Abstract

TarGuess-I is a leading online targeted password guessing model that uses users' personally identifiable information (PII), proposed at ACM CCS 2016 by Wang et al. It has attracted widespread attention in password security owing to its superior guessing performance. Yet, after analyzing users' vulnerable behaviors of choosing popular passwords and building passwords from their PII, we find that this model does not take into account popular passwords, keyboard patterns, and special strings. Special strings are strings related to a user that do not appear in the user's demographic information. Thus, we propose TarGuess-I+KPX, a modified password guessing model with three semantic methods: (1) identifying popular passwords by generating top-300 lists from similar websites, (2) recognizing keyboard patterns by the relative position of keys, and (3) catching special strings by extracting continuous character runs from user-generated PII. We conduct a series of evaluations on six large-scale real-world leaked password datasets. The experimental results show that our modified model outperforms TarGuess-I by 2.62% within 100 guesses.

Highlights

  • Password-based authentication is still an essential method in cybersecurity [1]

  • After analyzing users' vulnerable behaviors in constructing passwords across a total of 163,041,192 publicly leaked records under TarGuess-I, we find that several effective semantic tags have not been tested or employed in TarGuess-I

  • The guessing phase is similar to the probabilistic context-free grammar (PCFG)-based algorithm, but some of the products are intermediate candidates consisting of personally identifiable information (PII) tags (e.g., N3B5 and N3 1234)


Summary

Introduction

Password-based authentication is still an essential method in cybersecurity [1]. Research on password security has gone through several stages, from heuristic methods that lack a theoretical foundation to algorithms that conform to strict probability models [2]. Our modified model TarGuess-I+KPX performs best among the 10 models we experimented with: given the same user PII that TarGuess-I receives, it cracks a target user's password with a best-case success rate of 20.9% within 100 guesses, outperforming TarGuess-I by 2.62% (the target users come from the four sites listed in Table 1). We propose a new way to extend the password guessing model: parsing passwords into a special-string X tag, such as an anniversary date or another person's name, that does not appear in the user's demographic PII. Such strings can be identified by adding incremental information to the model or by refining how the model recognizes user-generated PII (such as e-mail addresses and user names). This method gives a new insight into targeted password guessing.
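The three semantic steps named above (a popular-password list, keyboard patterns recognized by relative key position, and X-tag special strings extracted from user-generated PII) can be sketched as a PCFG-style segmenter. The following Python is an added example written for this page; it is not the authors' TarGuess-I+KPX implementation. The QWERTY layout, the small popular-password sample standing in for a real top-300 list, the name/birthday forms, the sample user PII, and the tag naming (letter plus segment length, whereas the paper numbers N and B tags by usage type) are all assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class UserPII:
    """Demographic PII (name, birthday) plus user-generated PII (username, e-mail)."""
    name: str        # e.g. "Li Wei"
    birthday: str    # YYYYMMDD
    username: str
    email: str


# Constructed stand-in for a top-300 list drawn from a similar website
# (not the paper's list): a password found here is tagged P as a whole.
POPULAR_SAMPLE = {"123456", "password", "12345678", "qwerty", "111111", "123123", "abc123"}

# Constructed QWERTY layout; keyboard patterns are recognised by relative key
# position rather than by a fixed dictionary of strings.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def is_keyboard_pattern(s: str, min_len: int = 4) -> bool:
    """True when every step moves to a physically adjacent key (row, column or
    diagonal neighbour) in one constant direction, e.g. 'qwer', '1qaz', 'zxcv'.
    Direction changes ('qazwsx') are deliberately rejected so that short
    back-and-forth strings like 'asas' do not count as patterns."""
    s = s.lower()
    if len(s) < min_len or any(ch not in KEY_POS for ch in s):
        return False
    steps = set()
    for a, b in zip(s, s[1:]):
        (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
        step = (r2 - r1, c2 - c1)
        if max(abs(step[0]), abs(step[1])) != 1:
            return False
        steps.add(step)
    return len(steps) == 1


def demographic_candidates(pii: UserPII) -> Dict[str, str]:
    """Strings derivable from name and birthday, mapped to their tag letter (N or B)."""
    cands: Dict[str, str] = {}
    parts = pii.name.lower().split()
    if parts:
        forms = ["".join(parts), *parts,
                 "".join(p[0] for p in parts),        # initials
                 parts[0][0] + "".join(parts[1:])]    # first initial + rest
        for s in forms:
            if len(s) >= 2:
                cands[s] = "N"
    b = pii.birthday
    if re.fullmatch(r"\d{8}", b):
        y, m, d = b[:4], b[4:6], b[6:]
        for s in (b, y, y[2:], m + d, d + m, y[2:] + m + d):
            cands[s] = "B"
    return cands


def special_candidates(pii: UserPII, demographic: Dict[str, str], min_len: int = 3) -> set:
    """X-tag candidates: every continuous alphanumeric substring (>= min_len) of the
    username and e-mail local part that demographic PII does not already explain."""
    local = pii.email.lower().split("@")[0]
    cands = set()
    for src in (pii.username.lower(), local):
        for run in re.findall(r"[a-z0-9]+", src):
            for i in range(len(run)):
                for j in range(i + min_len, len(run) + 1):
                    if run[i:j] not in demographic:
                        cands.add(run[i:j])
    return cands


_PLAIN = [("L", re.compile(r"[A-Za-z]+")), ("D", re.compile(r"\d+")), ("S", re.compile(r"[^A-Za-z\d]+"))]


def parse(password: str, pii: UserPII) -> List[Tuple[str, str]]:
    """Greedy longest-match parse into (tag, segment) pairs. At each position the
    longest match wins; equal-length ties go N/B > X > K. Anything unmatched
    falls back to PCFG-style L/D/S runs."""
    if password.lower() in POPULAR_SAMPLE:
        return [("P" + str(len(password)), password)]
    demo = demographic_candidates(pii)
    special = special_candidates(pii, demo)
    low, out, i = password.lower(), [], 0
    while i < len(password):
        tag = end = None
        for j in range(len(password), i, -1):
            seg = low[i:j]
            if seg in demo:
                tag, end = demo[seg], j
            elif seg in special:
                tag, end = "X", j
            elif is_keyboard_pattern(seg):
                tag, end = "K", j
            if tag:
                break
        if tag is None:
            for letter, rx in _PLAIN:
                m = rx.match(password, i)
                if m:
                    tag, end = letter, m.end()
                    break
        out.append((f"{tag}{end - i}", password[i:end]))
        i = end
    return out


def structure(password: str, pii: UserPII) -> str:
    """Tag sequence only, e.g. 'X7B4', in the style of the paper's intermediate candidates."""
    return "".join(tag for tag, _ in parse(password, pii))


# Constructed sample user: "lovecat" appears only in the e-mail, so it becomes an X tag;
# "wei" is part of the name and is therefore tagged N even though the username contains it.
SAMPLE_PII = UserPII(name="Li Wei", birthday="19900512",
                     username="wei_love_88", email="lovecat@example.com")
```

With the constructed sample user, `structure("lovecat1990", SAMPLE_PII)` yields `X7B4` and `structure("wei1qaz", SAMPLE_PII)` yields `N3K4`, while a password absent from every candidate set, such as `Password123!`, degrades to the plain PCFG structure `L8D3S1`. The single-direction rule in `is_keyboard_pattern` is a deliberate trade-off: it misses zigzag walks like `qazwsx` but keeps trivial two-key oscillations out of the K tag.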

Preliminaries
Users’ Vulnerable Behaviors in Constructing Passwords
Implementations of Modified Methods
Experiments
Experiment 1
Experiment 2
Findings
Conclusion