Abstract
Passwords are the primary means of authentication and security for online accounts and are commonly used to encrypt files and disks. This research demonstrates how personal information about users can be added systematically to enhance password cracking. Specifically, a dictionary-based probabilistic context-free grammar approach is proposed that effectively incorporates personal information about a targeted user into component grammars and dictionaries used for password cracking. The component grammars model various types of personal information such as family names and dates, previous password information and possible information about sequential passwords. A mathematical model for merging multiple grammars that combines the characteristics of the component grammars is presented. The resulting merged target grammar, which is also merged with a standard grammar, is used along with various dictionaries to generate guesses that quickly match target passwords. The experimental results demonstrate that the approach significantly improves password cracking performance.
© 2017 IFIP International Federation for Information Processing
Cite this paper
Houshmand, S., Aggarwal, S. (2017). Using Personal Information in Targeted Grammar-Based Probabilistic Password Attacks. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIII. DigitalForensics 2017. IFIP Advances in Information and Communication Technology, vol 511. Springer, Cham. https://doi.org/10.1007/978-3-319-67208-3_16
DOI: https://doi.org/10.1007/978-3-319-67208-3_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67207-6
Online ISBN: 978-3-319-67208-3
eBook Packages: Computer Science, Computer Science (R0)