How Viable is Password Cracking in Digital Forensic Investigation? Analyzing the Guessability of over 3.9 Billion Real-World Accounts

Kanta, Aikaterini; Coray, Sein; Coisel, Iwen; Scanlon, Mark

Publication Date:  July 2021

Publication Name:  Forensic Science International: Digital Investigation

Abstract:   Passwords have been and still remain the most common method of authentication in computer systems. These systems are therefore privileged targets of attackers, and the number of data breaches in the last few years attests to that. A detailed analysis of such data can provide insight on password trends and patterns users follow when they create a password. To this end, this paper presents the largest and most comprehensive analysis of real-world passwords to date – associated with over 3.9 billion accounts from Have I Been Pwned. This analysis includes statistics on use and most common patterns found in passwords and innovates with a breakdown of the constituent fragments that make each password. Furthermore, a classification of these fragments according to their semantic meaning, provides insight on the role of context in password selection. Finally, we provide an in-depth analysis on the guessability of these real-world passwords.

Download Paper:

Download Paper as PDF

BibTeX Entry:


      @article{kanta2021PasswordCracking3Billion,
author={Kanta, Aikaterini and Coray, Sein and Coisel, Iwen and Scanlon, Mark},
title="{How Viable is Password Cracking in Digital Forensic Investigation? Analyzing the Guessability of over 3.9 Billion Real-World Accounts}",
journal="{Forensic Science International: Digital Investigation}",
volume = {37},
pages = {301186},
year=2021,
month=07,
publisher={Elsevier},
doi = {https://doi.org/10.1016/j.fsidi.2021.301186},
url = {https://www.sciencedirect.com/science/article/pii/S2666281721000949},
abstract={Passwords have been and still remain the most common method of authentication in computer systems. These systems are therefore privileged targets of attackers, and the number of data breaches in the last few years attests to that. A detailed analysis of such data can provide insight on password trends and patterns users follow when they create a password. To this end, this paper presents the largest and most comprehensive analysis of real-world passwords to date – associated with over 3.9 billion accounts from Have I Been Pwned. This analysis includes statistics on use and most common patterns found in passwords and innovates with a breakdown of the constituent fragments that make each password. Furthermore, a classification of these fragments according to their semantic meaning, provides insight on the role of context in password selection. Finally, we provide an in-depth analysis on the guessability of these real-world passwords.}
}