Passwords: Divided they Stand, United they Fall

by   Harshal Tupsamudre, et al.

Today, offline attacks are one of the most severe threats to password security. These attacks have claimed millions of passwords from prominent websites including Yahoo, LinkedIn, Twitter, Sony, Adobe and many more. Therefore, as a preventive measure, it is necessary to gauge the offline guessing resistance of a password database and to help users choose secure passwords. The rule-based mechanisms that rely on minimum password length and different character classes are too naive to capture the intricate human behavior whereas those based on probabilistic models require the knowledge of an entire password distribution which is not always easy to learn. In this paper, we propose a space partition attack model which uses information from previous leaks, surveys, attacks and other sources to divide the password search space into non-overlapping partitions and learn partition densities. We prove that the expected success of a partition attacker is maximum if the resulting partitions are explored in decreasing order of density. We show that the proposed attack model is more general and various popular attack techniques including probabilistic-based, dictionary-based, grammar-based and brute-force are just different instances of a partition attacker. Later, we introduce bin attacker, another instance of a partition attacker, and measure the guessing resistance of real-world password databases. We demonstrate that the utilized search space is very small and as a result even a weak attacker can cause sufficient damage to the system. We prove that partition attacks can be countered only if partition densities are uniform. We use this result and propose a system that thwarts partition attacker by distributing users across different partitions. Finally, we demonstrate how some of the well-known password schemes can be adapted to help users in choosing passwords from the system assigned partitions.


page 1

page 2

page 3

page 4


Kidemonas: The Silent Guardian

Advanced Persistent Threats or APTs are big challenges to the security o...

BGPeek-a-Boo: Active BGP-based Traceback for Amplification DDoS Attacks

Amplification DDoS attacks inherently rely on IP spoofing to steer attac...

A Smart Backtracking Algorithm for Computing Set Partitions with Parts of Certain Sizes

Let α={a_1,a_2,a_3,...,a_n} be a set of elements, δ < n be a positive in...

Efficient attack sequences in m-eternal domination

We study the m-eternal domination problem from the perspective of the at...

A Probabilistic Analysis on a Lattice Attack against DSA

Analyzing the security of cryptosystems under attacks based on the malic...

The Curse of Correlations for Robust Fingerprinting of Relational Databases

Database fingerprinting schemes have been widely adopted to prevent unau...

When Textbook RSA is Used to Protect the Privacy of Hundreds of Millions of Users

We evaluate Tencent's QQ Browser, a popular mobile browser in China with...