Using Personal Information for Targeted Attacks in Grammar based Probabilistic Password Cracking

Passwords continue to be the primary means of authentication and security for online accounts and use in encrypting files and disks. The goal of this paper is to show how knowledge of personal information about a user can systematically be added to improve a password cracking task. In this paper we focus on the dictionary-based probabilistic context-free grammar (PCFG) approach to password cracking that trains on revealed password sets and then uses the learned grammar to generate guesses in optimal probability order. We show that we can effectively incorporate personal information about a target into the PCFG password cracking system in a very straight forward manner to assist in a targeted attack. We first develop a mathematical model of merging multiple grammars that combines the characteristics of the component grammars. Then we show how various component grammars and dictionaries can be derived using personal information about the target. The component grammars model various types of personal information such as family names and dates, previous password information, and possible information about sequential passwords known. The resulting merged target grammar (also merged with a standard grammar) and various target dictionaries generates guesses that more quickly match the target’s password when personal information is used. Our results show that the password cracking is significantly improved using our approach. Furthermore, our software system is a separate module that can directly be used with the PCFG system since it does not modify the original code.