Password Guessing Research Articles

Modified Password Guessing Methods Based on TarGuess-I

TarGuess − I is a leading online targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. It has attracted widespread attention in password security owing to its superior guessing performance. Yet, after analyzing the users’ vulnerable behaviors of using popular passwords and constructing passwords with users’ PII, we find that this model does not take into account popular passwords, keyboard patterns, and the special strings. The special strings are the strings related to users but do not appear in the users’ demographic information. Thus, we propose TarGuess − I + K P X , a modified password guessing model with three semantic methods, including (1) identifying popular passwords by generating top-300 lists from similar websites, (2) recognizing keyboard patterns by relative position, and (3) catching the special strings by extracting continuous characters from user-generated PII. We conduct a series of evaluations on six large-scale real-world leaked password datasets. The experimental results show that our modified model outperforms TarGuess − I by 2.62% within 100 guesses.

A privacy and session key based authentication scheme for medical IoT networks

Due to rapid increase rate of smart medical devices, the existing security internet of things (IoT) protocols cannot guaranty to perform better in-term of various threats. In this paper, the Secure Addressing and Mutual Authentication protocol (SAMA) scheme is proposed to protect the network from multiple attacks. The SAMA scheme uses the unique addressing and identification method to authenticates the smart medical monitoring devices, so that they can uniquely identifies in medical IoT network. Additionally, the proposed scheme also preserves anonymity with the help of session key establishment to secure communication between the user and medical server. The performance of SAMA scheme has been evaluated in-term of functionality, computation and communication cost, and results are compared with existing schemes. Finally for security, the proposed scheme is also analyzed formally and informally using AVISPA tool and widely-accepted BAN logic model. The security analysis shows that the SAMA scheme ensures security against, such as, impersonation, password guessing, man-in-the-middle attack replay, etc.

A Provably Secure Two-Factor Authentication Scheme for USB Storage Devices

Universal Serial Bus (USB) is widely used, for example to facilitate hot-swapping and plug-and-play. However, USB ports can be exploited by an adversary to extract private or personal data from the connected devices. Hence, a number of organizations and workplaces have prohibited their employees from using USB devices, and there have been efforts to design secure USB storage device schemes to more effectively resist different known security attacks. However, designing such schemes is challenging. For example, in this article we revisit the Wei et al.’s scheme, and demonstrate that it is vulnerable to attacks such as password guessing and user impersonation. We also explain that the scheme does not verify the correctness of user’s input in the login phase, which is another design flaw. Then, we present an improved scheme and prove it secure in the random oracle model.

Generating Optimized Guessing Candidates toward Better Password Cracking from Multi-Dictionaries Using Relativistic GAN

Despite their well-known weaknesses, passwords are still the de-facto authentication method for most online systems. Due to its importance, password cracking has been vibrantly researched both for offensive and defensive purposes. Hashcat and John the Ripper are the most popular cracking tools, allowing users to crack millions of passwords in a short time. However, their rule-based cracking has an explicit limitation of depending on password-cracking experts to come up with creative rules. To overcome this limitation, a recent trend has been to apply machine learning techniques to research on password cracking. For instance, state-of-the-art password guessing studies such as PassGAN and rPassGAN adopted a Generative Adversarial Network (GAN) and used it to generate high-quality password guesses without knowledge of password structures. However, compared with the probabilistic context-free grammar (PCFG), rPassGAN shows inferior password cracking performance in some cases. It was also observed that each password cracker has its own cracking space that does not overlap with other models. This observation led us to realize that an optimized candidate dictionary can be made by combining the password candidates generated by multiple password generation models. In this paper, we suggest a deep learning-based approach called REDPACK that addresses the weakness of the cutting-edge cracking tools based on GAN. To this end, REDPACK combines multiple password candidate generator models in an effective way. Our approach uses the discriminator of rPassGAN as the password selector. Then, by collecting passwords selectively, our model achieves a more realistic password candidate dictionary. Also, REDPACK improves password cracking performance by incorporating both the generator and the discriminator of GAN. We evaluated our system on various datasets with password candidates composed of symbols, digits, upper and lowercase letters. The results clearly show that our approach outperforms all existing approaches, including rule-based Hashcat, GAN-based PassGAN, and probability-based PCFG. The proposed model was also able to reduce the number of password candidates by up to 65%, with only 20% cracking performance loss compared to the union set of passwords cracked by multiple-generation models.

Lightweight authentication and key management in mobile-sink for smart IoT-assisted systems

Internet of Things (IoT) utilizes an intelligent technique to facilitate the design and development of smart-urban projects. As the smart devices have limited battery sources, IoT services should initiate its setup with low-power consumption. Most of the existing approaches use Long Range Wide Area Network (LoRa-WAN) as a media access layer. It provides a long-range communication between the smart devices and application systems over Low Power Wide Area Network (LP-WAN). However, it fails to achieve end-to-end security and perfect secrecy to guarantee access security of the channels. An objective of mobile-sink is to solve the problem of data confidentiality, mutual authentication, session-key agreement, and preventing potential attacks. Thus, this paper presents a lightweight based authentication and key management (L-AKM) scheme for Smart IoT-Assisted Systems. To accomplish the key objectives of L-AKM, a lightweight continuous authentication was preferred that adopts the valid authentication period and continuous user authentication session to speed up the authentication process. The performance analysis proves that the L-AKM scheme achieves better security efficiencies to resist various potential attacks such as forgery, replay, password guessing, etc. However, the experimental analysis shows that the proposed L-AKM consumes more transmission delay and throughput rate due to extra authentication phases.

Lightweight authentication protocol for e-health clouds in IoT-based applications through 5G technology

Modern information technology has been utilized progressively to store and distribute a large amount of healthcare data to reduce costs and improve medical facilities. In this context, the emergence of e-Health clouds offers novel opportunities, like easy and remote accessibility of medical data. However, this achievement produces plenty of new risks and challenges like how to provide integrity, security, and confidentiality to the highly susceptible e-Health data. Among these challenges, authentication is a major issue that ensures that the susceptible medical data in clouds is not available to illegal participants. The smart card, password and biometrics are three factors of authentication which fulfill the requirement of giving high security. Numerous three-factor ECC-based authentication protocols on e-Health clouds have been presented so far. However, most of the protocols have serious security flaws and produce high computation and communication overheads. Therefore, we introduce a novel protocol for the e-Health cloud, which thwarts some major attacks, such as user anonymity, offline password guessing, impersonation, and stolen smart card attacks. Moreover, we evaluate our protocol through formal security analysis using the Random Oracle Model (ROM). The analysis shows that our proposed protocol is more efficient than many existing protocols in terms of computation and communication costs. Thus, our proposed protocol is proved to be more efficient, robust and secure.

TransPCFG: Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively

Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods’ performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> , that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${10}^{14}$ </tex-math></inline-formula> offline guesses. For passwords with 16 characters, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">12zxcvbnword1997</i> has four segments since it follows the template <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ </tex-math></inline-formula> . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

Design of secure session key using unique addressing and identification scheme for smart home Internet of Things network

AbstractInternet of Things (IoT) defines as internetworks of physical smart devices embedded with electronic software, sensors, actuators, and network connectivity. Due to an increase in the number of smart devices, objects, and appliances, the existing addressing schemes and security protocols cannot guaranty to perform well in all situations. The main requirement includes a unique secure unique addressing scheme that ensures data privacy and reliable communication in the IoT system. In this article, a secure session key unique addressing and identification scheme proposed by modifying the standard IPv6 protocol. The proposed scheme provides a unique way of assigning the addressing for smart devices/appliances and uniquely authenticates them at the destination end. In addition, this scheme also establishes a secure session and mutual authentication by using the Diffie‐Hellman key exchange protocol. The network simulation of the proposed scheme simulates network throughput and end‐to‐end delay. Moreover, the informal security verification and formal security analysis with the help of the ROR model carried out in this work. This analysis proves that the proposed scheme is safe against various possible attacks, for example, device impersonation, password guessing, man‐in‐the‐middle, attacks replay, masquerade attacks, maintain anonymity, and secure end to end mutual authentication.

Indistinguishability and unextractablility of password-based authentication in blockchain

Password is commonly used to protect Bitcoin wallet, the most known application of blockchain. In this paper, we investigate a subtle issue when forgetting password: The account owner uses guessed passwords during the authentication with a service provider. This is different from password guessing by cyber attackers, because passwords guessed by the account owner are (most likely) his/her passwords (or their minor variations) registered with other service providers. Thus, the confidentiality of incorrect passwords in unsuccessful authentication needs protection. To capture this security requirement, we define two security goals: Indistinguishability of Incorrect Passwords (IND-PW) and Unextractablility of Incorrect Passwords (UNE-PW). Our analysis shows that: (1) IND-PW is NOT achievable if password is the only authentication credential of the client, and (2) Two common authentication methods in online services, Basic and Digest Access Authentication (in conjunction with SSL), CANNOT provide UNE-PW.

An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture

The entire computing paradigm is changed due to the technological advancements in Information and Communication Technology (ICT). Due to these advancements, various new communication channels are being introduced, out of which the Internet of Things (IoT) plays a significant role. The Internet of Medical Things (IoMT) is a special category of IoT in which the medical devices communicate with each other for sharing sensitive data. These advancements help the healthcare industry to have better contact and care towards their patients. But they too have certain drawbacks since there are so many security and privacy issues like replay, man-in-the-middle, impersonation, privileged-insider, remote hijacking, password guessing, denial of service (DoS) attacks and malware attacks. When the sensitive data is being attacked by any of these attacks, there is a chance of losing the authorized data to the attacker or getting altered due to which the data is not available for the authorized users and customers. Machine learning algorithms are widely used in the Intrusion Detection System (IDS) for detecting and classifying the attacks at the network and host level in a dynamic manner. Many supervised and unsupervised algorithms have been designed by researchers from the area of machine learning and data mining to identify the reliable detection of an anomaly. However, the main challenge in the IDS models are changed in dynamic and random behavior of malicious attacks and designing a scalable solution that can handle this behavior. The rapid change in network behavior and the fast evolution of various attacks paved the way for evaluating various datasets that are generated over the years and to design different dynamic approaches. In this paper, a deep neural network (DNN) is used to develop effective and efficient IDS in the IoMT environment to classify and predict unforeseen cyberattacks. The network parameter are preprocessed, optimized and tuned by hyperparameter selection methods. A comprehensive analysis of experiments in DNN with other machine learning algorithms are compared on the benchmark intrusion detection dataset. Through rigorous testing, it has proved that the proposed DNN model performs better than the existing machine learning approaches with an increase in accuracy by 15% and decreases in time complexity by 32%, which helps in faster alerts to avoid post effects of intrusion in sensitive cloud data storage.

StopGuessing: Using Guessed Passwords to Thwart Online Password Guessing

Practitioners who are seeking to defend against online password-guessing attacks usually find a shortage of techniques. We present an open source system to defend against password-guessing attacks using information ignored previously: the guessed passwords themselves. We examine passwords to detect and are more forgiving of login failures caused by users mistyping their passwords.

Secure two-factor lightweight authentication protocol using self-certified public key cryptography for multi-server 5G networks

Recently Ying and Nayak proposed a multi-server supported lightweight authentication protocol for 5G networks and confirmed the security of their protocol against all prominent attacks. Nevertheless, this paper will show certain shortcomings in their protocol, like vulnerability against identity guessing, password guessing, and user impersonation attacks. Additionally, it lacks in rendering strong user anonymity and truly two-factor security. Following the crypt-analysis, we propose an improved multi-server authentication protocol, that resists all recognized attacks, including these traps. The formal analysis using broadly accepted BAN-logic assures that the proposed protocol provides mutual authentication among the user and service-providing server. Additionally, the automated verification using the “Automated Validation of Internet Security Protocols and Applications” (AVISPA) tool asserts that improved protocol is safe toward active attacks. The performance comparison with the Ying-Nayak's protocol is evident that the proposed protocol is efficient concerning computational complexity and communication costs.

Convergence of Password Guessing to Optimal Success Rates.

Password guessing is one of the most common methods an attacker will use for compromising end users. We often hear that passwords belonging to website users have been leaked and revealed to the public. These leaks compromise the users involved but also feed the wealth of knowledge attackers have about users’ passwords. The more informed attackers are about password creation, the better their password guessing becomes. In this paper, we demonstrate using proofs of convergence and real-world password data that the vulnerability of users increases as a result of password leaks. We show that a leak that reveals the passwords of just 1% of the users provides an attacker with enough information to potentially have a success rate of over 84% when trying to compromise other users of the same website. For researchers, it is often difficult to quantify the effectiveness of guessing strategies, particularly when guessing different datasets. We construct a model of password guessing that can be used to offer visual comparisons and formulate theorems corresponding to guessing success.

A secure authentication scheme framework for mobile-sinks used in the Internet of Drones applications

Within the last decade, communication technologies have evolved rapidly, and this caused significant advancements for Internet of Things (IoT) applications and services. Unmanned aerial vehicles (UAVs), popularly known as drones, has attracted the interest of researches because of their fundamental attributes such as mobility, flexibility, reliability and energy efficiency in wireless networks. Similar to wireless sensor networks (WSNs) and other remote sensing applications, these devices are generally not designed with integrated security mechanisms. Furthermore, the existing solutions in which the main focus is on drone communication security are quite limited in the literature. Since the UAVs have the potential to handle very sensitive data, the exchange of information over wireless channels can cause serious exposures. The authentication schemes to be employed should be handled with care because of the limited resources and energy available with the sensor nodes. The existing enabling UAV technologies have restricted authentication privileges for their interaction with WSNs. In this paper, UAVs which can act like mobile-sinks are considered and existing work on WSN-UAV environment authentication is extended. A secure authentication framework using elliptic-curve crypto-systems is presented. The proposed framework is evaluated to ensure it is resilient to significant well-known potential attacks related with data confidentiality, mutual authentication, password guessing, and key impersonation.

Evaluating the strength of a multilingual passphrase policy

A number of studies have advocated for the use of long passwords (passphrases) with the aim of attaining a balance between security and usability. This study investigated the security gains of using a multilingual passphrase policy in user generated passphrases that are based on African and Indo-European languages. The research on passwords has been largely focused on the Global North where English is often the first or only language. Targeted password guessing of English and Chinese-based passwords shows that a user's mother tongue language can influence password structure, something that reflects on security. Given a multilingual user group, for example in Africa, it is interesting to establish whether such a population can generate secure multilingual passphrases. Accordingly, the findings of this study could be extrapolated to other contexts with multilingual users. In this study, a total of 224 university students in Southern Africa were invited to take part in an experiment that involved the generation of passwords and passphrases guided by a short password and multilingual passphrase policy. The results show that English language-oriented passwords dominated the short password corpora. Moreover, the use of a multilingual passphrase policy reduced the dominance of English language-oriented passwords. Security tests using a Probabilistic Context-Free Grammar (PCFG) suggest that short passwords are weaker, with marginally more than 50% of the short passwords being guessed while none of the multilingual passphrases were guessed. Further analysis shows that short passwords oriented towards an Indo-European language were easier to guess when compared to short passwords based on African languages. Hence, this study encourages orienting passwords to other languages, with the use of a multilingual passphrase policy expected to offer more security.

Cryptanalysis of Security Analysis and Enhancements of a Remote User Authentication Scheme

The main purpose of user authentication schemes is to verify the authorized user using a server via an insecure channel. With the authentication, a server and a user could have a mutual authentication. In 2019, Cao proposed an improvement of a user authentication scheme. The scheme was postulated in that it could protect from the several possible attacks and have the following advantages: Identity preservation, not only to resist the slow wrong password detection, to resist the user masquerading, the password guessing, and the sever masquerading attacks, but also to have a mutual authentication between servers and users. However, we will show his scheme is not with the capacity to against the denial of service and on-line password guessing attacks in this article. In order to improve that authentication scheme, this work proposes an enhanced remote authentication scheme with the capacity to resist those vulnerabilities as shown in Cao-Sun-Cao’s scheme.

Superword: A honeyword system for achieving higher security goals

Generating honeywords for each user’s account is an effective way to detect whether password databases are compromised. However, there are several underlying security issues associated with honeyword techniques that need to be addressed, for example, (1) How to make it more difficult for an attacker to find an accurate match of “username-real password”? (2) How to prevent the intersection attack in multiple systems caused by password reuse without reducing usability? (3) How to reduce the success rate of targeted password guessing? In this study, we first propose a “matching attack” model and find that although Erguler’s honeyword system can achieve perfect flatness, the success rate of the attacker is 100% under matching attack. Secondly, we propose a new honeyword approach named Superword that isolates the direct relationship between username and the corresponding hashed password in password files. Additional honeypots are mixed with real accounts to detect online guessing attacks. The analysis reveals that our approach makes a matching attacker difficult to find a real password from N password hashes. Since there is no connection between the username and password in password files, our honeyword system also alleviates the multiple systems intersection attack and targeted password guessing.

GENPass: A Multi-Source Deep Learning Model for Password Guessing

The password has become today's dominant method of authentication. While brute-force attack methods such as HashCat and John the Ripper have proven unpractical, the research then switches to password guessing. State-of-the-art approaches such as the Markov Model and probabilistic context-free grammar (PCFG) are all based on statistical probability. These approaches require a large amount of calculation, which is time-consuming. Neural networks have proven more accurate and practical in password guessing than traditional methods. However, a raw neural network model is not qualified for cross-site attacks because each dataset has its own features. Our work aims to generalize those leaked passwords and improves the performance in cross-site attacks. In this paper, we propose GENPass, a multi-source deep learning model for generating “general” password. GENPass learns from several datasets and ensures the output wordlist can maintain high accuracy for different datasets using adversarial generation. The password generator of GENPass is PCFG+LSTM (PL). We are the first to combine a neural network with PCFG. Compared with Long short-term memory (LSTM), PL increases the matching rate by 16%–30% in cross-site tests when learning from a single dataset. GENPass uses several PL models to learn datasets and generate passwords. The results demonstrate that the matching rate of GENPass is 20% higher than by simply mixing datasets in the cross-site test. Furthermore, we propose GENPass with probability (GENPass-pro), the updated version of GENPass, which can further increase the matching rate of GENPass.

Security analysis and application of Chebyshev Chaotic map in the authentication protocols

ABSTRACT Due to the quick expansion and fast growth of computer networks, remote user's authentication and key agreement protocol is required. Chaotic maps play a very important role in the construction of authentication and key agreement protocol. Recently, many of the key agreement protocols are proposed based on chaotic maps and it can generate secure session key as well as resist known-key attacks. In this paper, it has been illustrated that most of the existing schemes cannot establish secure communication. Moreover, chaotic map-based authentications schemes have been found vulnerable to identity guessing, password guessing, impersonation, stolen smart card, and violation of session key attacks. Although some of the protocol has advantages of low computation cost but they lacks to attain security attributes. Moreover, these schemes do not support verified session key security with a minimum number of messages exchanged. Therefore, a chaotic map-based authentication scheme is essential to overcome existing weaknesses.

Lightweight Secure Message Broadcasting Protocol for Vehicle-to-Vehicle Communication

Vehicular communications are used in various safety and business applications in today's technological world for user benefits. In this, vehicle-to-vehicle (V2V) communication enables users to exchange meaningful information with nearby vehicles directly. In general, vehicles move faster on the highway rather than the intersection road environment, and thus, a robust system is required to communicate efficiently and securely. Recently, researchers have designed various message dissemination schemes, but different concerns (i.e., security threats, more execution time, high communication overhead, and storage cost) are present in these systems, and it leads to unreliability for on-the-fly communication. Therefore, in this article, we propose an efficient and secure V2V data transmission protocol using a one-way hash function to send valuable information at the receiver side quickly. The results present that the suggested scheme performs better in execution time, storage cost, communication overhead, and energy consumption compared to the existing V2V protocols. Further, the proposed method resists various security attacks, i.e., modification, impersonation, replay, man-in-the-middle, stolen on-board-unit, password guessing, and concatenation.