Beyond Credential Stuffing: Password Similarity Models Using Neural Networks

Bijeeta Pal, Tal Daniel, Rahul Chatterjee, T. Ristenpart
Published in: 2019 IEEE Symposium on Security and Privacy (SP)
Publication date: 2019-04-01
DOI: 10.1109/SP.2019.00056 (https://doi.org/10.1109/SP.2019.00056)
Citations: 57

Abstract

Attackers increasingly use passwords leaked from one website to compromise associated accounts on other websites. Such targeted attacks work because users reuse, or pick similar, passwords for different websites. We recast one of the core technical challenges underlying targeted attacks as the task of modeling the similarity of human-chosen passwords. We show how to learn good password similarity models using a compilation of 1.4 billion leaked (email, password) pairs. Using our trained models of password similarity, we exhibit the most damaging targeted attack to date. Simulations indicate that our attack compromises more than 16% of user accounts in less than a thousand guesses, should one of their other passwords be known to the attacker, and despite the use of state-of-the-art countermeasures. We show via a case study involving a large university authentication service that the attacks are also effective in practice. We go on to propose the first-ever defense against such targeted attacks, by way of personalized password strength meters (PPSMs). These are password strength meters that can warn users when they are picking passwords that are vulnerable to attacks, including targeted ones that take advantage of the user’s previously compromised passwords. We design and build a PPSM that can be compressed to less than 3 MB, making it easy to deploy in order to accurately estimate the strength of a password against all known guessing attacks.