Targeted Online Password Guessing: An Underestimated Threat ACM CCS 2016 Ding Wang, Zijian Zhang, Ping Wang (Peking University,China) Jeff Yan (Lancaster University, UK) Xinyi Huang (Fujian Normal University, China)

Real-world password datasets Five Chinese datasets, Five English ones A total of 95.83 million

Real-world personal info datasets Three Chinese ones, One English Finally, we get 7 PII-associated datasets by by matching email with password datasets.

Experimental results on normal users With 100 guesses, TarGuess-I outperforms Personal-PCFG by 46%; TarGuess-II outperforms Das et al. ‘s by 72%; Both TarGuess-III and IV gain 73%+ success rates.

on security-savvy users Experimental results on security-savvy users With 100 guesses, TarGuess-I outperforms Personal-PCFG by 142%; TarGuess-II outperforms Das et al. ‘s by 169%; Both TarGuess-III and IV gain 32%+ success rates.

——A further validation Experimental results ——A further validation Cracking real Xiaomi cloud accounts 5.3K Xiaomi MD5-salted hashes, obtained by matching the 8.28 million Xiaomi dataset with the 130K 12306 dataset using email. Very consistent results with these plaintext-based experiments on normal users.

THANK YOU & QUESTIONS