Guessing passwords of targeted users easier than you think, warn researchers

A new academic report that demonstrates how hackers can easily crack a targeted user's passwords with a minimal amount of information underscores the dangers of data leaks, as well as the practice of sharing the exact same or similar passwords across multiple sites.

The multinational study, conducted by Lancaster University in the U.K. and Peking University and Fujian Normal University in China, presents a framework labeled “TarGuess,” which is designed to systematically categorize various password guessing scenarios based on information commonly available to hackers. This, in turn, allows researchers to design algorithms that can optimally guess a specific individual's passwords.

To conduct their study, the researchers looked at 10 previously breached datasets from various online services and attempted to use their TarGuess framework to guess victims' passwords based on the available leaked information. Researchers were successful at guessing an average user's account password 73 percent of the time when they had at least some personally identifiable information on the victim, plus a “sister password” that was used at another website and likely reused or modified elsewhere. Even when guessing the passwords of security-savvy users, the researchers were still successful under these same circumstances over 32 percent of the time.

"Our results suggest that... currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected," reads the study, entitled "Targeted Online Password Guessing: An Underestimated Threat," and authored by Ding Wang, Zijian Zhang, Ping Wang, Jeff Yan and Xinyi Huang. "We believe that the new algorithms and knowledge of effectiveness of targeted guessing models can shed light on both existing password practice and future password research."
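A defender-side check that follows from these findings, shown as an added example that is not code from the study or from this article: at password-set time, reject a candidate that embeds the user's personal information or is a light modification of a password already known to be exposed. The function names, the substitution table, the three-edit threshold and the sample data are all assumptions made for illustration.

```python
import re

# Common character substitutions, undone before comparing (assumed mapping).
LEET = str.maketrans("@4301$5!7", "aaeoissit")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def forms(password):
    """Lowercased, de-substituted and suffix-stripped views of a password."""
    low = password.lower()
    core = re.sub(r"[^a-z]+$", "", low)  # drop trailing digits/symbols
    return {low, low.translate(LEET), core.translate(LEET)} - {""}

def pii_tokens(pii):
    """Split each PII value into lowercase tokens of three or more characters."""
    parts = (p for v in pii.values() for p in re.split(r"[^a-z0-9]+", v.lower()))
    return sorted({p for p in parts if len(p) >= 3})

def targeted_guess_risk(candidate, pii, sister_passwords, max_edits=3):
    """Return reasons the candidate is exposed to PII- or reuse-based guessing."""
    reasons = []
    cand = forms(candidate)
    for token in pii_tokens(pii):
        if any(token in form for form in cand):
            reasons.append(f"contains personal info: {token}")
    for sister in sister_passwords:
        dist = edit_distance(candidate.lower(), sister.lower())
        if dist <= max_edits or cand & forms(sister):
            reasons.append(f"variant of an exposed password (edit distance {dist})")
    return reasons

# Constructed sample data, not taken from any real breach.
PII = {"name": "Alice Example", "birthday": "1987-04-12", "username": "alice_ex"}
SISTERS = ["Sunflower87"]

if __name__ == "__main__":
    for pw in ("Sunfl0wer87!", "Al1ce1987", "violet-kettle-orbit-42"):
        print(pw, "->", targeted_guess_risk(pw, PII, SISTERS) or "no finding")
```

In a deployment the exposed password would typically be the old password the user submits on a change form, since a properly hashed credential store cannot supply plaintext for comparison.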

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.