DOI: 10.1145/2976749.2978339

Targeted Online Password Guessing: An Underestimated Threat

Published: 24 October 2016

Abstract

While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service by exploiting the victim's personal information, such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, since the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each based on a different kind of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. In particular, TarGuess-I to IV capture the four most representative scenarios, and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% against security-savvy users and by 72% against normal users; and (3) both TarGuess-III and IV attain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV address, for the first time, the issue of cross-site online guessing when given the victim's one sister password and some PII.

Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016
1924 pages
ISBN:9781450341394
DOI:10.1145/2976749
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. password authentication
  2. password reuse
  3. personal information
  4. probabilistic model
  5. targeted online guessing

Qualifiers

  • Research-article

Funding Sources

  • National Key Research and Development Plan
  • National Natural Science Foundation of China

Conference

CCS'16

Acceptance Rates

CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
