OMEN: Faster Password Guessing Using an Ordered Markov Enumerator

Dürmuth, Markus; Angelstorf, Fabian; Castelluccia, Claude; Perito, Daniele; Chaabane, Abdelberi

doi:10.1007/978-3-319-15618-7_10

Cited by 68 publications

(58 citation statements)

References 14 publications

(22 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Modern password crackers have been proven to be effective in efficiently guessing a large number of passwords. Notable example of password crackers use various artificial intelligence techniques such as Probabilistic Context-Free Grammar (PCFG) [18,19], Ordered Markov Enumerators (OME) [20], and Artificial Neural Networks (ANNs) [21]. These recent development in password cracking has motivated the investigation of alternative primary authentication systems.…”

Section: Related Workmentioning

confidence: 99%

Geographical Security Questions for Fallback Authentication

Addas

Salehi‐Abari

Thorpe

2019

2019 17th International Conference on Privacy, Security and Trust (PST)

View full text Add to dashboard Cite

Fallback authentication is the backup authentication method used when the primary authentication method (e.g., passwords, fingerprints, etc.) fails. Currently, widely-deployed fallback authentication methods (e.g., security questions, email resets, and SMS resets) suffer from documented security and usability flaws that threaten the security of accounts. These flaws motivate us to design and study Geographical Security Questions (GeoSQ), a system for fallback authentication. GeoSQ is an Android application that utilizes autobiographical location data for fallback authentication. We performed security and usability analyses of GeoSQ through an in-person two-session lab study (n=36, 18 pairs). Our results indicate that GeoSQ exceeds the security of its counterparts, while its usability (specifically login time) has room for improvement.

show abstract

Section: Related Workmentioning

confidence: 99%

Geographical Security Questions for Fallback Authentication

Addas

Salehi‐Abari

Thorpe

2019

2019 17th International Conference on Privacy, Security and Trust (PST)

View full text Add to dashboard Cite

show abstract

“…Weak passwords is also a widely known problem. The strength of user-chosen passwords against password guessing attacks has been studied since the early times of password-based authentication [8], [56], [40] Current techniques for password guessing are Markov models [44], [21], [37] and probabilistic context-free grammars [55]; stateof-the-art tools include John the Ripper [51] and HashCat [52]. Historically, the strength of passwords against guessing attacks has been assessed by using password crackers to find weak passwords [42].…”

Section: Related Workmentioning

confidence: 99%

Who Are You? A Statistical Approach to Measuring User Authenticity

Jain

Freeman²,

Biggio

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

129

View full text Add to dashboard Cite

Abstract-Passwords are used for user authentication by almost every Internet service today, despite a number of wellknown weaknesses. Numerous attempts to replace passwords have failed, in part because changing users' behavior has proven to be difficult. One approach to strengthening password-based authentication without changing user experience is to classify login attempts into normal and suspicious activity based on a number of parameters such as source IP, geo-location, browser configuration, and time of day. For the suspicious attempts, the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by a number of Internet services but have never been studied publicly. In this work, we perform the first public evaluation of a classification system for user authentication. In particular:(i) We develop a statistical framework for identifying suspicious login attempts. (ii) We develop a fully functional prototype implementation that can be evaluated efficiently on large datasets. (iii) We validate our system on a sample of real-life login data from LinkedIn as well as simulated attacks, and demonstrate that a majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users. (iv) We provide a systematic study of possible attackers against such a system, including attackers targeting the classifier itself.

show abstract

“…With PCFGs, Weir et al [92] demonstrated how to "learn" these rules from password distributions. Ma et al [49] and Durmuth et al [20] have subsequently extended this early work.…”

Section: Password Guessingmentioning

confidence: 90%

PassGAN: A Deep Learning Approach for Password Guessing

Hitaj

Gasti

Ateniese

et al. 2019

Applied Cryptography and Network Security

151

114

View full text Add to dashboard Cite

State-of-the-art password guessing tools, such as HashCat and John the Ripper, enable users to check billions of passwords per second against password hashes. In addition to performing straightforward dictionary attacks, these tools can expand password dictionaries using password generation rules, such as concatenation of words (e.g., "password123456") and leet speak (e.g., "password" becomes "p4s5w0rd"). Although these rules work well in practice, expanding them to model further passwords is a laborious task that requires specialized expertise.To address this issue, in this paper we introduce PassGAN, a novel approach that replaces human-generated password rules with theory-grounded machine learning algorithms. Instead of relying on manual password analysis, PassGAN uses a Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses. Our experiments show that this approach is very promising. When we evaluated PassGAN on two large password datasets, we were able to surpass rule-based and state-of-the-art machine learning password guessing tools. However, in contrast with the other tools, PassGAN achieved this result without any a-priori knowledge on passwords or common password structures. Additionally, when we combined the output of PassGAN with the output of HashCat, we were able to match 51%-73% more passwords than with HashCat alone. This is remarkable, because it shows that PassGAN can autonomously extract a considerable number of password properties that current state-of-the art rules do not encode.

show abstract

OMEN: Faster Password Guessing Using an Ordered Markov Enumerator

Cited by 68 publications

References 14 publications

Geographical Security Questions for Fallback Authentication

Geographical Security Questions for Fallback Authentication

Who Are You? A Statistical Approach to Measuring User Authenticity

PassGAN: A Deep Learning Approach for Password Guessing

Contact Info

Product

Resources

About