A Neural Attack Model for Cracking Passwords in Adversarial Environments

In many scenarios, a user has to enter a text or graphical password in a public area, for example when unlocking a smartphone on the street or when paying with a debit card in a shopping mall. However, the environment where the password is entered may be adversarial, as it is almost impossible to prevent adversaries from deliberately installing surveillance and/or eavesdropping equipment in public areas beforehand. In this work, we investigate password security in such extreme adversarial environments, in which every single interaction between humans (provers) and input terminals (verifiers) is transparent to the attacker. We first present a neural network-based attack model, which consists of a feature extraction model and a prediction model. Experimental results show that the neural model attains an accuracy of more than 80% in password prediction in three real-world authentication systems. We also propose a risk alert system based on the attack model, which can issue a timely warning notice when the password in use is at high security risk.
