
Targeted password guessing is significantly easier than it should be


November 15, 2016

Various test results by internet security experts confirm that targeted password guessing is significantly easier than it should be, thanks to the online availability of personal information, social media, leaked passwords associated with other accounts, and our tendency to incorporate lots of personal, sensitive information into our passwords.

In a paper presented at the ACM Conference of Communication and Systems Security a few weeks ago, security researchers from China and Britain describe a system for targeted password guessing and find that a sizable fraction of people's online passwords are vulnerable to it.

The security researchers in question are Ding Wang, Zijian Zhang and Ping Wang from Peking University, Jeff Yan of Lancaster University, and Xinyi Huang from Fujian Normal University.

The group claims that this threat is significantly underestimated. Using a targeted password-guessing framework named TarGuess, the researchers achieved success rates as high as 73 percent with just 100 guesses against typical users, and as high as 32 percent against security-savvy users.

The researchers used 10 large real-world password datasets that have been exposed online: five from English-language sites, including Yahoo, and five from Chinese sites, including Dodonew.

"Our results suggest that the currently used security mechanisms would be largely ineffective against the targeted password guessing threat, and that has already become much more damaging than expected," the group asserted in their paper.

"We believe that the new algorithms and the knowledge needed of effectiveness of targeted guessing models can shed some light on both existing password practices and future password research," they added.

More or less everyone in the computer security industry, and most internet users, are aware that passwords offer inadequate security when poorly implemented. As the report shows, between 0.79 percent and 10.44 percent of user-chosen passwords can be guessed using just the 10 most popular passwords, a list that includes perennial favorites such as "123456", "sex", "love", "god", "rover" and "password".

The security researchers also note that a small percentage of people use their personal information in their passwords. Between 0.75 percent and 1.87 percent of individuals use their full names as their passwords, for instance.

Among users in China, where numbers are commonly used in passwords, between 1 percent and 5.16 percent use their birthdays as passwords. Email addresses and usernames also serve as passwords roughly 10 to 15 percent of the time.

Additionally, people often reuse passwords in whole or in part and that represents another security blunder. This research reveals that it's sometimes possible to use publicly accessible data about an individual, from hacked accounts or otherwise, to gain access to several other accounts used by that person.

The researchers' TarGuess algorithms (the group built four of them) proved most successful when "sister" passwords (passwords for another account owned by the same target) were already known.

But even when sister passwords weren't available, they still had some success, ranging from 20 percent with about 100 guesses to 50 percent with 10^6 guesses.

The security researchers also achieved higher success rates when more user information was available to them. For example, they were able to guess the passwords of users of Chinese train ticketing site 12306 about 20 percent of the time when they knew users' email addresses, account names, birthdays, phone numbers, and national identity numbers.

The success rate dropped to about 6 percent when only users' names were known, however. "This suggests that the majority of normal users' passwords are prone to a small number of targeted online guesses," the researchers asserted, noting that this invalidates 2016 NIST guidance that service providers should limit the number of consecutive failed login attempts to 100 or fewer per month in an effort to improve security.

The findings underscore the need for education about how to create strong passwords, and about tools such as password managers that let people maintain dozens of sufficiently long, complex passwords that share no common patterns.

Source: Peking University.
