University researchers have developed a framework that can guess passwords 73% of the time.
The system, called Targuess, was built by researchers from Lancaster University, Peking University and Fujian Normal University, whopublisheda paper on their efforts, saying thatagainst more security-conscious users, the framework can still claim success 32% of the time.
While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information, such as one sister password leaked from another account and some personally identifiable information (PII).
"A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small," said the authors.
The researchers said that TarGuess "systematically characterises typical targeted guessing scenarios with seven sound mathematical models", each of which is based on varied kinds of data available to an attacker. These models allow the team to design novel and efficient guessing algorithms.
The team then carried out experiments using 10 large real-world password datasets, notably including ones found in the Yahoo breach. Among the ten most popular passwords used on Yahoo were (unsurprisingly) 123456, password, welcome, and ninja, among others.
Targuess was trained up on one set of passwords from one website and then used its training to guess passwords users used on other websites.
The researchers said that the results from the framework suggested that currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected.
"We believe that the new algorithms and knowledge of effectiveness of targeted guessing models can shed light on both existing password practice and future password research," said the authors.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
