Summary: Password guessing is one of the most common methods an attacker will use for compromising end users. We often hear that passwords belonging to website users have been leaked and revealed to the public. These leaks compromise the users involved but also feed the wealth of knowledge attackers have about users' passwords. The more informed attackers are about password creation, the better their password guessing becomes. In this paper, we demonstrate using proofs of convergence and real-world password data that the vulnerability of users increases as a result of password leaks. We show that a leak that reveals the passwords of just 1% of the users provides an attacker with enough information to potentially have a success rate of over 84% when trying to compromise other users of the same website. For researchers, it is often difficult to quantify the effectiveness of guessing strategies, particularly when guessing different datasets. We construct a model of password guessing that can be used to offer visual comparisons and formulate theorems corresponding to guessing success.