<p>Text-based passwords serve as a primary means of authentication and play a crucial role in securing information systems. However, easy-to-remember passwords are often vulnerable to targeted password guessing attacks. Research on targeted password guessing not only deepens our understanding of password security but also contributes to enhancing the security of information systems. Although the use of Personally Identifiable Information (PII) and old passwords has been shown to significantly improve the accuracy of targeted password guessing, there has been little research on the combined use of both PII and old passwords for guessing. In an era where PII and old passwords are increasingly accessible, assessing the threat posed by attackers using both PII and old passwords in targeted password guessing is an urgent security issue. To address this gap, we first analyze leaked password and personal information datasets, demonstrating that PII and old passwords critically influence users’ password creation behavior. Then, to simulate the security risks posed by attackers who know both PII and old passwords, we propose the PassGLM model, a model fine-tuned on a targeted password guessing task dataset based on glm-4-9b. PassGLM is capable of generating highly targeted guesses by leveraging both PII and old passwords. Experiments show that PassGLM significantly outperforms leading models that use only PII or only old passwords in terms of guess success rates. Our research demonstrates that combining PII and old passwords can substantially improve the accuracy of password guessing, and that using large language models as tools is an effective way to achieve this improvement.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Improving targeted password guessing attacks by using personally identifiable information and old password

  • Wei Ou,
  • Chengliang Sun,
  • Mengxue Pang,
  • Qiuling Yue,
  • Yanshuo Zhang,
  • Wenbao Han

摘要

Text-based passwords serve as a primary means of authentication and play a crucial role in securing information systems. However, easy-to-remember passwords are often vulnerable to targeted password guessing attacks. Research on targeted password guessing not only deepens our understanding of password security but also contributes to enhancing the security of information systems. Although the use of Personally Identifiable Information (PII) and old passwords has been shown to significantly improve the accuracy of targeted password guessing, there has been little research on the combined use of both PII and old passwords for guessing. In an era where PII and old passwords are increasingly accessible, assessing the threat posed by attackers using both PII and old passwords in targeted password guessing is an urgent security issue. To address this gap, we first analyze leaked password and personal information datasets, demonstrating that PII and old passwords critically influence users’ password creation behavior. Then, to simulate the security risks posed by attackers who know both PII and old passwords, we propose the PassGLM model, a model fine-tuned on a targeted password guessing task dataset based on glm-4-9b. PassGLM is capable of generating highly targeted guesses by leveraging both PII and old passwords. Experiments show that PassGLM significantly outperforms leading models that use only PII or only old passwords in terms of guess success rates. Our research demonstrates that combining PII and old passwords can substantially improve the accuracy of password guessing, and that using large language models as tools is an effective way to achieve this improvement.