Targeted Online Password Guessing: An Underestimated Threat. Ding Wang, Zijian Zhang, Ping Wang (Peking University, China), Jeff Yan (Lancaster University, UK), Xinyi Huang (Fujian Normal University, China). ACM CCS 2016.
Real-world password datasets • Five Chinese datasets, five English ones • A total of 95.83 million
Real-world personal info datasets • Three Chinese ones, one English • Finally, we get 7 PII-associated datasets by matching email with password datasets.
Experimental results on normal users • With 100 guesses: • TarGuess-I outperforms Personal-PCFG by 46%; • TarGuess-II outperforms Das et al.'s by 72%; • Both TarGuess-III and IV gain 73%+ success rates.
Experimental results on security-savvy users • With 100 guesses: • TarGuess-I outperforms Personal-PCFG by 142%; • TarGuess-II outperforms Das et al.'s by 169%; • Both TarGuess-III and IV gain 32%+ success rates.
Experimental results: a further validation • Cracking real Xiaomi cloud accounts • 5.3K Xiaomi MD5-salted hashes, obtained by matching the 8.28 million Xiaomi dataset with the 130K 12306 dataset using email. • The results are very consistent with the plaintext-based experiments on normal users.