<i>TransPCFG</i> : Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively
Weili Han, Ming Xu, Junjie Zhang, Chuanwang Wang, Peiyan Zhang, X. Sean Wang
Abstract
Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods’ performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> , that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${10}^{14}$ </tex-math></inline-formula> offline guesses. For passwords with 16 characters, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">12zxcvbnword1997</i> has four segments since it follows the template <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ </tex-math></inline-formula> . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.