TY - GEN
T1 - Learning Password Modification Patterns with Recurrent Neural Networks
AU - Nosenko, Alex
AU - Cheng, Yuan
AU - Chen, Haiquan
N1 - Publisher Copyright: © 2022, Springer Nature Switzerland AG.
PY - 2022
Y1 - 2022
N2 - The majority of online services continue their reliance on text-based passwords as the primary means of user authentication. With a growing number of these services and the limited creativity and memory to come up with new memorable passwords, users tend to reuse their passwords across multiple platforms. These factors, combined with the increasing amount of leaked passwords, make passwords vulnerable to cross-site guessing attacks. Over the years, several popular methods have been proposed to predict subsequently used passwords, such as dictionary attacks, rule-based approaches, neural networks, and combinations of the above. In this paper, we work with a dataset of 28.8 million users and their 61.5 million passwords, where there is at least one pair of passwords available for each user. We exploit the correlation between the similarity and predictability of these subsequent passwords. We build on the idea of a rule-based approach but delegate rule derivation, classification, and prediction to a Recurrent Neural Network (RNN). We limit the number of guessing attempts to ten yet get an astonishingly high prediction accuracy of up to 83% in under five attempts in several categories, which is twice as much as any other known models or algorithms. It makes our model an effective solution for real-time password guessing against online services without getting spotted or locked out. To the best of our knowledge, this study is the first attempt of its kind using RNN.
KW - Authentication
KW - Passwords
KW - Recurrent neural networks
UR - http://www.scopus.com/inward/record.url?scp=85126257201&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-97532-6_7
DO - 10.1007/978-3-030-97532-6_7
M3 - Conference contribution
AN - SCOPUS:85126257201
SN - 9783030975319
T3 - Communications in Computer and Information Science
SP - 110
EP - 129
BT - Secure Knowledge Management In The Artificial Intelligence Era - 9th International Conference, SKM 2021, Proceedings
A2 - Krishnan, Ram
A2 - Rao, H. Raghav
A2 - Sahay, Sanjay K.
A2 - Samtani, Sagar
A2 - Zhao, Ziming
PB - Springer Science and Business Media Deutschland GmbH
T2 - 9th International Conference On Secure Knowledge Management In Artificial Intelligence Era, SKM 2021
Y2 - 8 October 2021 through 9 October 2021
ER -