Stolen passwords integrated into the ultimate dictionary attack

Humans still the weakest link


Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes.

In a paper [PDF] presented at the ACM Conference of Communication and Systems Security (CCS) in late October, security researchers from China and the UK describe a system for targeted password guessing that finds that a sizable fraction of people's online passwords are vulnerable to attack.

The researchers – Ding Wang, Zijian Zhang and Ping Wang from Peking University, Jeff Yan of Lancaster University, and Xinyi Huang from Fujian Normal University – claim that this threat is significantly underestimated.

Using a targeted password-guessing framework named TarGuess, the researchers achieved success rates as high as 73 per cent with just 100 guesses against typical users, and as high as 32 per cent against security-savvy users.

The researchers used ten large real-world password datasets that have been exposed online, five from English sites, including Yahoo, and five from Chinese sites, including Dodonew.

"Our results suggest that the currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected," the researchers state in their paper. "We believe that the new algorithms and knowledge of effectiveness of targeted guessing models can shed light on both existing password practice and future password research."

More or less everyone in the computer security industry and many internet users are aware that passwords offer inadequate security when poorly constructed. As the report notes, between 0.79 per cent and 10.44 per cent of user-chosen passwords, depending on the sample breach data set, can be guessed using the ten most popular passwords, a list that includes perennial favorites "12345" and "password."

Low-hanging fruit aside, the researchers note that a small percentage of people use their personal information in their passwords. Between 0.75 per cent and 1.87 per cent of individuals use their full names as their passwords, for instance. Among users in China, where numbers are commonly used in passwords, between 1 per cent and 5.16 per cent use their birthdays as passwords. Email addresses and usernames also get used.
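The personal-data patterns described above are exactly what a registration-time password check can flag before an account is created. The following is an added example, not code from the paper or from The Register; the top-password list is a constructed stand-in for the ten-entry list the article cites, and the birthday and name formats it checks are assumptions about how people typically embed such data.

```python
import re
from datetime import date
from typing import List, Optional, Set

# Constructed stand-in for the "ten most popular passwords" list the article cites.
COMMON_PASSWORDS = {"123456", "12345", "password", "123456789", "qwerty", "111111"}


def birthday_tokens(birthday: date) -> Set[str]:
    """Digit strings a user is likely to derive from a birthday (assumed formats)."""
    y, m, d = f"{birthday.year}", f"{birthday.month:02d}", f"{birthday.day:02d}"
    return {y + m + d, y[2:] + m + d, m + d + y, d + m + y,
            m + d + y[2:], d + m + y[2:], m + d, d + m, y}


def name_tokens(full_name: str) -> Set[str]:
    """Lower-cased name parts of length >= 3 plus the whole name run together."""
    parts = [p.lower() for p in re.split(r"\s+", full_name.strip()) if p]
    toks = {p for p in parts if len(p) >= 3}
    if len(parts) > 1:
        toks.add("".join(parts))
    return toks


def personal_info_hits(password: str, full_name: str = "", username: str = "",
                       email: str = "", birthday: Optional[date] = None) -> List[str]:
    """Return a label for every way the password leans on public personal data.

    An empty list means none of the checked patterns were found; a non-empty
    list is what a defender would use to reject the password or warn the user.
    """
    pw = password.lower()
    hits: List[str] = []
    if pw in COMMON_PASSWORDS:
        hits.append("common-password")
    if any(tok in pw for tok in name_tokens(full_name)):
        hits.append("name")
    if len(username) >= 3 and username.lower() in pw:
        hits.append("username")
    local_part = email.lower().split("@")[0]          # part before the '@'
    if len(local_part) >= 3 and local_part in pw:
        hits.append("email")
    if birthday and any(tok in pw for tok in birthday_tokens(birthday)):
        hits.append("birthday")
    return hits
```

The checks are substring-based, so a name or birthday embedded inside a longer password is still caught; a four-digit year or MMDD token can occasionally match by coincidence, which is an acceptable false positive for a warning but worth keeping in mind for a hard reject.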

What's more, people often reuse passwords, in whole or in part. And thanks to security breaches that have resulted in the exposure of personal information for hundreds of millions of online accounts, this research shows that it's sometimes possible to use publicly accessible data about an individual, from hacked accounts or otherwise, to gain access to other accounts used by that person.

The researchers' TarGuess algorithms – they built four of them – proved most successful when "sister" passwords – passwords for another account owned by the target – were known. But even when sister passwords were not available, they still achieved success rates ranging from 20 per cent with 100 guesses to 50 per cent with 10^6 guesses.

The researchers achieved higher success rates when more user information was available to them: They were able to guess the passwords of users of Chinese train ticketing site 12306 about 20 per cent of the time when they knew users' email addresses, account names, birthdays, phone numbers, and national identity numbers. The success rate dropped to about 6 per cent when only users' names were known.

"This suggests that the majority of normal users' passwords are prone to a small number of targeted online guesses," the researchers said, noting that this invalidates 2016 NIST guidance that service providers should limit the number of consecutive failed login attempts to 100 each month.

The findings underscore the need for education about how to create strong passwords, and about tools like password managers that allow people to maintain dozens of sufficiently long, complicated codes that have no common patterns. ®
