A study of personal information in human-chosen passwords and its security implications

Zhang

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

et al. 2016

261

221

While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information such as one sister password leaked from her another account and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small.We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I∼IV capture the four most representative scenarios and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% on security-savvy users and by 72% against normal users; and (3) Both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.

Section: Related Workmentioning

confidence: 99%

Section: Explication Of Personal Informationmentioning

confidence: 99%

Section: Password Containing Personal Infomentioning

confidence: 99%

See 1 more Smart Citation

Targeted Online Password Guessing

Zhang

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

et al. 2016

261

221

Human Aspects of Information Security, Privacy and Trust

“…Much research [13,16,23,30,33] has therefore been done to develop more robust PSMs so that the estimated password strength matches the actual risk against password crackers better.…”

Section: Related Workmentioning

confidence: 99%

PSV (Password Security Visualizer): From Password Checking to User Education

Aljaffan

Yuan

2017

Abstract. This paper presents the Password Security Visualizer (PSV), an interactive visualization system specifically designed for password security education. PSV can be seen as a reconfigurable "box" containing different proactive password checkers (PPCs) and visualizers of password security information, allowing it to be used like a "many in one" or "hybrid" PPC. PSV can provide many new features that do not exist in traditional PPCs, thus having a greater potential to achieve its goals of educating users. Using purely client-side Web-based technologies, we implemented a prototype of PSV as an open-source software tool on a 2-D animated canvas. To evaluate the actual performance of our implemented PSV prototype against traditional PPCs, we conducted a semistructured interview involving 20 human participants. Our qualitative analysis of the results showed that PSV was considered the most informative and recommended by most participants as a good educational tool. To the best of our knowledge, PSV is the first system combining different PPCs together for user education, and the user study is the first of this kind on comparing educational effectiveness of different PPCs (and PPC-like password security tools such as PSV).

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

“…Though prior work[33,46] suggests knowledge of only username can improve efficacy of guessing user passwords, the improvement is minimal. See Appendix A for more on this analysis.…”

mentioning

confidence: 99%

Protocols for Checking Compromised Credentials

Pal

Ali³

et al. 2019

To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches. Recently, some web services, such as HaveIBeenPwned (HIBP) and Google Password Checkup (GPC), have started providing APIs to check for breached passwords. We refer to such services as compromised credential checking (C3) services. We give the first formal description of C3 services, detailing different settings and operational requirements, and we give relevant threat models.One key security requirement is the secrecy of a user's passwords that are being checked. Current widely deployed C3 services have the user share a small prefix of a hash computed over the user's password. We provide a framework for empirically analyzing the leakage of such protocols, showing that in some contexts knowing the hash prefixes leads to a 12x increase in the efficacy of remote guessing attacks. We propose two new protocols that provide stronger protection for users' passwords, implement them, and show experimentally that they remain practical to deploy.