1
Targeted Online Password Guessing: An Underestimated Threat
ACM CCS 2016. Ding Wang, Zijian Zhang, Ping Wang (Peking University, China); Jeff Yan (Lancaster University, UK); Xinyi Huang (Fujian Normal University, China)
2
Password
3
Password authentication is ubiquitously used
4
The question we aim to answer
Given some information about the victim, how can an attacker guess her password online with the fewest attempts? This splits into 7 sub-questions: 1. Given some demographic information about the victim, how can the attacker guess her password online with the fewest attempts? 2. Given one password of the victim leaked from one account, how can the attacker guess her password at another account with the fewest attempts? ……
5
Outline: The problem; Explication of personal information and security model; Understanding user behavior; Our approach: TarGuess, a unified attacking framework; Seven targeted cracking algorithms; Experimental results; Conclusion
7
The "curse" of passwords: memorability vs. guess-resistance. "Memorability" demands passwords that are as short, regular and simple as possible; "guess-resistance" demands passwords that are as long, irregular and complex as possible. Hundreds of alternative schemes exist: graphical password authentication, biometric authentication, multi-factor authentication.
8
A comparison of alternative schemes
Result of the comparison: no authentication scheme achieves all the advantages of text passwords; each gains in some respects and loses in others.
9
Password is likely to keep its place
Criteria: low cost, usability, reproducible.
Password: low cost yes; usability medium.
Hardware token: low cost no; usability low.
Biometric: high (the remaining cells of the slide's table are not legible).
In the foreseeable future, password authentication will remain the dominant authentication method.
10
Password security
Security can only be achieved under some attacker model. There are two broad classes of attackers against passwords [NIST SP ]: guessing attackers (relevant to password strength), e.g., brute-force guessing, dictionary guessing; capture attackers (irrelevant to password strength), e.g., phishing, keylogging, sniffing, password replacing, etc.
11
Password guessing attacker
The attacker needs to guess the real password from a set of candidate ones. Classification: four types. Targeted online guessing is becoming more and more realistic.
12
Targeted online password guessing
Trawling online password guessing: the attacker generates a single list of guesses for all users, and thus is not effective within an online guessing budget. Targeted online password guessing: the attacker generates a list of guesses for one target (user), but how effective this kind of attacker can be is largely unknown.
13
Why targeted online password guessing attacks are realistic threats?
An inherent conflict: online guessing vs. DoS. If the number of failed attempts allowed is small, DoS becomes serious; if it is increased, online guessing becomes serious. "…… the verifier SHALL effectively limit online attackers to 100 consecutive failed attempts on a single account in any 30 day period ……" [NIST SP , NIST SP ]. Our results show that even when the number of allowed failed guesses is as low as 100 per month, the attacker still achieves online guessing success rates far beyond previous expectations. Personal info is readily available.
14
Why there is little research on targeted online password guessing?
Subjective reasons: lack of real-world password data with personal info; it involves some recent advances in inter-disciplinary knowledge (e.g., statistics, NLP). Objective reasons: it is a challenging problem to design targeted online guessing algorithms. The number of guesses allowed is small, e.g., <1000. There are multiple dimensions of info the attacker can use. How does the attacker prioritize his password guesses?
15
It is difficult to prioritize the guesses per user
People's password choices vary much from one another. Many people have their own password composition strategies [CHI'16, SOUPS'15]. Users' personal info is highly heterogeneous. Users employ a diversified set of transformation rules to modify passwords for cross-site reuse. Users' transformation rules are often context-dependent. Some PII (e.g., name, birthday and hobby), as shown, can be directly used as password components, while other PII (e.g., gender and education) cannot.
16
Current perceptions about targeted online password guessing
Easy to launch: personal info is easy to acquire; anyone with network access can launch it. Easy to resist with current security mechanisms like lockout and throttling: "…… online guessing can be readily addressed by throttling the rate of login attempts permitted……" [NIST SP , 2016]. How to characterize targeted (online) guessing attackers?
17
How to characterize targeted attackers? This question touches two of the five hard problems in information security posed by the NSA.
18
Outline: The problem; Explication of personal information and security model; Understanding user behavior; Our approach: TarGuess, a unified attacking framework; Seven targeted cracking algorithms; Experimental results; Conclusion
19
Explication of personal information
Three interchangeably used terms: personal information (PI), personally identifiable information (PII), demographic information. Their definitions sometimes vary greatly across situations, laws and regulations. Generally, a user's personal information is "any information relating to" this user, so PI is broader than PII.
20
Classification of personal information in the case of password cracking
Personal information (PI): (a) personally identifiable information (PII): 1) Type-1 PII: explicit role, e.g., birthday; 2) Type-2 PII: implicit role, e.g., gender; (b) user identification credentials, e.g., sister passwords, PINs; (c) other kinds of personal data (not considered).
21
System architecture: we consider the most generic case, the client/server (C/S) setting.
22
Security model: we assume that all public info (e.g., leaked password lists and site policies) is available to the attacker. We define a series of attacking scenarios based on the types of users' personal info given to the attacker. We consider 3 kinds of personal info: Type-1 PII, Type-2 PII, sister password. A total of 7 attacking scenarios.
23
Security model (2): we mainly consider the 4 most typical attacking scenarios. With TarGuess-I~IV, all 7 targeted guessing scenarios can be tackled.
24
Outline: The problem; Explication of personal information and security model; Understanding user behavior; Our approach: TarGuess, a unified attacking framework; Seven targeted cracking algorithms; Experimental results; Conclusion
25
Real-world password datasets
Five Chinese datasets, Five English ones A total of million
26
Real-world personal info datasets
Three Chinese ones, One English We get 7 PII-associated password datasets by matching with PW datasets.
27
Users love to choose popular passwords
In the 1990s someone counted and found that the most commonly used password was 12345; twenty years later, humanity had progressed by one digit: 123456.
28
How popular and unpopular user-chosen passwords are?
Passwords follow Zipf's law, satisfying the 20/50 or 20/80 rule. 8.21% of users choose one of the top-100 passwords, while 40% of users choose passwords that occur only once.
29
Users love to reuse passwords —— Survey results
77% of users reuse (or modify) an existing password.
30
Users love to reuse passwords —— Empirical evidence
We find passwords from the same user by matching . 34.02%∼51.11% of Chinese users' sister password pairs are identical, while this figure for English users is 6.25%∼21.96%. Among the non-identical password pairs, 70% are not very similar: most users modify passwords in a non-trivial way.
31
Users love to build passwords using their own type-1 PII
Popular Type-1 PII in passwords name, birthday, prefix, user name.
32
Type-2 PII also shows their impact
Gender and age show a tangible impact.
33
Outline: The problem; Explication of personal information and security model; Understanding user behavior; Our approach: TarGuess, a unified attacking framework; Seven targeted cracking algorithms; Experimental results; Conclusion
34
TarGuess: A framework for targeted online password guessing
TarGuess is proposed to model various targeted online guessing scenarios 3 phases: preparing, training and guessing
35
Our four primary formal models
TarGuess-I~IV With TarGuess-I~IV, all 7 targeted guessing scenarios can be tackled.
36
TarGuess-I: Public info+Type-1 PII
Based on probabilistic context-free grammars (PCFG). Key idea: type-based PII matching/segmentation. We propose this idea for the first time.
37
Context-free grammars (CFG). Formal definition: a context-free grammar is a four-tuple consisting of a set of terminals; a set of non-terminals (disjoint from the terminals); a set of productions (grammar rules) of the form A → β, where A is a non-terminal and β is a string over terminals and non-terminals; and a start symbol, which is a non-terminal. The left-hand side of a rule is always a non-terminal; the right-hand side may contain terminals and non-terminals.
38
Probabilistic context-free grammars (PCFG). Compared with a CFG, each rule A → β of a PCFG is assigned a probability P(A→β) ∈ [0,1], such that for each non-terminal A, Σ_β P(A→β) = 1.
39
PCFG-based password cracking model
Originally designed to characterize trawling guessing attackers [IEEE S&P'09, IEEE S&P'14]. Key idea: parse passwords into letter (L), digit (D) and symbol (S) segments, and learn the probabilities of base structures and of L-, D- and S-segments from real password datasets. E.g., password123 → L8D3, and P(password123) = P(L8D3) · P(L8→password) · P(D3→123).
40
PCFG-based password cracking model (2)
P(love1314) = P(L4D4) · P(L4→love) · P(D4→1314) = 0.2 × 0.25 × 0.2 = 0.01
41
PCFG-based password cracking model (3)
Suitable for trawling guessing: essentially, it only exploits users' weakness of choosing popular passwords. It does not take user PII or password reuse into account, and so is unsuitable for targeted guessing.
42
TarGuess-I: targeted PCFG
To capture PII semantics, besides the L, D, S tags as with PCFG, we introduce a number of type-based PII tags: 1) N for name; 2) B for birthday; 3) E for prefix; 4) A for user name; 5) I for national ID number; 6) P for phone number; ……..
43
TarGuess-I: targeted PCFG (2)
PCFG: wang.123 → L4S1D3. TarGuess-I: wang.123 → N3S1D3. For each type-based PII tag, the subscript stands for a particular sub-type of PII usage, not the matched length as with the L, D, S tags. 1) N1∼N7: N1 for the full name, N2 for the abbreviation of the full name, N3 for the family name, ……; 2) B1∼B10: B1 for birthday in YMD format, B2 for birthday in another format, ……; 3) E1∼E3 (prefix); 4) A1∼A3 (user name); 5) I1∼I2 (national ID number); 6) P1∼P3 (phone number).
44
TarGuess-I: targeted PCFG (3)
Training phase
45
TarGuess-I: targeted PCFG (4)
Guess generation phase: the language generated by the grammar.
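An added worked example (not the authors' TarGuess code) of the two ideas above: the original PCFG's L/D/S segmentation with base-structure and segment probabilities, and TarGuess-I's type-based PII tags, which are instantiated from the victim's own PII at guess time instead of being learned as strings. The PII record format, the B4 (MMDD) and B5 (year) sub-types, the greedy longest-PII-first parser and the training records are all assumptions made for this example:

```python
"""Toy targeted PCFG in the spirit of TarGuess-I (added example, not the
authors' code): train on (password, PII) pairs, then rank guesses for a
victim by instantiating the PII tags with the victim's own PII."""
import re
import string
from collections import Counter, defaultdict
from itertools import product

# PII record format is an assumption: {"name": "Family Given",
# "birthday": "YYYYMMDD", "username": "..."}. N1-N3, B1 and A1 follow the
# slide's tag sub-types; B4 (MMDD) and B5 (YYYY) are assumed sub-types.
def pii_segments(pii):
    parts = pii["name"].split()
    family, given = parts[0], (parts[1] if len(parts) > 1 else "")
    bd = pii["birthday"]
    segs = {
        "N1": "".join(parts).lower(),            # full name
        "N2": (family[:1] + given[:1]).lower(),  # abbreviation (initials)
        "N3": family.lower(),                    # family name
        "B1": bd,                                # birthday, YMD
        "B4": bd[4:8],                           # MMDD (assumed sub-type)
        "B5": bd[:4],                            # year (assumed sub-type)
        "A1": pii["username"].lower(),           # user name
    }
    return {tag: val for tag, val in segs.items() if val}  # drop empty PII

def parse(password, pii):
    """Split a password into (tag, segment) pairs. PII matches win over the
    plain L/D/S runs of the original PCFG; longer PII strings are tried first."""
    segs = sorted(pii_segments(pii).items(), key=lambda kv: -len(kv[1]))
    pw_l, i, out = password.lower(), 0, []
    while i < len(password):
        for tag, val in segs:
            if pw_l.startswith(val, i):
                out.append((tag, password[i:i + len(val)]))
                i += len(val)
                break
        else:
            run = re.match(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password[i:]).group(0)
            end = i + len(run)
            for _, val in segs:  # cut the run short where a PII string begins
                j = pw_l.find(val, i + 1)
                if 0 < j < end:
                    end = j
            run = password[i:end]
            kind = "L" if run[0] in string.ascii_letters else "D" if run[0] in string.digits else "S"
            out.append((kind + str(len(run)), run))
            i = end
    return out

def structure(password, pii):
    return "".join(tag for tag, _ in parse(password, pii))  # e.g. "N3S1D3"

class TargetedPCFG:
    def __init__(self):
        self.struct = Counter()             # base structure -> count
        self.terms = defaultdict(Counter)   # L/D/S tag -> concrete segment counts

    def train(self, samples):
        for pw, pii in samples:
            parsed = parse(pw, pii)
            self.struct[tuple(t for t, _ in parsed)] += 1
            for tag, seg in parsed:
                if tag[0] in "LDS":         # PII tags are never learned as strings
                    self.terms[tag][seg] += 1

    def prob(self, password, pii):
        parsed = parse(password, pii)
        p = self.struct[tuple(t for t, _ in parsed)] / sum(self.struct.values())
        for tag, seg in parsed:
            if tag[0] in "LDS":
                cnt = self.terms[tag]
                p *= cnt[seg] / sum(cnt.values()) if cnt else 0.0
        return p

    def guesses(self, pii, n):
        """Top-n guesses for a victim, highest probability first."""
        victim, total, merged = pii_segments(pii), sum(self.struct.values()), defaultdict(float)
        for struct, c in self.struct.items():
            choices = []
            for tag in struct:
                if tag[0] in "LDS":
                    cnt = self.terms[tag]
                    choices.append([(s, k / sum(cnt.values())) for s, k in cnt.items()])
                elif tag in victim:
                    choices.append([(victim[tag], 1.0)])  # instantiate with the victim's PII
                else:
                    break                     # victim lacks this PII type: skip structure
            else:
                for combo in product(*choices):
                    p = c / total
                    for _, q in combo:
                        p *= q
                    merged["".join(s for s, _ in combo)] += p
        return sorted(merged.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Constructed training records (not real leaks) and a constructed victim.
TRAIN = [
    ("wang.123", {"name": "Wang Li", "birthday": "19900105", "username": "wangli"}),
    ("liu.123", {"name": "Liu Yang", "birthday": "19880303", "username": "yang88"}),
    ("zhang1990", {"name": "Zhang Wei", "birthday": "19901212", "username": "zhangwei"}),
    ("love1314", {"name": "Zhao Min", "birthday": "19950720", "username": "minmin"}),
    ("Love1990", {"name": "Sun Lei", "birthday": "19900101", "username": "sunlei"}),
]
VICTIM = {"name": "Li Hua", "birthday": "19960515", "username": "lihua96"}

def demo():
    model = TargetedPCFG()
    model.train(TRAIN)
    return model.guesses(VICTIM, 3)  # [('li.123', 0.4), ('li1996', 0.2), ('Love1314', 0.1)]

if __name__ == "__main__":
    print(structure("wang.123", TRAIN[0][1]))  # N3S1D3
    print(demo())
```

The point the slides make is visible in the output: the structure N3S1D3 learned from "wang.123" and "liu.123" is re-instantiated as "li.123" for the victim, so a guess list of 100 entries can be spent on her name and birthday rather than on other people's names. Unseen base structures get probability 0 here; a real model would smooth.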
46
Comparison with existing algorithms
A comparison of TarGuess-I (and its variants) with Personal-PCFG [20], trained on 50% of the dataset and tested on the remaining 50%. 1) TarGuess-I and Personal-PCFG: six kinds of type-1 PII; 2) TarGuess-I′ eliminates phone # and NID; 3) TarGuess-I′′ further eliminates and user name; 4) TarGuess-I′′′ further eliminates birthday. TarGuess-I cracks 37.11%∼73.33% more passwords.
47
TarGuess-II: Public info+Sister PW
Key idea: password reuse behaviors are context-dependent. Training phase: given one password pair (PWA, PWB) in training set,
48
TarGuess-II(2)
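An added example (not the paper's TarGuess-II implementation) of the context-dependent reuse idea from the previous slide: learn from (PW_A, PW_B) training pairs how often each transformation rule explains PW_B, conditioned on a context of PW_A, then rank guesses for a victim's sister password. The rule subset, the single context feature (whether PW_A ends in digits), the leet table and the training pairs are assumptions made here; the real model uses a much richer rule set and a full grammar:

```python
"""Toy context-dependent password-reuse model in the spirit of TarGuess-II
(added example, not the authors' code)."""
import re
from collections import Counter, defaultdict

LEET = str.maketrans("aeios", "43105")  # assumed leet table

def context(pw):
    """Context the rule probabilities are conditioned on (assumption: digit tail or not)."""
    return "D" if pw[-1].isdigit() else "L"

def apply_rules(pw_a):
    """Structure-level transformation rules (an illustrative subset, not the paper's full set)."""
    rules = [("identical", pw_a),
             ("capitalize", pw_a[:1].upper() + pw_a[1:]),
             ("upper", pw_a.upper()),
             ("leet", pw_a.translate(LEET)),
             ("reverse", pw_a[::-1])]
    tail = re.search(r"[0-9]+$|[^A-Za-z0-9]+$", pw_a)
    if tail and tail.start() > 0:
        rules.append(("delete_tail", pw_a[:tail.start()]))  # drop trailing digit/symbol run
    return rules

def explain(pw_a, pw_b):
    """Which rule turns pw_a into pw_b? Returns (rule, suffix); suffix is set only for 'append'."""
    for rule, guess in apply_rules(pw_a):
        if guess == pw_b:
            return rule, None
    if pw_b.startswith(pw_a) and len(pw_b) > len(pw_a):
        return "append", pw_b[len(pw_a):]
    return "other", None

class ReuseModel:
    def __init__(self):
        self.rules = defaultdict(Counter)  # context -> rule -> count
        self.suffix = Counter()            # strings seen appended

    def train(self, pairs):
        for pw_a, pw_b in pairs:
            rule, suffix = explain(pw_a, pw_b)
            self.rules[context(pw_a)][rule] += 1
            if suffix is not None:
                self.suffix[suffix] += 1

    def guesses(self, pw_a, n):
        """Top-n guesses for the victim's other account, ranked by P(rule | context)."""
        ctx = self.rules[context(pw_a)]
        total = sum(ctx.values())
        if not total:
            return []
        out = defaultdict(float)
        for rule, guess in apply_rules(pw_a):
            if ctx[rule]:
                out[guess] += ctx[rule] / total
        n_suf = sum(self.suffix.values())
        if ctx["append"] and n_suf:
            for suf, k in self.suffix.items():
                out[pw_a + suf] += ctx["append"] / total * k / n_suf
        return sorted(out.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Constructed (PW_A, PW_B) pairs, not taken from any real leak.
PAIRS = [("password", "Password"), ("sunshine", "sunshine1"), ("iloveyou", "iloveyou123"),
         ("monkey", "monkey"), ("abc123", "abc"), ("hello99", "hello99"),
         ("dragon1", "Dragon1"), ("qwerty12", "qwerty123")]

def demo():
    model = ReuseModel()
    model.train(PAIRS)
    return model.guesses("summer2016", 6)

if __name__ == "__main__":
    for guess, p in demo():
        print(f"{guess:16s} {p:.3f}")
```

Context is what makes the ranking differ per victim: for a sister password ending in digits the model offers tail deletion ("summer"), while for an all-letter one it leans on appending learned suffixes, because that is what the training pairs showed in each context. Rules never seen in a context get probability 0 here; a real model would smooth.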
49
Comparing TarGuess-II with existing algorithms
Comparing TarGuess-II∼IV with Das et al.'s algorithm, trained on the 66,573 non-identical password pairs of 126→CSDN and tested on the 308,045 non-identical password pairs of Dodonew→CSDN. Besides a sister password, TarGuess-III uses four types of 51job type-1 PII and TarGuess-IV further uses the gender info. TarGuess-II outperforms Das et al.'s algorithm by 111.06%.
50
TarGuess-III: Sister password+ type-1 PII
Insert {N1∼N7, B1∼B10, A1, A2, A3; E1, E2, E3; P1, P2; I1, I2, I3} into V. To solve this attacking scenario, we only need to introduce the type-based PII tags into TarGuess-II. In this third attacking model, we tackle the guessing scenario where the attacker has obtained one sister password leaked from another account of the victim, together with some type-1 PII (and, of course, any piece of public information). This model is based on TarGuess-II. To capture user PII in passwords, we add the PII tags into the original grammar G-II. In the training phase, all PII-based password segments (each parsed with one kind of PII tag) only involve the six structure-level transformation rules defined in G-II; everything else in G-III remains the same as in G-II.
51
TarGuess-IV: Sister password +type-1 PII +type-2 PII
To solve this attacking scenario, we first prove a theorem and then leverage Bayesian theory.
53
The remaining three scenarios
Scenario #5: type-2 PII Scenario #6: type-1 PII + type-2 PII Scenario #7: 1 sister PW + type-2 PII
54
Experiments on large-scale data
To make our experiments as realistic as possible, our choices of the training set(s) for a given test set (attacking scenario) adhere to three rules: (1) They never come from the same service; (2) They are of the same language and PW policy; (3) The training set(s) shall be as large as possible.
55
Experimental results on normal users
With 100 guesses, TarGuess-I outperforms Personal-PCFG by 46%; TarGuess-II outperforms Das et al.'s by 72%; both TarGuess-III and IV achieve 73%+ success rates.
56
Experimental results on security-savvy users
With 100 guesses, TarGuess-I outperforms Personal-PCFG by 142%; TarGuess-II outperforms Das et al.'s by 169%; both TarGuess-III and IV achieve 32%+ success rates.
57
Experimental results: a further validation
Cracking real Xiaomi cloud accounts: 5.3K Xiaomi salted-MD5 hashes, obtained by matching the 8.28 million Xiaomi dataset with the 130K dataset using . The results are very consistent with the plaintext-based experiments on normal users.
58
Targeted online password guessing is difficult to resist against
When 100 attempts are allowed (e.g., the 100 recommended by NIST), the success rates of online guessing are at least: TarGuess-I 20%; TarGuess-IV 77%. Current mechanisms like throttling, CAPTCHA and IP blacklists are not real obstacles for such a small number of attempts.
59
Some immediate impact (in 2 months)
NIST SP confirmed revision. "…… online guessing can be readily addressed by throttling the rate of login attempts permitted……" [NIST SP , 2016]. On Sep. 18, 2016, based on our results, NIST revised this over-optimistic wording to "…can be mitigated…" and is consulting us on corresponding countermeasures. Media coverage: 200+ outlets, including Daily Mail, Forbes, Science Daily, Comm. ACM.
60
Future work Consider attacking scenarios with 2+ sister passwords;
Design targeted password strength meters; how to detect password compromise: for instance, Yahoo, Dropbox and LinkedIn all leaked passwords without detecting it for years.
61
THANK YOU & QUESTIONS