Results from research conducted by security experts in the UK and China shows, for the first time, that an overwhelming number of passwords for online account – used for anything from banking, social media, and shopping – are vulnerable to targeted online guessing.

Targeted online guessing is when criminals guess a specific victim’s password for an account. They do this by exploiting knowledge of their victim’s personal information – such as the password the target uses from another service as well as personal identifiable information, like their name and birthday.

Many people tend to reuse passwords across multiple web-based services and also use personal information within their passwords. Recent years have seen a large number of data breaches from businesses, putting more personal information into the hands of criminals. These breaches mean that similar passwords used on other services become particularly vulnerable to targeted guessing.

To check the vulnerability of online passwords to targeted guessing, researchers from Lancaster University, Peking University and Fujian Normal University, created different guessing frameworks that prioritise the order of guessing based on attackers having access to different types of personal information – or multiple pieces of information. These prioritising models were tested against ten large real-world datasets from Chinese and English Internet users.

When tested, the researchers’ attack models – particularly those that benefitted from multiple pieces of personal information, including a password from another service - were able to successfully guess the passwords of accounts for more than 73 per cent of normal users, and around a third of security-savvy users with a limit of 100 guesses. In the US, NIST (National Institute of Standards and Technology) guidelines for internet services require password attempts to be limited to 100 within a 30 day period.

The work, which for the first time systematically evaluates how attackers can gain advantages by exploiting personal information including leaked passwords, features in the paper ‘Targeted Online Password Guessing: An Underestimated Threat’, which was presented by Dr Jeff Yan, co-author of the paper and Senior Lecturer at Lancaster University, at the CCS’16 Conference in Vienna.

“Our results suggest that the currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected,” said Dr Yan.

“This work shows, for the first time, that targeted password guessing is a much underestimated threat and we have demonstrated that a large number of passwords can be guessed if personal information is known to the attacker – especially if they know passwords from other accounts owned by the potential victim.”, said Mr Ding Wang, the leading student author who has been jointly guided by Professor Ping Wang at Peking University and by Dr Yan at Lancaster on the paper.

“We are finding that targeted online guessing threats are increasingly more damaging and realistic. This is a serious security concern as there are large amounts of personally identifiable information, and leaked passwords readily available to criminals due to lots of million-sized data breaches like Yahoo, Myspace, Linkedin, Dropbox and VK.com,” said Professor Wang, the corresponding author of the paper.

“Our results should encourage people to vary the passwords they use on different websites much more substantially to make it harder for criminals to guess their passwords. This work should also help inform Internet service providers looking to introduce more robust security measures to detect and resist online guessing,” Dr Yan added.

Although the results from this work imply that a website should allow far fewer guesses than 100 for an account to be secure, researchers stress this needs to be balanced against the need for users to have the option to try multiple attempts to access their accounts. In addition, a small limit on password attempts for an account may provide attackers with another malicious option – to lock up selected (or lots of) accounts with multiple failed password guesses. This is the so-called denial of service attack. As the number 100 is already rather small, striking a good balance between guessing attack and denial of service attack outlines the need for security-concerned websites to deploy more robust security measures. A promising approach is to use other implicit user identification signals besides the password, including the user's IP address, geolocation, device fingerprints and user behaviour like the time of login and key-stroke dynamics.

“It was encouraging to see that, in a quick response to our results, the NIST have revised part of SP 800-63-3 Digital Authentication Guideline, and invited our further comments on other related standards,” said Dr Yan.

The paper is available by visiting http://dl.acm.org/citation.cfm?id=2978339&CFID=685234644&CFTOKEN=66042247

The papers authors are Ding Wang, Zijian Zhang and Ping Wang, Peking University; Jeff Yan of Lancaster University’s School of Computing and Communications; and Hinyi Huang, of the School of Mathematics and Computer Science, Fujian Normal Univeristy.

ACM Conference of Communication and Systems Security (CCS) is a flagship international conference on cybersecurity.