• Corpus ID: 2320797

Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks

@inproceedings{Melicher2016FastLA,
  title={Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks},
  author={William Melicher and Blase Ur and Saranga Komanduri and Lujo Bauer and Nicolas Christin and Lorrie Faith Cranor},
  booktitle={USENIX Annual Technical Conference},
  year={2016}
}
Human-chosen text passwords, today's dominant form of authentication, are vulnerable to guessing attacks. [...] Key Method: We show that neural networks can often guess passwords more effectively than state-of-the-art approaches, such as probabilistic context-free grammars and Markov models. We also show that our neural networks can be highly compressed, to as little as hundreds of kilobytes, without substantially worsening guessing effectiveness. Building on these results, we implement in JavaScript the first…
PassGAN: A Deep Learning Approach for Password Guessing
TLDR
PassGAN is a novel approach that replaces human-generated password rules with theory-grounded machine learning algorithms and uses a Generative Adversarial Network to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses.
GENPass: A Multi-Source Deep Learning Model for Password Guessing
TLDR
This paper proposes GENPass, a multi-source deep learning model for generating “general” passwords, and is the first to combine a neural network with PCFG, and demonstrates that the matching rate of GENPass is 20% higher than by simply mixing datasets in the cross-site test.
Better Passwords through Science (and Neural Networks)
TLDR
The measurements of the effectiveness of neural networks at guessing passwords are reported, demonstrating that they outperform other popular methods of modeling adversarial password guessing.
GENPass: A General Deep Learning Model for Password Guessing with PCFG Rules and Adversarial Generation
Password has become today's dominant method of authentication in social network. While the brute-force attack methods, such as HashCat and John the Ripper, are unpractical, the research then switches
Beyond Credential Stuffing: Password Similarity Models Using Neural Networks
TLDR
This work recast one of the core technical challenges underlying targeted attacks as the task of modeling similarity of human-chosen passwords, and proposes the first-ever defense against such targeted attacks, by way of personalized password strength meters (PPSMs).
Chunk-Level Password Guessing: Towards Modeling Refined Password Composition Representations
TLDR
A password-specific segmentation method that can automatically split passwords into several chunks is proposed, and three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models are built.
Password Guessing via Neural Language Modeling
TLDR
The neural network, approximating target probability distribution through iteratively training its parameters, was used to model passwords by some researches, but since the network architectures they used are simple and straightforward, there are many ways to improve it.
Modeling Password Guessing with Neural Networks
Passwords still dominate the authentication space, but they are vulnerable to many different attacks; in recent years, guessing attacks in particular have notably caused a few high-profile
TransPCFG: Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively
TLDR
It is found that long password-composition policies requiring more segments are more resistant to guessing attacks, and it is recommended to create long passwords with four or more segments instead of the widely recommended more character classes for security.
Modeling Password Guessability via Variational Auto-Encoder
  • Jinwei Wang, Yong Li, Xi Chen, Yongbin Zhou
  • Computer Science
    2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD)
  • 2021
TLDR
PGVAE, a password guessing model based on variational autoencoder that can learn highly structured and continuous latent representations of passwords and then generate high-quality candidate guesses, is proposed.

References

SHOWING 1-10 OF 115 REFERENCES
Measuring Real-World Accuracies and Biases in Modeling Password Guessability
TLDR
It is found that semi-automated cracking by professionals outperforms popular fully automated approaches, but can be approximated by combining multiple such approaches, and constitutes the first scientific evidence that automated guessing can often approximate guessing by professionals.
Password Strength: An Empirical Analysis
TLDR
It is found that a "diminishing returns" principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude.
Monte Carlo Strength Evaluation: Fast and Reliable Password Checking
TLDR
A novel method to estimate the number of guesses needed to find a password using modern attacks is proposed, which requires little resources, applies to a wide set of probabilistic models, and is characterised by highly desirable convergence properties.
Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
TLDR
An efficient distributed method is developed for calculating how effectively several heuristic password-guessing algorithms guess passwords, and the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates is investigated.
Fast dictionary attacks on passwords using time-space tradeoff
TLDR
It is demonstrated that as long as passwords remain human-memorable, they are vulnerable to "smart-dictionary" attacks even when the space of potential passwords is large, calling into question viability of human-memorable character-sequence passwords as an authentication mechanism.
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
  • Joseph Bonneau
  • Computer Science
    2012 IEEE Symposium on Security and Privacy
  • 2012
TLDR
It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Measuring password guessability for an entire university
TLDR
This work studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy to find significant correlations between a number of demographic and behavioral factors and password strength.
A Study of Probabilistic Password Models
TLDR
This paper finds that Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state-of-the-art password model in recent research.
Neural Network Techniques for Proactive Password Checking
TLDR
This paper is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers and shows that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies.
The Tangled Web of Password Reuse
TLDR
This paper investigates for the first time how an attacker can leverage a known password from one site to more easily guess that user's password at other sites and develops the first cross-site password-guessing algorithm, able to guess 30% of transformed passwords within 100 attempts.