A new academic report that demonstrates how hackers can easily crack a targeted user's passwords with a minimal amount of information underscores the dangers of data leaks, as well as the practice of sharing the exact same or similar passwords across multiple sites.
The multinational study, conducted by Lancaster University in the U.K. and Peking University and Fujian Normal University in China, presents a framework labeled “TarGuess,” which is designed to systemically categorize various password guessing scenarios based on information commonly available to hackers. This, in turns, allows researchers to design algorithms that can optimally guess a specific individual's passwords.
To conduct their study, the researchers looked at 10 previously breached datasets from various online services and attempted to use their TarGuess framework to guess victims' passwords based on the available leaked information. Researchers were successful at guessing an average user's account password 73 percent of the time when they had at least some personally identifiable information on the victim, plus a “sister password” that was used at another website and likely reused or modified elsewhere. Even when guessing the passwords of security-savvy users, the researchers were still successful under these same circumstances over 32 percent of the time.
"Our results suggest that... currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected," reads the study, entitled "Targeted Online Password Guessing: An Underestimated Threat," and authored by Ding Wang, Zijian Zhang, Ping Wang, Jeff Yan and Xinyi Huang. "We believe that the new algorithms and knowledge of effectiveness of targeted guessing models can shed light on both existing password practice and future password research."