Targeted online password guessing : an underestimated threat

Wang, Ding and Zhang, Zijian and Wang, Ping and Yan, Jeff and Huang, Xinyi; (2016) Targeted online password guessing : an underestimated threat. In: CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security . Association for Computing Machinery, AUT, pp. 1242-1254. ISBN 9781450341394 (https://doi.org/10.1145/2976749.2978339)

Preview

Text. Filename: Wang_etal_CCS2016_Targeted_online_password_guessing.pdf Accepted Author Manuscript Download (3MB)| Preview

Abstract

While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information such as one sister password leaked from her another account and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I∼IV capture the four most representative scenarios and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% on security-savvy users and by 72% against normal users; and (3) Both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.

• Share and Export
  

  RDF+XMLBibTeXRIOXX2 XMLRDF+N-TriplesJSONDublin CoreAtomSimple MetadataReferMETSHTML CitationASCII CitationOpenURL ContextObjectEndNoteOpenURL ContextObject in SpanMODSMPEG-21 DIDLEP3 XMLData Cite XMLRIS (EndNote Online, Zotero, Ref manager, etc)RDF+N3Multiline CSV
• Item metadata

  Item type:	Book Section
  ID code:	79325
  Dates:	Date Event 24 October 2016 Published 8 July 2016 Accepted
  Notes:	Funding Information: The authors are grateful to the anonymous reviewers for their constructive comments. We also give our special thanks to Dinei Flor?ncio, Cormac Herley, Hugo Krawczyk, Haining Wang, Yue Li, Joseph Gardiner, Haibo Cheng and Qianchen Gu for their insightful suggestions and invaluable help. Ping Wang is the corresponding author. This research was in part supported by the National Natural Science Foundation of China (NSFC) under Grants Nos. 61472016 and 61472083, and by the National Key Research and Development Plan under Grant No. 2016YFB0800600. Publisher Copyright: © 2016 ACM.
  Subjects:	Science > Mathematics > Electronic computers. Computer science
  Department:	Faculty of Science > Computer and Information Sciences
  Depositing user:	Pure Administrator
  Date deposited:	27 Jan 2022 11:25
  Last modified:	15 Nov 2024 01:20
  Related URLs:	Scopus publication Related item
  URI:	https://strathprints.strath.ac.uk/id/eprint/79325