The University of Southampton
University of Southampton Institutional Repository

Targeted online password guessing: an underestimated threat

Wang, Ding, Zhang, Zijian, Wang, Ping, Yan, Jeff and Huang, Xinyi (2016) Targeted online password guessing: an underestimated threat. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. vol. 24-28-October-2, Association for Computing Machinery. pp. 1242-1254 . (doi:10.1145/2976749.2978339).

Record type: Conference or Workshop Item (Paper)

Abstract

While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service by exploiting the victim's personal information, such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, since the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on a different kind of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. In particular, TarGuess I∼IV capture the four most representative scenarios, and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% against security-savvy users and by 72% against normal users; and (3) both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.

This record has no associated files available for download.

More information

Published date: 24 October 2016
Additional Information: Publisher Copyright: © 2016 ACM.
Venue - Dates: 23rd ACM Conference on Computer and Communications Security, CCS 2016, Vienna, Austria, 2016-10-24 - 2016-10-28
Keywords: Password authentication, Password reuse, Personal information, Probabilistic model, Targeted online guessing

Identifiers

Local EPrints ID: 500865
URI: http://eprints.soton.ac.uk/id/eprint/500865
ISSN: 1543-7221
PURE UUID: 1e5ba5ad-95b2-47b7-a94a-2842c6026c90

Catalogue record

Date deposited: 14 May 2025 16:51
Last modified: 14 May 2025 16:51

Contributors

Author: Ding Wang
Author: Zijian Zhang
Author: Ping Wang
Author: Jeff Yan
Author: Xinyi Huang
