Targeted Online Password Guessing: An Underestimated Threat | |
Wang, Ding ; Zhang, Zijian ; Wang, Ping ; Yan, Jeff ; Huang, Xinyi | |
2016 | |
关键词 | Password authentication Targeted online guessing Personal information Password reuse Probabilistic model |
英文摘要 | While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information such as one sister password leaked from her another account and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I similar to IV capture the four most representative scenarios and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% on security-savvy users and by 72% against normal users; and (3) Both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.; CPCI-S(ISTP); wangdingg@pku.edu.cn; zhangzj@pku.edu.cn; pwang@pku.edu.cn; jeff.yan@lancaster.ac.uk; xyhuang81@gmail.com; 1242-1254 |
语种 | 英语 |
出处 | 23rd ACM Conference on Computer and Communications Security (CCS) |
DOI标识 | 10.1145/2976749.2978339 |
内容类型 | 其他 |
源URL | [http://ir.pku.edu.cn/handle/20.500.11897/460041] |
专题 | 信息科学技术学院 |
推荐引用方式 GB/T 7714 | Wang, Ding,Zhang, Zijian,Wang, Ping,et al. Targeted Online Password Guessing: An Underestimated Threat. 2016-01-01. |
个性服务 |
查看访问统计 |
相关权益政策 |
暂无数据 |
收藏/分享 |
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。
修改评论