DOI: 10.1145/2976749.2978339
Research article

Targeted Online Password Guessing: An Underestimated Threat

Published: 24 October 2016

ABSTRACT

While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service by exploiting the victim's personal information, such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, since the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on a different kind of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. In particular, TarGuess-I to IV capture the four most representative scenarios, and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% against security-savvy users and by 72% against normal users; and (3) both TarGuess-III and IV achieve success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when the attacker is given one of the victim's sister passwords and some PII.
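The abstract's point for a defender is that online guessing is bounded by whatever budget the server's lockout or throttling policy grants, and the paper's results are reported against a 100-guess budget. The following is an added example written for this page, not code from the paper or its authors: a per-account sliding-window failure counter with a hard lockout, the kind of control that decides how many of an attacker's ranked candidates ever get evaluated. The class and constant names (GuessThrottle, MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS), the credential store and the candidate list are all assumptions constructed for the example.

```python
"""Added example (not from the paper): a per-account online guessing throttle.

Policy: at most MAX_FAILURES verified-and-wrong attempts per account within
WINDOW_SECONDS; reaching the budget locks the account for LOCKOUT_SECONDS,
during which no candidate is verified at all (so a locked account leaks
nothing about whether a guess was right). All names are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
import hmac
import time

MAX_FAILURES = 10        # verified-wrong attempts allowed per window
WINDOW_SECONDS = 3600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900    # hard lockout once the budget is exhausted


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class GuessThrottle:
    """Wraps a verifier(username, password) -> bool with a guess budget."""

    def __init__(self, verifier, clock=time.monotonic):
        self._verify = verifier
        self._clock = clock          # injectable so tests can drive time
        self._state = {}             # username -> AccountState

    def _prune(self, st, now):
        # Drop failures that have aged out of the sliding window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()

    def attempt(self, username, password):
        """Return 'ok', 'denied' (verified, wrong) or 'locked' (not verified)."""
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        self._prune(st, now)
        if self._verify(username, password):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            # Budget spent: lock and reset the window counter.
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
        return "denied"

    def remaining_budget(self, username):
        """Guesses this account can still absorb before lockout (0 while locked)."""
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return 0
        self._prune(st, now)
        return MAX_FAILURES - len(st.failures)


# Constructed credential store. Plaintext only to keep the example short;
# a real service verifies against salted password hashes.
_CREDENTIALS = {"alice": "Summer2016!"}


def _verify(username, password):
    stored = _CREDENTIALS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def simulate_guessing(candidates, username="alice"):
    """Feed a ranked candidate list through the throttle at one guess per second.

    Returns (evaluated, found): how many candidates were actually verified before
    the lockout cut the run short, and whether the correct one was among them.
    """
    t = [0.0]
    throttle = GuessThrottle(_verify, clock=lambda: t[0])
    evaluated = 0
    for guess in candidates:
        t[0] += 1.0
        result = throttle.attempt(username, guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


# Constructed 100-candidate list with the real password ranked 50th.
SAMPLE_CANDIDATES = [f"candidate{i}" for i in range(100)]
SAMPLE_CANDIDATES[49] = "Summer2016!"

if __name__ == "__main__":
    print(simulate_guessing(SAMPLE_CANDIDATES))  # (10, False)
```

With a 10-attempt budget the 50th-ranked candidate is never evaluated, which is exactly why the paper measures success within a small fixed number of guesses: the attacker's ranking only matters up to the budget the server enforces.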


Published in: CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN: 9781450341394. DOI: 10.1145/2976749.

Copyright © 2016 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 24 October 2016


Acceptance rates: CCS '16 accepted 137 of 831 submissions (16%); the overall acceptance rate is 1,261 of 6,999 submissions (18%).
