中文摘要：

身份认证是确保信息系统安全的第一道防线，口令是应用最为广泛的身份认证方法.尽管口令存在众多的安全性和可用性缺陷，大量的新型认证技术陆续被提出，但由于口令具有简单易用、成本低廉、容易更改等特性，在可预见的未来仍将是最主要的认证方法.因此，口令近年来引起了国内外学者的广泛关注，涌现出了一大批关于口令安全性的研究成果.从用户生成口令时的脆弱行为入手，介绍了中英文用户口令的特征、分布和重用程度；总结了近30年来提出的几个主流口令猜测算法，并根据它们所依赖的攻击对象的信息不同进行了分类；然后，回顾了当前广泛使用的基于统计学的口令策略强度评价标准；此外，对比了当前主流的几个口令强度评价器.最后，对当前研究现状进行了总结，并对未来研究方向进行了展望.

英文摘要：

Identity authentication is the first line of defense for information systems? and passwords are the most widely used authentication method. Though there are a number of issues in passwords regarding security and usability, and various alternative authentication methods have also been successively proposed, password-based authentication will remain the dominant method in the foreseeable future due to its simplicity, low cost and easiness to change. Thus, this topic has attracted extensive interests from worldwide researchers, and many important results have been revealed. This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics, distribution and reuse rate. Next we summarize the primary cracking algorithms thathave appeared in the past 30 years, and classify them into groups in terms of the difference independence on what information is exploited by the attacker. Then, we revisit the various statisticalbasedevaluation metrics for measuring the strength of password distributions. Further, we comparethe state-of-the-art password strength meters. Finally? we summarize our results and outline some future research trends.