Smarter Password Guessing Techniques Leveraging
Contextual Information and OSINT
Aikaterini Kanta∗† , Iwen Coisel† , Mark Scanlon∗
∗ Forensicsand Security Research Group, School of Computer Science, University College Dublin, Ireland
† European Commission, Joint Research Centre (DG JRC) - Via Enrico Fermi 2749, 21027 Ispra (VA), Italy
Email:
[email protected],
[email protected],
[email protected] Abstract—In recent decades, criminals have increasingly used account, this work is exploring ways this information about a
the web to research, assist and perpetrate criminal behaviour. suspect as an individual or a community can be leveraged in
arXiv:2012.01159v1 [cs.CR] 2 Dec 2020
One of the most important ways in which law enforcement order to better facilitate the recovery process.
can battle this growing trend is through accessing pertinent
information about suspects in a timely manner. A significant II. R ELATED W ORK
hindrance to this is the difficulty of accessing any system a
suspect uses that requires authentication via password. Password A. Password Metrics
guessing techniques generally consider common user behaviour There have been studies that analyse the composition of
while generating their passwords, as well as the password policy
passwords with focus on how people choose them, where
in place. Such techniques can offer a modest success rate
considering a large/average population. However, they tend to password re-use and reliance on dictionary words can be
fail when focusing on a single target – especially when the observed [4], [5], [7]. In addition, studies have considered the
latter is an educated user taking precautions as a savvy criminal demographics of participants and if they play an important
would be expected to do. Open Source Intelligence is being role in the selection process [8], [9]. Finally, it is observed
increasingly leveraged by Law Enforcement in order to gain
that users tend to use personal information when they create
useful information about a suspect, but very little is currently
being done to integrate this knowledge in an automated way a password, as it is more easily memorable to them [6], [10].
within password cracking. The purpose of this research is to delve
into the techniques that enable the gathering of the necessary
B. Open Source Intelligence
context about a suspect and find ways to leverage this information Steele [11] defines Open Source Intelligence (OSINT) as
within password guessing techniques. information that is publicly available and can be used to
Index Terms—Password Security, Password Guessing Tech- answer a specific question. To this end, there are many OSINT
niques, Context-based Password Cracking, Open Source Intel-
ligence (OSINT) tools available to the community that can aid in finding,
extracting and sorting though this information1 .
I. I NTRODUCTION C. Password Guessing Related Tools
Nowadays, criminal activity is increasingly conducted in Traditional password guessing techniques include brute
cyberspace. Criminals take advantage of the easy access to force, dictionary attacks and rainbow table approaches. Lately,
information and the global access to victims. This leads newer, smarter methods have been proposed with higher
to a scale of crime that cannot be easily achieved in the recovery numbers, e.g., password candidate generation tools
physical world. As a result, it is becoming increasingly urgent based on Markov Chains [12], probabilistic context-free gram-
for law enforcement to be able to act swiftly in a digital mars [13] and variations of thereof [10], and combinator attack
forensic investigation especially in the cases where ongoing or tools, e.g., PRINCE2 .
future criminal acts must be prevented. Very often, password III. M ETHODOLOGY
protected accounts or encrypted devices act as a barrier for
Digital forensic investigators frequently find themselves
police personnel to conduct their lawful investigations [1].
working on a case where a password connected to a crime
Passwords have been the go-to method of user authentica-
needs to be retrieved. Many times, it is not possible to retrieve
tion for decades – a fact that does not look like it is about to
the password of a suspect in a timely manner. This is where
change. The difference in the last few years is the fast increase
tying the suspect to their associated contextual information
of online login systems with password policies that require
can prove fruitful. Context in this instance refers to contextual
passwords of different patterns, lengths and makeup [2]. This
information about a suspect that can be harnessed for the sake
leads to users having the tendency to either reuse the same
of making better “educated” guesses about their password.
password across different systems or to create passwords that
This information can stem from their online/offline life
are easy to remember (i.e., weaker) to keep up with the
and can be the product of traditional means of investigation,
different password policies [3], [4]. A significant portion of
passwords are therefore based on dictionary words [5] or 1 https://osintframework.com/
contextual information related to the user [6]. Taking this into 2 https://github.com/hashcat/princeprocessor
� about cooking. Current work is focused on the contextual
analysis of a large corpus of passwords stemming from online
leaks. Future work will include the refinement of this dataset
and the expansion of the scope of this analysis to more
contextual information. In addition, the manner with which
OSINT can be exploited and processed towards producing
meaningful data will be explored. This will subsequently be a
starting point for creating a bespoke, personalised dictionary
list to feed into password cracking tools.
R EFERENCES
[1] A. Sayakkara, N.-A. Le-Khac, and M. Scanlon, “A Survey of Elec-
tromagnetic Side-channel Attacks and Discussion on Their Case-
Progressing Potential for Digital Forensics,” Digital Investigation,
vol. 29, pp. 43 – 54, 2019.
[2] B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek,
Fig. 1. Password Generation Process
T. Passaro, R. Shay, T. Vidas, L. Bauer et al., “How does your password
measure up? The effect of strength meters on password creation,” in
Presented as part of the 21st USENIX Security Symposium USENIX
e.g., forensic investigation of the suspect’s residence and Security 12), 2012, pp. 65–80.
[3] S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer,
belongings or the digital investigation of the suspect (i.e., both N. Christin, L. F. Cranor, and S. Egelman, “Of Passwords and People:
their local devices and online presence). The latter type of Measuring the Effect of Password-Composition Policies,” in Proceedings
investigation can yield results including the suspect’s interests of the SIGCHI Conference on Human Factors in Computing Systems,
2011, pp. 2595–2604.
(e.g., sports, music, etc.), browsing history, other passwords, [4] N. Lord, “Uncovering Password Habits: Are
online interactions, family and pet names, etc. This is where Users’ Password Security Habits Improving?” Dec
OSINT can play a key role in an investigation. Already Social 2018. [Online]. Available: https://digitalguardian.com/blog/
uncovering-password-habits-are-users-password-security-habits-improving-infographic
Media Intelligence (SOCMINT) is used by law enforcement [5] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “Password Memora-
in order to gain pertinent, case-progressing information [14]. bility and Security: Empirical Results,” IEEE Security & Privacy, vol. 2,
It can be applied to online groups of users to detect patterns in no. 5, pp. 25–31, 2004.
[6] D. Wang, Z. Zhang, P. Wang, J. Yan, and X. Huang, “Targeted Online
social behaviour as well as to individual suspects [15]. OSINT Password Guessing: An Underestimated Threat,” in Proceedings of the
tools can extract information regarding the online presence of 2016 ACM SIGSAC Conference on Computer and Communications
a user or group of users from networks of acquaintances on Security, 2016, pp. 1242–1254.
[7] S. Pearman, J. Thomas, P. E. Naeini, H. Habib, L. Bauer, N. Christin,
social media. The prevalence of users increasingly living their L. F. Cranor, S. Egelman, and A. Forget, “Let’s go in for a closer look:
lives online can also result in sourcing their email addresses, Observing passwords in their natural habitat,” in Proceedings of the 2017
usernames, phone numbers, and exercise or sleeping patterns. ACM SIGSAC Conference on Computer and Communications Security,
2017, pp. 295–310.
The information gathered can then be leveraged, filtered [8] J. Bonneau, “The Science of Guessing: Analyzing an Anonymized
and translated to meaningful contextual data about the sus- Corpus of 70 Million Passwords,” in 2012 IEEE Symposium on Security
pect. Information retrieval and machine learning techniques and Privacy. IEEE, 2012, pp. 538–552.
[9] M. AlSabah, G. Oligeri, and R. Riley, “Your Culture is in Your Pass-
should be beneficial at this stage, based on the volume of word: An Analysis of a Demographically-Diverse Password Dataset,”
available data and whether an individualised or community- Computers & Security, vol. 77, pp. 427–441, 2018.
based approach is chosen. For the individual-based approach, [10] Y. Li, H. Wang, and K. Sun, “A Study of Personal Information in
Human-Chosen Passwords and Its Security Implications,” in IEEE
information gathered online and offline will be compiled. An INFOCOM 2016-The 35th Annual IEEE International Conference on
analysis on the raw data and a classification into categories is Computer Communications. IEEE, 2016, pp. 1–9.
the next step, in order to extract meaningful keywords that will [11] R. D. Steele, “Open source intelligence,” Handbook of Intelligence
Studies, vol. 42, no. 5, pp. 129–147, 2007.
represent user/community interests. In turn, these keywords [12] M. Dürmuth, F. Angelstorf, C. Castelluccia, D. Perito, and A. Chaabane,
will help law enforcement officers assemble a more useful “OMEN: Faster Password Guessing Using an Ordered Markov Enumer-
list of password candidates to enrich and complement existing ator,” in International Symposium on Engineering Secure Software and
Systems. Springer, 2015, pp. 119–132.
password guessing tools. A flowchart of this process can be [13] M. Weir, S. Aggarwal, B. De Medeiros, and B. Glodek, “Password
seen in Figure 1. Cracking Using Probabilistic Context-Free Grammars,” in 2009 30th
IEEE Symposium on Security and Privacy. IEEE, 2009, pp. 391–405.
IV. C ONCLUSION AND F UTURE W ORK [14] R. C. Van der Hulst, “Introduction to Social Network Analysis (SNA)
as an Investigative Tool,” Trends in Organized Crime, vol. 12, no. 2, pp.
To validate the proposed hypothesis, i.e., prove that context 101–121, 2009.
[15] A. L. Ivan, C. A. Iov, R. C. Lutai, and M. N. Grad, “Social Media In-
does play a role in the selection of passwords, our future work telligence: Opportunities and Limitations,” CES Working Papers, vol. 7,
will firstly focus on a community-based approach. The reason no. 2A, p. 505, 2015.
for this, is the current lack of available data for individuals and [16] D. Fleurbaaij, M. Scanlon, and N.-A. Le-Khac, “Privileged Data within
Digital Evidence,” in Proceedings of the 16th IEEE International
the sensitivity of this data [16]. As one example, a community Conference On Trust, Security And Privacy In Computing And Com-
of users on an anime forum would be expected to have a higher munications (TrustCom-17). Sydney, Australia: IEEE, 08 2017, pp.
percentage of passwords related to anime than a community 737–744.
