The experts below are selected from a list of 144 experts worldwide ranked by the ideXlab platform.
Huang Xinyi - One of the best experts on this subject based on the ideXlab platform.
- Targeted online password guessing: an underestimated threat
  Association for Computing Machinery (ACM), 2016. Co-authors: Wang Ding, Zhang Zijian, Wang Ping, Yan Jeff, Huang Xinyi.
  Abstract: While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service by exploiting the victim's personal information, such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I~IV capture the four most representative scenarios and, within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% against security-savvy users and by 72% against normal users; and (3) both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.
- Targeted Online Password Guessing: An Underestimated Threat
  23rd ACM Conference on Computer and Communications Security (CCS), 2016. Co-authors: Wang Ding, Zhang Zijian, Wang Ping, Yan Jeff, Huang Xinyi.
  Abstract: While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service by exploiting the victim's personal information, such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I~IV capture the four most representative scenarios and, within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% against security-savvy users and by 72% against normal users; and (3) both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.
Paul C. Van Oorschot - One of the best experts on this subject based on the ideXlab platform.
- Revisiting defenses against large-scale online password guessing attacks
  IEEE Transactions on Dependable and Secure Computing, 2012. Co-authors: Mansour Alsaleh, Mohammad Mannan, Paul C. Van Oorschot.
  Abstract: Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.
- On countering online dictionary attacks with login histories and humans-in-the-loop
  ACM Transactions on Information and System Security, 2006. Co-authors: Paul C. Van Oorschot, Stuart Stubblebine.
  Abstract: Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol by Pinkas and Sander (2002) to protect against online password-guessing attacks. We present modifications providing a new history-based login protocol with ATTs, which uses failed-login counts. Analysis indicates that the new protocol offers opportunities for improved security and user friendliness (fewer ATTs to legitimate users) and greater flexibility (e.g., allowing protocol parameter customization for particular situations and users). We also note that the Pinkas-Sander and other protocols involving ATTs are susceptible to minor variations of well-known middle-person attacks. We discuss complementary techniques to address such attacks, and to augment the security of the original protocol.
Wang Ding - One of the best experts on this subject based on the ideXlab platform.
Hugo Krawczyk - One of the best experts on this subject based on the ideXlab platform.
- A hidden password online password manager
  ACM Symposium on Applied Computing, 2021. Co-authors: Maliheh Shirvanian, Nitesh Saxena, Christopher Robert Price, Mohammed Jubur, Stanislaw Jarecki, Hugo Krawczyk.
  Abstract: The most commonly adopted password management technique is to store web account passwords on a password manager and lock them using a master password. However, current online password managers do not hide the account passwords or the master password from the password manager itself, which highlights their real-world vulnerability and lack of user confidence in the face of malicious insiders and outsiders that compromise the password management service, especially given its online nature. We attempt to address this crucial vulnerability in the design of online password managers by proposing HIPPO, a cloud-based password manager that does not learn or store master passwords and account passwords. HIPPO is based on the cryptographic notion of device-enhanced password authenticated key exchange, proven by Jarecki et al. to resist online guessing attacks and dictionary attacks. We introduce the HIPPO protocol design and report on a full implementation of the system.
Tzonelih Hwang - One of the best experts on this subject based on the ideXlab platform.
- On a simple three-party password-based key exchange protocol
  International Journal of Communication Systems, 2011. Co-authors: Chingying Lin, Tzonelih Hwang.
  Abstract: In 2009, Huang (Int. J. Commun. Syst., 22, 857–862) proposed a simple and efficient three-party password-based key exchange protocol without the server's public key. This work shows that the protocol could be vulnerable to an undetectable online password guessing attack. Furthermore, an improved protocol is proposed to avoid the attack.