords, and construct a second leakage parameter analysis model according to the structures of the real passwords and the virtual passwords and the calculated leakage parameters.
A preferred embodiment of this application performs structural analysis on the real passwords leaked on the network. Counting the letters, digits and/or symbols contained in the real passwords and the virtual passwords gives their structure $L_m D_n S_i$, where L denotes letters, D denotes digits, S denotes symbols, and m, n and i are natural numbers giving the number of letters, digits and symbols in the password. For example, passwords such as Abc1234^ and qwe456& can be expressed as the password structure $L_3 D_4 S_1$ (that is, 3 letters, 4 digits and 1 symbol).
Based on the leakage probability calculated above for each real password, a preferred embodiment of this application averages the probabilities of all real passwords that share the same password structure to obtain the probability of that structure. For example, the averaging may give a leakage probability of 0.3 for the password structure $L_3 D_4 S_1$ and 0.7 for the password structure $D_6$.
In a preferred embodiment of this application, the averaging may use a weighted average algorithm.
Further, as described above, the virtual passwords contain only letters, Arabic numerals or special symbols, so the Markov model described above gives the probability corresponding to the password structure of each virtual password. For example, among virtual passwords made up of 6 digits, the leakage probability of the password 123456 is 0.8 and that of the password 111111 is 0.2.
Further, taking the leakage probability as the example of the leakage parameter, a preferred embodiment of this application forms the second leakage parameter analysis model from the probability of each password structure obtained from the real passwords and the leakage probability of each password structure obtained from the virtual passwords. In detail, a basic probability table BT is generated from the structure of each real password and its leakage probability, a segment probability table ST is generated from the structure of each virtual password and its leakage probability, and the second leakage parameter analysis model is formed with the following formula:
$$P(S) = P(S') \cdot P(L_m) \cdot P(D_n) \cdot P(S_i),$$
where the value of $P(S')$ is taken from the basic probability table BT, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment probability table ST.
As shown in FIG. 4, for the password abc1234^, the second leakage parameter analysis model formula described in this application gives the leakage probability:
$$P(\text{abc1234\^{}}) = P(S \to L_3 D_4 S_1) \cdot P(L_3 \to \text{abc}) \cdot P(D_4 \to 1234) \cdot P(S_1 \to \text{\^{}}) = 0.3 \times 0.7 \times 0.6 \times 0.1 = 0.0126.$$
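The structure analysis and the second model of step S2, as an added example that is not code from the application: it derives the $L_m D_n S_i$ structure, builds the tables BT and ST, and reproduces the 0.0126 result for abc1234^. The function names are assumptions, the per-password leakage values for the real passwords are constructed so that the structure averages match the page's 0.3 and 0.7, and a plain (unweighted) mean is used.

```python
from collections import defaultdict


def structure(password):
    """Return (label, segments), e.g. ('L3D4S1', {'L': 'abc', 'D': '1234', 'S': '^'}).

    Characters are counted per class, as the page describes, so the order in
    which classes interleave inside the password is not captured.
    """
    segments = {"L": "", "D": "", "S": ""}
    for ch in password:
        cls = "L" if ch.isalpha() else "D" if ch.isdigit() else "S"
        segments[cls] += ch
    label = "".join(f"{c}{len(s)}" for c, s in segments.items() if s)
    return label, {c: s for c, s in segments.items() if s}


def build_base_table(real_probs):
    """BT: structure label -> mean leakage probability of the real passwords with it."""
    grouped = defaultdict(list)
    for pw, p in real_probs.items():
        grouped[structure(pw)[0]].append(p)
    return {label: sum(ps) / len(ps) for label, ps in grouped.items()}


def build_segment_table(virtual_probs):
    """ST: (segment tag, string) -> leakage probability of a single-class virtual password."""
    table = {}
    for pw, p in virtual_probs.items():
        label, segments = structure(pw)
        if len(segments) != 1:
            raise ValueError(f"{pw!r} mixes character classes; not a virtual password")
        table[(label, pw)] = p
    return table


def second_model_probability(password, bt, st):
    """P(S) = P(S') * P(L_m) * P(D_n) * P(S_i); 0.0 if any factor is missing from a table."""
    label, segments = structure(password)
    p = bt.get(label, 0.0)
    for cls, seg in segments.items():
        p *= st.get((f"{cls}{len(seg)}", seg), 0.0)
    return p


# Constructed first-model outputs for real passwords (averages: L3D4S1 -> 0.3, D6 -> 0.7).
REAL = {"abc1234^": 0.4, "xyz9876!": 0.2, "123456": 0.8, "654321": 0.6}
# Segment probabilities taken from the page's worked example and its 6-digit example.
VIRTUAL = {"abc": 0.7, "1234": 0.6, "^": 0.1, "123456": 0.8, "111111": 0.2}

if __name__ == "__main__":
    bt, st = build_base_table(REAL), build_segment_table(VIRTUAL)
    for candidate in ("abc1234^", "123456", "abc123"):
        print(candidate, structure(candidate)[0], second_model_probability(candidate, bt, st))
```

A structure or segment that never appeared in the collected data multiplies the result to 0.0, which is why the tables need broad coverage before the model is used for scoring.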
S3. Randomly generate a batch of passwords, and calculate the leakage parameters of the randomly generated batch of passwords with the second leakage parameter analysis model.
Taking the leakage probability as the example of the leakage parameter, a preferred embodiment of this application randomly generates a batch of passwords. Each randomly generated password is assumed to consist of N characters, where $S_i$ denotes the i-th character and $Q_i$ denotes the probability of that character appearing. A password containing the N characters $S_1, S_2, \ldots, S_N$ is drawn at random, and forms a complete password S as follows:
$$S = (S_1, S_2, \ldots, S_i, \ldots, S_N).$$
Further, a preferred embodiment of this application analyzes the structure of each randomly generated password and uses the second leakage parameter analysis model above to calculate the leakage probability of each password in the randomly generated batch.
S4. Using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords, calculate the password strength value of the to-be-analyzed password entered by the user.
In a preferred embodiment of this application, the leakage probability is used as the example of the leakage parameter, and the preset password strength calculation model may be the Monte Carlo method. The Monte Carlo method, also known as the random sampling method, is a calculation method based on statistical theory and probability. Its main idea is to use random numbers on a computer to represent the probability parameters of the system components, simulate the actual operation of the system on a Monte Carlo simulator, observe it for a period of time, and give an approximate value of the solution, which is expressed by the standard deviation of the estimate. Because the number of samples the Monte Carlo method takes is independent of the scale of the system, there is no rapid-growth relationship between the number of system states and the number of system components.
Further, in a preferred embodiment of this application, the formula of the preset password strength calculation model is as follows:
Figure PCTCN2019102812-appb-000002
where α is the password to be evaluated, Θ is the randomly generated batch of passwords, n is the number of passwords in that batch, p(·) is the estimated probability of a password, and $C_\Delta$ is the estimated number of guesses, which can be regarded as the strength value of the password.
A preferred embodiment of this application inputs the set of leakage probabilities of the random passwords and the leakage probability of the user's to-be-evaluated password into the password strength calculation model, and calculates the number of guesses for the user's password. The more guesses, the stronger the password; the fewer guesses, the weaker the password.
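A Monte Carlo guess-number estimate for step S4, as an added example that is not code from the application. The application's formula survives on this page only as an image reference, so the block assumes the standard Monte Carlo estimator that fits the symbols defined above: each sampled password β in Θ with p(β) > p(α) contributes 1/(n·p(β)). It also assumes Θ is sampled from the same model that assigns p(·); the toy model and function names are constructed.

```python
import random


def guess_number(p_alpha, sample_probs):
    """Estimate how many passwords the model ranks above the target.

    sample_probs holds p(beta) for every beta in the sample Theta. When Theta
    is drawn from the model itself, each beta that is more probable than the
    target contributes 1 / (n * p(beta)), and the sum converges to the number
    of passwords an attacker guessing in probability order would try first.
    """
    n = len(sample_probs)
    if n == 0:
        raise ValueError("empty sample")
    return sum(1.0 / (n * p) for p in sample_probs if p > p_alpha)


def strength(password, model, n=20000, seed=1):
    """Sample n passwords from `model` (password -> probability) and score `password`.

    A password the model has never seen gets p = 0, so its score is the
    estimated size of the model's support, which is only a lower bound.
    """
    rng = random.Random(seed)
    candidates = list(model)
    sample = rng.choices(candidates, weights=[model[c] for c in candidates], k=n)
    return guess_number(model.get(password, 0.0), [model[b] for b in sample])


# Constructed toy distribution standing in for the second leakage model.
MODEL = {"123456": 0.4, "password": 0.3, "abc123": 0.2, "qwe456&": 0.08, "abc1234^": 0.02}

if __name__ == "__main__":
    for candidate in MODEL:
        print(candidate, round(strength(candidate, MODEL), 2))
```

The estimate is only as good as the model behind p(·): a password the model rates improbable scores as strong even if a different guessing strategy would reach it early.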
This application also provides a password strength calculation device. FIG. 2 is a schematic diagram of the internal structure of the password strength calculation device provided by an embodiment of this application.
In this embodiment, the password strength calculation device 1 may be a PC (personal computer), a terminal device such as a smartphone, tablet computer or portable computer, or a server. The password strength calculation device 1 includes at least a memory 11, a processor 12, a communication bus 13 and a network interface 14.
The memory 11 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), magnetic memory, magnetic disk, optical disc and so on. In some embodiments the memory 11 may be an internal storage unit of the password strength calculation device 1, such as its hard disk. In other embodiments the memory 11 may be an external storage device of the password strength calculation device 1, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card or a flash card fitted to the device. Further, the memory 11 may include both an internal storage unit and an external storage device of the password strength calculation device 1. The memory 11 can be used not only to store the application software installed on the password strength calculation device 1 and various kinds of data, such as the code of the password strength calculation program 01, but also to temporarily store data that has been output or is about to be output.
In some embodiments the processor 12 may be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip, used to run the program code stored in the memory 11 or to process data, for example to execute the password strength calculation program 01.
The communication bus 13 is used to realize connection and communication between these components.
The network interface 14 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface), and is usually used to establish a communication connection between the device 1 and other electronic devices.
Optionally, the device 1 may also include a user interface. The user interface may include a display and an input unit such as a keyboard, and may optionally also include a standard wired interface and a wireless interface. Optionally, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (organic light-emitting diode) touch device, or the like. The display may also be called a display screen or display unit, and is used to display the information processed in the password strength calculation device 1 and a visual user interface.
FIG. 2 shows only the password strength calculation device 1 with components 11-14 and the password strength calculation program 01. Those skilled in the art will understand that the structure shown in FIG. 1 does not limit the password strength calculation device 1, which may include fewer or more components than shown, combine certain components, or arrange the components differently.
In the embodiment of the device 1 shown in FIG. 2, the password strength calculation program 01 is stored in the memory 11; when the processor 12 executes the password strength calculation program 01 stored in the memory 11, the following steps are implemented:
Step 1. Collect real passwords leaked on the network and virtual passwords of preset types, and calculate the leakage parameters of the real passwords and the virtual passwords with a preset first leakage parameter analysis model.
In a preferred embodiment of this application, the password, also called a plaintext password, is unencrypted text or an unencrypted character string that an ordinary person can read. It is a term from cryptography: the password plaintext can generally be regarded as a meaningful set of characters or bits, or as a message that can be obtained through some public encoding standard. A password usually contains Arabic numerals, uppercase and lowercase letters, special symbols and so on, in varying lengths.
In a preferred embodiment of this application, the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols.
In a preferred embodiment of this application, the leakage probability is used as the example of the leakage parameter, and the preset first leakage parameter analysis model is a Markov model. The Markov model holds that the characters in a password are related to one another: knowing the first few characters of a password usually makes it possible to predict the next character. This application can therefore use an n-gram Markov model to estimate the probability of the n-th character of a password from the prefix string of length n-1.
A preferred embodiment of this application builds an n-gram database from the collected real passwords leaked on the network and the virtual passwords of preset types.
Further, one password S is selected from the n-gram database. Assuming that the password S consists of the character sequence $\{W_1, W_2, \ldots, W_m\}$, the probability that the n-th character appears, given that the first n-1 characters of S have appeared, can be expressed as:
$$P(W_n \mid W_1, \ldots, W_{n-1}) = P(W_n \mid W_{n-i+1}, \ldots, W_{n-1}).$$
Therefore, the probability that the password S is arranged in the above character sequence is:
$$P(S) = P(W_1 W_2 \ldots W_m) = P(W_1)\,P(W_2 \mid W_1) \cdots P(W_m \mid W_{m-i+1}, \ldots, W_{m-1}),$$
where $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ is the probability that $W_m$ appears given that the string $W_{m-i+1}, \ldots, W_{m-1}$ has appeared.
The leakage probability of the password S is obtained by maximum likelihood estimation over a large number of passwords, and can be expressed as:
Figure PCTCN2019102812-appb-000003
Therefore, the leakage probability of every real password and every virtual password can be calculated by the above method.
Step 2. Perform structural analysis on the real passwords and the virtual passwords, and construct a second leakage parameter analysis model according to the structures of the real passwords and the virtual passwords and the calculated leakage parameters.
A preferred embodiment of this application performs structural analysis on the real passwords leaked on the network. Counting the letters, digits and/or symbols contained in the real passwords and the virtual passwords gives their structure $L_m D_n S_i$, where L denotes letters, D denotes digits, S denotes symbols, and m, n and i are natural numbers giving the number of letters, digits and symbols in the password. For example, passwords such as Abc1234^ and qwe456& can be expressed as the password structure $L_3 D_4 S_1$ (that is, 3 letters, 4 digits and 1 symbol).
Based on the leakage probability calculated above for each real password, a preferred embodiment of this application averages the probabilities of all real passwords that share the same password structure to obtain the probability of that structure. For example, the averaging may give a leakage probability of 0.3 for the password structure $L_3 D_4 S_1$ and 0.7 for the password structure $D_6$.
In a preferred embodiment of this application, the averaging may use a weighted average algorithm.
Further, as described above, the virtual passwords contain only letters, Arabic numerals or special symbols, so the Markov model described above gives the probability corresponding to the password structure of each virtual password. For example, among virtual passwords made up of 6 digits, the leakage probability of the password 123456 is 0.8 and that of the password 111111 is 0.2.
Further, taking the leakage probability as the example of the leakage parameter, a preferred embodiment of this application forms the second leakage parameter analysis model from the probability of each password structure obtained from the real passwords and the leakage probability of each password structure obtained from the virtual passwords. In detail, a basic probability table BT is generated from the structure of each real password and its leakage probability, a segment probability table ST is generated from the structure of each virtual password and its leakage probability, and the second leakage parameter analysis model is formed with the following formula:
$$P(S) = P(S') \cdot P(L_m) \cdot P(D_n) \cdot P(S_i),$$
where the value of $P(S')$ is taken from the basic probability table BT, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment probability table ST.
As shown in FIG. 4, for the password abc1234^, the password probability model formula described in this application gives the leakage probability:
$$P(\text{abc1234\^{}}) = P(S \to L_3 D_4 S_1) \cdot P(L_3 \to \text{abc}) \cdot P(D_4 \to 1234) \cdot P(S_1 \to \text{\^{}}) = 0.3 \times 0.7 \times 0.6 \times 0.1 = 0.0126.$$
Step 3. Randomly generate a batch of passwords, and calculate the leakage parameters of the randomly generated batch of passwords with the second leakage parameter analysis model.
Taking the leakage probability as the example of the leakage parameter, a preferred embodiment of this application randomly generates a batch of passwords. Each randomly generated password is assumed to consist of N characters, where $S_i$ denotes the i-th character and $Q_i$ denotes the probability of that character appearing. A password containing the N characters $S_1, S_2, \ldots, S_N$ is drawn at random, and forms a complete password S as follows:
$$S = (S_1, S_2, \ldots, S_i, \ldots, S_N).$$
Further, a preferred embodiment of this application analyzes the structure of each randomly generated password and uses the second leakage parameter analysis model above to calculate the leakage probability of each password in the randomly generated batch.
Step 4. Using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords, calculate the password strength value of the to-be-analyzed password entered by the user.
In a preferred embodiment of this application, the leakage probability is used as the example of the leakage parameter, and the preset password strength calculation model may be the Monte Carlo method. The Monte Carlo method, also known as the random sampling method, is a calculation method based on statistical theory and probability. Its main idea is to use random numbers on a computer to represent the probability parameters of the system components, simulate the actual operation of the system on a Monte Carlo simulator, observe it for a period of time, and give an approximate value of the solution, which is expressed by the standard deviation of the estimate. Because the number of samples the Monte Carlo method takes is independent of the scale of the system, there is no rapid-growth relationship between the number of system states and the number of system components.
Further, in a preferred embodiment of this application, the formula of the preset password strength calculation model is as follows:
Figure PCTCN2019102812-appb-000004
where α is the password to be evaluated, Θ is the randomly generated batch of passwords, n is the number of passwords in that batch, p(·) is the estimated probability of a password, and $C_\Delta$ is the estimated number of guesses, which is taken as the password strength value.
The preferred embodiment of this application inputs the above set of leakage probabilities of the random passwords and the leakage probability of the user's password to be evaluated into the password strength calculation model, and calculates the number of guesses for the user's password to be evaluated. The more guesses, the stronger the password; the fewer guesses, the weaker the password.
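The Monte Carlo strength estimate described above, as an added example (not code from the patent). The formula figure is not reproduced on this page, so the estimator is assumed to be the standard sampling estimator $C_\Delta(\alpha) = \sum_{\beta \in \Theta,\ p(\beta) > p(\alpha)} 1/(n \cdot p(\beta))$; a character n-gram Markov model with additive smoothing stands in for the second leakage parameter analysis model, and Θ is sampled from that same model. The corpus, class and function names and the constants are constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed sample standing in for a leaked-password corpus (not real data).
CORPUS = ["123456", "password", "password1", "qwerty", "abc123", "111111",
          "iloveyou", "123456789", "letmein", "monkey12", "dragon", "qwerty123"]
ALPHABET = [chr(c) for c in range(33, 127)]  # printable ASCII without space
END = "\n"     # end-of-password symbol, so the model also learns lengths
START = "\0"   # padding so the first characters have a context too


class MarkovModel:
    """Order-n character model: P(W_m | the previous n-1 characters)."""

    def __init__(self, passwords, order=3, delta=1e-4):
        if order < 2:
            raise ValueError("order must be at least 2")
        self.k = order - 1                  # context length n-1
        self.delta = delta                  # additive smoothing (assumption)
        self.symbols = ALPHABET + [END]
        self.counts = defaultdict(Counter)  # context -> next-symbol counts
        self._dist = {}                     # cache of per-context distributions
        for pw in passwords:
            padded = START * self.k + pw + END
            for i in range(self.k, len(padded)):
                self.counts[padded[i - self.k:i]][padded[i]] += 1

    def cond_prob(self, ctx, ch):
        # Smoothed maximum-likelihood estimate count(ctx+ch) / count(ctx).
        c = self.counts.get(ctx, {})
        total = sum(c.values())
        return (c.get(ch, 0) + self.delta) / (total + self.delta * len(self.symbols))

    def dist(self, ctx):
        if ctx not in self._dist:
            self._dist[ctx] = [self.cond_prob(ctx, s) for s in self.symbols]
        return self._dist[ctx]

    def log_prob(self, pw):
        # ln P(S) = sum of ln P(W_j | context), including the END symbol.
        padded = START * self.k + pw + END
        return sum(math.log(self.cond_prob(padded[i - self.k:i], padded[i]))
                   for i in range(self.k, len(padded)))

    def sample(self, rng):
        # Draw one password with exactly the probability log_prob() assigns it.
        ctx, out = START * self.k, []
        while True:
            ch = rng.choices(self.symbols, self.dist(ctx))[0]
            if ch == END:
                return "".join(out)
            out.append(ch)
            ctx = (ctx + ch)[-self.k:]


def strength_bits(model, target, sample_logps):
    """log2 of the estimated guess number C_delta for `target`.

    Only samples that are more probable than the target contribute, each
    with weight 1 / (n * p(sample)). The sum is taken in the log domain so
    that very improbable samples cannot overflow a float.
    """
    lp_t = model.log_prob(target)
    terms = [-lp for lp in sample_logps if lp > lp_t]
    if not terms:
        return 0.0  # nothing sampled is more probable: guessed almost at once
    m = max(terms)
    ln_c = m + math.log(sum(math.exp(t - m) for t in terms))
    ln_c -= math.log(len(sample_logps))
    return max(0.0, ln_c / math.log(2))


def demo(seed=1234, n=2000):
    rng = random.Random(seed)
    model = MarkovModel(CORPUS)
    # Theta: n passwords sampled from the model, stored as log-probabilities.
    sample_logps = [model.log_prob(model.sample(rng)) for _ in range(n)]
    return {pw: strength_bits(model, pw, sample_logps)
            for pw in ("123456", "dragon2019", "Zq7#fP0!xW")}


if __name__ == "__main__":
    for pw, bits in demo().items():
        print(f"{pw!r}: about 2^{bits:.1f} guesses")
```

The estimate is only as good as the training corpus: with this tiny constructed corpus the absolute numbers mean little, but the ordering of the three test passwords shows how the guess count grows as a password moves away from the patterns the model has seen.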
Optionally, in other embodiments, the password strength calculation program may also be divided into one or more modules, which are stored in the memory 11 and executed by one or more processors (the processor 12 in this embodiment) to carry out this application. A module in this application refers to a series of computer program instruction segments capable of performing a specific function, and is used to describe the execution process of the password strength calculation program in the password strength calculation device.
For example, FIG. 3 is a schematic diagram of the program modules of the password strength calculation program in an embodiment of the password strength calculation device of this application. In this embodiment, the password strength calculation program may be divided into a password acquisition module 10, a structure analysis module 20, a password preset module 30 and a strength evaluation module 40. Illustratively:
The password acquisition module 10 is configured to collect real passwords leaked from the network and virtual passwords of preset types, and to estimate the leakage probability parameters of the real passwords and virtual passwords through a preset first leakage parameter probability analysis model, where the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols.
The structure analysis module 20 is configured to perform structural analysis on the real passwords and virtual passwords, and to form a second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameter probabilities.
The password preset module 30 is configured to randomly generate a batch of passwords and to use the second leakage parameter analysis model to calculate the leakage probability of the randomly generated batch of passwords.
The strength evaluation module 40 is configured to use a preset password strength calculation model and the leakage probability of the randomly generated batch of passwords to estimate the password strength value of the password to be evaluated that the user inputs.
The functions or operation steps implemented when program modules such as the password acquisition module 10, the structure analysis module 20, the password preset module 30 and the search strength evaluation module 40 are executed are substantially the same as those of the foregoing embodiments, and are not repeated here.
In addition, an embodiment of this application also provides a computer-readable storage medium on which a password strength calculation program is stored. The password strength calculation program can be executed by one or more processors to implement the following operations:
collecting real passwords leaked from the network and virtual passwords of preset types, and calculating the leakage parameters of the real passwords and virtual passwords through a preset first leakage parameter analysis model, where the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols;
performing structural analysis on the real passwords and virtual passwords, and constructing a second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters;
randomly generating a batch of passwords, and using the second leakage parameter analysis model to calculate the leakage parameters of the randomly generated batch of passwords;
using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords to calculate the password strength value of the password to be analyzed that the user inputs.
The specific implementation of the computer-readable storage medium of this application is basically the same as the foregoing embodiments of the password strength calculation device and method, and is not repeated here.
It should be noted that the serial numbers of the above embodiments of this application are for description only and do not indicate the relative merits of the embodiments. The terms "include", "comprise" and any other variants thereof in this document are intended to cover non-exclusive inclusion, so that a process, device, article or method that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, device, article or method. Without further restrictions, an element defined by the phrase "including a..." does not exclude the existence of other identical elements in the process, device, article or method that includes the element.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disk) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to execute the methods described in the embodiments of this application.
The above are only preferred embodiments of this application and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of this application, or applied directly or indirectly in other related technical fields, is likewise included in the scope of patent protection of this application.

Claims (20)

  1. A method for calculating password strength, characterized in that the method comprises:
    collecting real passwords leaked from the network and virtual passwords of preset types, and calculating the leakage parameters of the real passwords and virtual passwords through a preset first leakage parameter analysis model, where the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols;
    performing structural analysis on the real passwords and virtual passwords, and constructing a second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters;
    randomly generating a batch of passwords, and using the second leakage parameter analysis model to calculate the leakage parameters of the randomly generated batch of passwords;
    using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords to calculate the password strength value of the password to be analyzed that the user inputs.
  2. The password strength calculation method according to claim 1, wherein the preset first leakage parameter analysis model is a Markov model, and the collecting of real passwords leaked from the network and virtual passwords of preset types and the calculating of the leakage parameters of the real passwords and virtual passwords through the preset first leakage parameter analysis model comprise:
    constructing an n-gram database using the real passwords and the virtual passwords;
    selecting a password S from the n-gram database, the password S consisting of the character sequence $\{W_1, W_2, \ldots, W_m\}$, where n and m are positive integers greater than 2;
    according to the Markov model, using the first n-1 characters of the password S to estimate the parameter of the n-th character of the password:
    $P(W_n \mid W_1, \ldots, W_{n-1}) = P(W_n \mid W_{n-i+1}, \ldots, W_{n-1})$, where i is a positive integer smaller than n and m;
    obtaining the parameter of the password S arranged according to the above character sequence:
    $P(S) = P(W_1 W_2 \ldots W_m) = P(W_1) P(W_2 \mid W_1) \cdots P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$,
    where $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ refers to the parameter with which $W_m$ appears given that the string $W_{m-i+1}, \ldots, W_{m-1}$ has appeared;
    obtaining the leakage parameter of the password S by maximum likelihood calculation over a large number of passwords, the leakage parameter of the password S being expressed as:
    Figure PCTCN2019102812-appb-100001
  3. The password strength calculation method according to claim 1, wherein performing structural analysis on the real passwords and virtual passwords comprises:
    obtaining the structure $L_m D_n S_i$ of the real passwords and virtual passwords by counting the number of letters, numbers and/or symbols they contain, where L denotes letters, D denotes numbers, S denotes symbols, and m, n and i are natural numbers denoting the number of letters, numbers and symbols, respectively, in the real passwords and virtual passwords.
  4. The password strength calculation method according to claim 3, wherein constructing the second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters comprises:
    generating a basic parameter table according to the structure of each real password and the corresponding leakage parameter;
    generating a segment parameter table according to the structure of each virtual password and the corresponding leakage parameter;
    forming the second leakage parameter analysis model using the following formula:
    $P(S) = P(S') \cdot P(L_m) \cdot P(D_n) \cdot P(S_i)$,
    where the value of $P(S')$ is taken from the basic parameter table, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment parameter table.
  5. The password strength calculation method according to claim 4, wherein the formula of the password strength calculation model is:
    Figure PCTCN2019102812-appb-100002
    where α is the password to be evaluated, Θ is the randomly generated batch of passwords, n is the number of passwords in the randomly generated batch, p(·) is the calculated parameter of a password, and $C_\Delta$ is the number of guesses calculated for the password to be evaluated, that is, the password strength value.
  6. The password strength calculation method according to claim 2, wherein performing structural analysis on the real passwords and virtual passwords comprises:
    obtaining the structure $L_m D_n S_i$ of the real passwords and virtual passwords by counting the number of letters, numbers and/or symbols they contain, where L denotes letters, D denotes numbers, S denotes symbols, and m, n and i are natural numbers denoting the number of letters, numbers and symbols, respectively, in the real passwords and virtual passwords.
  7. The password strength calculation method according to claim 1, wherein the preset password strength calculation model is the Monte Carlo method.
  8. A password strength calculation device, characterized in that the device comprises a memory and a processor, the memory stores a password strength calculation program that can run on the processor, and the password strength calculation program, when executed by the processor, implements the following steps:
    collecting real passwords leaked from the network and virtual passwords of preset types, and calculating the leakage parameters of the real passwords and virtual passwords through a preset first leakage parameter analysis model, where the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols;
    performing structural analysis on the real passwords and virtual passwords, and constructing a second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters;
    randomly generating a batch of passwords, and using the second leakage parameter analysis model to calculate the leakage parameters of the randomly generated batch of passwords;
    using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords to calculate the password strength value of the password to be analyzed that the user inputs.
  9. The password strength calculation device according to claim 8, wherein the preset first leakage parameter analysis model is a Markov model, and the collecting of real passwords leaked from the network and virtual passwords of preset types and the calculating of the leakage parameters of the real passwords and virtual passwords through the preset first leakage parameter analysis model comprise:
    constructing an n-gram database using the real passwords and the virtual passwords;
    selecting a password S from the n-gram database, the password S consisting of the character sequence $\{W_1, W_2, \ldots, W_m\}$, where n and m are positive integers greater than 2;
    according to the Markov model, using the first n-1 characters of the password S to estimate the parameter of the n-th character of the password:
    $P(W_n \mid W_1, \ldots, W_{n-1}) = P(W_n \mid W_{n-i+1}, \ldots, W_{n-1})$, where i is a positive integer smaller than n and m;
    obtaining the parameter of the password S arranged according to the above character sequence:
    $P(S) = P(W_1 W_2 \ldots W_m) = P(W_1) P(W_2 \mid W_1) \cdots P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$,
    where $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ refers to the parameter with which $W_m$ appears given that the string $W_{m-i+1}, \ldots, W_{m-1}$ has appeared;
    obtaining the leakage parameter of the password S by maximum likelihood calculation over a large number of passwords, the leakage parameter of the password S being expressed as:
    Figure PCTCN2019102812-appb-100003
  10. The password strength calculation device according to claim 8, wherein performing structural analysis on the real passwords and virtual passwords comprises:
    obtaining the structure $L_m D_n S_i$ of the real passwords and virtual passwords by counting the number of letters, numbers and/or symbols they contain, where L denotes letters, D denotes numbers, S denotes symbols, and m, n and i are natural numbers denoting the number of letters, numbers and symbols, respectively, in the real passwords and virtual passwords.
  11. The password strength calculation device according to claim 10, wherein constructing the second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters comprises:
    generating a basic parameter table according to the structure of each real password and the corresponding leakage parameter;
    generating a segment parameter table according to the structure of each virtual password and the corresponding leakage parameter;
    forming the second leakage parameter analysis model using the following formula:
    $P(S) = P(S') \cdot P(L_m) \cdot P(D_n) \cdot P(S_i)$,
    where the value of $P(S')$ is taken from the basic parameter table, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment parameter table.
  12. The password strength calculation device according to claim 11, wherein the formula of the password strength calculation model is:
    Figure PCTCN2019102812-appb-100004
    where α is the password to be evaluated, Θ is the randomly generated batch of passwords, n is the number of passwords in the randomly generated batch, p(·) is the calculated parameter of a password, and $C_\Delta$ is the number of guesses calculated for the password to be evaluated, that is, the password strength value.
  13. The password strength calculation device according to claim 9, wherein performing structural analysis on the real passwords and virtual passwords comprises:
    obtaining the structure $L_m D_n S_i$ of the real passwords and virtual passwords by counting the number of letters, numbers and/or symbols they contain, where L denotes letters, D denotes numbers, S denotes symbols, and m, n and i are natural numbers denoting the number of letters, numbers and symbols, respectively, in the real passwords and virtual passwords.
  14. The password strength calculation device according to claim 8, wherein the preset password strength calculation model is the Monte Carlo method.
  15. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a password strength calculation program, and the password strength calculation program, when executed by a processor, can implement the following steps:
    collecting real passwords leaked from the network and virtual passwords of preset types, and calculating the leakage parameters of the real passwords and virtual passwords through a preset first leakage parameter analysis model, where the real passwords include letters, numbers and/or symbols, and the virtual passwords include pure letters, pure letters or pure symbols;
    performing structural analysis on the real passwords and virtual passwords, and constructing a second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters;
    randomly generating a batch of passwords, and using the second leakage parameter analysis model to calculate the leakage parameters of the randomly generated batch of passwords;
    using a preset password strength calculation model and the leakage parameters of the randomly generated batch of passwords to calculate the password strength value of the password to be analyzed that the user inputs.
  16. The computer-readable storage medium according to claim 15, wherein the preset first leakage parameter analysis model is a Markov model, and the collecting of real passwords leaked from the network and virtual passwords of preset types and the calculating of the leakage parameters of the real passwords and virtual passwords through the preset first leakage parameter analysis model comprise:
    constructing an n-gram database using the real passwords and the virtual passwords;
    selecting a password S from the n-gram database, the password S consisting of the character sequence $\{W_1, W_2, \ldots, W_m\}$, where n and m are positive integers greater than 2;
    according to the Markov model, using the first n-1 characters of the password S to estimate the parameter of the n-th character of the password:
    $P(W_n \mid W_1, \ldots, W_{n-1}) = P(W_n \mid W_{n-i+1}, \ldots, W_{n-1})$, where i is a positive integer smaller than n and m;
    obtaining the parameter of the password S arranged according to the above character sequence:
    $P(S) = P(W_1 W_2 \ldots W_m) = P(W_1) P(W_2 \mid W_1) \cdots P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$,
    where $P(W_m \mid W_{m-i+1}, \ldots, W_{m-1})$ refers to the parameter with which $W_m$ appears given that the string $W_{m-i+1}, \ldots, W_{m-1}$ has appeared;
    obtaining the leakage parameter of the password S by maximum likelihood calculation over a large number of passwords, the leakage parameter of the password S being expressed as:
    Figure PCTCN2019102812-appb-100005
  17. The computer-readable storage medium according to claim 15, wherein performing structural analysis on the real passwords and virtual passwords comprises:
    obtaining the structure $L_m D_n S_i$ of the real passwords and virtual passwords by counting the number of letters, numbers and/or symbols they contain, where L denotes letters, D denotes numbers, S denotes symbols, and m, n and i are natural numbers denoting the number of letters, numbers and symbols, respectively, in the real passwords and virtual passwords.
  18. The computer-readable storage medium according to claim 17, wherein constructing the second leakage parameter analysis model according to the structure of the real passwords and virtual passwords and the calculated leakage parameters comprises:
    generating a basic parameter table according to the structure of each real password and the corresponding leakage parameter;
    generating a segment parameter table according to the structure of each virtual password and the corresponding leakage parameter;
    forming the second leakage parameter analysis model using the following formula:
    $P(S) = P(S') \cdot P(L_m) \cdot P(D_n) \cdot P(S_i)$,
    where the value of $P(S')$ is taken from the basic parameter table, and the values of $P(L_m)$, $P(D_n)$ and $P(S_i)$ are taken from the segment parameter table.
  19. The computer-readable storage medium according to claim 18, wherein the formula of the password strength evaluation model is:
    Figure PCTCN2019102812-appb-100006
    where α is the password to be evaluated, Θ is the randomly generated batch of passwords, n is the number of passwords in the randomly generated batch, p(·) is the estimated probability of a password, and $C_\Delta$ is the number of guesses estimated for the password to be evaluated, that is, the password strength value.
  20. The computer-readable storage medium according to claim 15, wherein the preset password strength calculation model is the Monte Carlo method.
PCT/CN2019/102812 2019-04-08 2019-08-27 Method and apparatus for calculating password strength, and computer-readable storage medium WO2020206909A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910274077.0 2019-04-08
CN201910274077.0A CN110110518B (en) 2019-04-08 2019-04-08 Password strength evaluation method, device and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2020206909A1 (en) 2020-10-15

Family

ID=67485258

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/102812 WO2020206909A1 (en) 2019-04-08 2019-08-27 Method and apparatus for calculating password strength, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN110110518B (en)
WO (1) WO2020206909A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110110518B (en) * 2019-04-08 2024-01-19 平安科技(深圳)有限公司 Password strength evaluation method, device and computer readable storage medium
CN111353147B (en) * 2020-03-11 2023-03-03 鹏城实验室 Password strength evaluation method, device, equipment and readable storage medium
CN112257433B (en) * 2020-12-23 2021-05-14 四川大学 Password dictionary generation method and system based on Markov chain and neural network
CN113032765A (en) * 2021-04-29 2021-06-25 中国工商银行股份有限公司 Password authentication method, device and equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9577827B2 (en) * 2012-09-25 2017-02-21 Sony Corporation Information processing device, information processing method, and program
CN106934275A (en) * 2017-01-22 2017-07-07 华东师范大学 A kind of password intensity evaluating method based on personal information
CN108509790A (en) * 2018-03-14 2018-09-07 华东师范大学 A kind of password strength assessment method based on group
CN110110518A (en) * 2019-04-08 2019-08-09 平安科技(深圳)有限公司 Password strength assessment method, apparatus and computer readable storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107122479B (en) * 2017-05-03 2020-08-04 西安交通大学 User password guessing system based on deep learning
CN107947921A (en) * 2017-11-22 2018-04-20 上海交通大学 Based on recurrent neural network and the password of probability context-free grammar generation system
CN109145582B (en) * 2018-06-05 2021-07-23 中国科学院信息工程研究所 Password guess set generation method based on byte pair encoding, password cracking method and device

Also Published As

Publication number Publication date
CN110110518B (en) 2024-01-19
CN110110518A (en) 2019-08-09

Similar Documents

Publication Publication Date Title
WO2020206909A1 (en) Method and apparatus for calculating password strength, and computer-readable storage medium
US20200159909A1 (en) Systems and methods evaluating password complexity and strength
Golla et al. On the accuracy of password strength meters
AU2017408801B2 (en) User keyword extraction device and method, and computer-readable storage medium
Ma et al. A study of probabilistic password models
WO2019184217A1 (en) Hotspot event classification method and apparatus, and storage medium
US9367879B2 (en) Determining influence in a network
US8539247B2 (en) Password checking
WO2019227716A1 (en) Method for generating influenza prediction model, apparatus, and computer readable storage medium
CN112541338A (en) Similar text matching method and device, electronic equipment and computer storage medium
CN113821622B (en) Answer retrieval method and device based on artificial intelligence, electronic equipment and medium
CN114782237A (en) Watermark generation method, device and equipment based on pattern coding and storage medium
CN114861746A (en) Anti-fraud identification method and device based on big data and related equipment
CN113706322A (en) Service distribution method, device, equipment and storage medium based on data analysis
WO2019095568A1 (en) Enterprise abbreviation generation method and device, and storage medium
Houshmand et al. Using personal information in targeted grammar-based probabilistic password attacks
Zhang et al. Deep learning for password guessing and password strength evaluation, A survey
CN112329443B (en) Method, device, computer equipment and medium for determining new words
US20150339786A1 (en) Forensic system, forensic method, and forensic program
Wang et al. Password guessing using random forest
CN116578690B (en) Insurance customer service method and system based on artificial intelligence
He et al. Password enhancement based on Semantic Transformation
CN113051475B (en) Content recommendation method, device, electronic equipment and readable storage medium
CN113886784B (en) Password guessing method for improving guessing efficiency of small training set based on corpus
Wu A Novel Weak Deduction Password Strength Meter of Chinese Websites

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19923954; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19923954; Country of ref document: EP; Kind code of ref document: A1)