Chunk-Level Password Guessing: Towards Modeling Refined Password Composition Representations

“…Moreover, the pre-trained language models [85][86][87][88] have been in full swing in the field of natural language processing in recent years. However, only one work [61] has discussed the paradigm of pre-training/finetuning regarding password guessing. Therefore, it might also be a good idea to combine the powerful general language modeling capabilities of pre-trained language models with the existing password guessing efforts.…”

“…As research progressed, related techniques gradually flowed from NLP to other fields, such as computer vision (CV), speech, biology, chemistry, etc. Similarly, there are some Transformer-based approaches in the research related to trawling password guessing [60,61].…”

“…The work introduces message weights to data preprocessing and uses an improved beam search algorithm in the model to quickly search for the top-ranked password guesses. Differently, in [61], the authors proposed a bi-directional-Transformer-based guessing framework called PassBERT, which applied the paradigm of pre-training/fine-tuning to the password cracking for the first time. Specifically, first, the authors designed generalized password pre-training models that contain the knowledge of general password distributions.…”

“…[ 24 ] extracted the semantic segments in the password based on word cohesion and freedom degree and improved the PCFG algorithm based on the semantic segments. Differently, in work [ 25 ], the authors regarded the password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently to model passwords. This chunk segmentation method, called PwdSegment, extends the Byte-Pair Encoding (BPE) [ 26 ] algorithm by using the configurable parameter of an average length of chunk vocabularies to replace the number of the merge operations.…”

A Systematic Review on Password Guessing Tasks

“…Moreover, the pre-trained language models [85][86][87][88] have been in full swing in the field of natural language processing in recent years. However, only one work [61] has discussed the paradigm of pre-training/finetuning regarding password guessing. Therefore, it might also be a good idea to combine the powerful general language modeling capabilities of pre-trained language models with the existing password guessing efforts.…”

“…As research progressed, related techniques gradually flowed from NLP to other fields, such as computer vision (CV), speech, biology, chemistry, etc. Similarly, there are some Transformer-based approaches in the research related to trawling password guessing [60,61].…”

“…The work introduces message weights to data preprocessing and uses an improved beam search algorithm in the model to quickly search for the top-ranked password guesses. Differently, in [61], the authors proposed a bi-directional-Transformer-based guessing framework called PassBERT, which applied the paradigm of pre-training/fine-tuning to the password cracking for the first time. Specifically, first, the authors designed generalized password pre-training models that contain the knowledge of general password distributions.…”

“…[ 24 ] extracted the semantic segments in the password based on word cohesion and freedom degree and improved the PCFG algorithm based on the semantic segments. Differently, in work [ 25 ], the authors regarded the password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently to model passwords. This chunk segmentation method, called PwdSegment, extends the Byte-Pair Encoding (BPE) [ 26 ] algorithm by using the configurable parameter of an average length of chunk vocabularies to replace the number of the merge operations.…”

A Systematic Review on Password Guessing Tasks

“…To show this benefit with these distributions, we allow the brat to attack using TG-I (the most user information), but the defending site to blocklist passwords guessable in 10 6 guesses using TG-I ′′ , TG-I ′′′ , or PCFG (i.e., less user information), preventing the user from setting such a password. We select a per-user blocklist of size 10 6 in accordance with blocklist size recommendations (e.g., [34]) and since passwords guessable in 10 6 guesses are typically categorized as weak by password strength meters (e.g., [22], [43]). To estimate the effects of this blocklisting, we formulate P ( ≤ r) using two line segments, one for r ≤ 10 6 in which P ( ≤ r) is suppressed by the blocklist, and one for r > 10 6 in which the ground lost when r ≤ 10 6 is recovered.…”

Bernoulli Honeywords

Improving Deep Learning Based Password Guessing Models Using Pre-processing