Stolen passwords integrated into the ultimate dictionary attack

Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes.

In a paper [PDF] presented at the ACM Conference of Communication and Systems Security (CCS) in late October, security researchers from China and the UK describe a system for targeted password guessing that finds that a sizable fraction of people’s online passwords are vulnerable to attack.