Evaluation And Improvement Of Password Guessing Algorithm

Posted on: 2021-10-18 | Degree: Master | Type: Thesis
Country: China | Candidate: J Zhang
GTID: 2518306047488084 | Subject: Cyberspace security

Abstract/Summary:
Nowadays, people's daily lives are inseparable from the Internet. Identity authentication is the foundation of Internet security, and password authentication, as the most widely used authentication method, naturally receives close attention. In recent years, password guessing algorithms have attracted more and more attention in the field of password security.

On the one hand, password strength meters (PSMs) based on password guessing algorithms can help users choose strong passwords. However, because password types are so diverse, a password strength meter that uses only one algorithm cannot evaluate password strength objectively. This requires us to explore which types of passwords each password guessing algorithm guesses more easily, and to comprehensively analyze and evaluate the characteristics of the various algorithms. On the other hand, an attacker who is aware of the diversity of password types is likely to use more than one algorithm. Unfortunately, existing work does not pay attention to this problem, nor does it comprehensively and deeply describe the capabilities of the attacker in this situation. In response to these two problems, this paper carries out the following two parts of work.

In the first part, to study the characteristics of different password guessing algorithms, this paper first analyzes various existing typical password guessing algorithms in terms of assumptions, recognized information, and theoretical models, to help people understand the inherent characteristics of these algorithms. It then compares the features of the passwords guessed by five representative password guessing algorithms in two cases: limited password storage space and inadequate password cracking time. Analysis of the experimental results shows that the distributions of passwords guessed by different algorithms differ in terms of relevance to personal information and password strength; that is, different types of passwords are cracked by different algorithms. For the same guess number, two algorithms together guess more passwords than one algorithm. The time required for different algorithms to generate passwords is affected by the identified information and the theoretical models. The storage space needed to store the produced password set is influenced by the use of personal information.

In the second part, in response to the question of what capability an attacker gains by employing multiple algorithms in combination, this paper proposes a hybrid password guessing algorithm, PaMLGuess (PCFG and Mapped LSTM Guess). PaMLGuess uses a probabilistic context-free grammar (PCFG) to identify the composition of the password and the personal information in the password, applies a long short-term memory (LSTM) neural network to model password segments so as to generate password segments that do not appear in the training set, and uses probability mapping to solve the problem that the two cannot be combined directly because the password segment probabilities they give differ by several orders of magnitude. The experimental results show that, when the guess number is not greater than 1000, the performance of this algorithm is almost the same as that of TarGuess-I. When the guess number is 2 million, the algorithm guesses 5.48% more of the test set passwords than TarGuess-I.

This paper aims to help people understand the characteristics of existing password guessing algorithms, clarify the capability that an attacker can obtain using a single algorithm or a combination of multiple algorithms, and further help system administrators estimate password strength more accurately and enhance the security of systems or services that are based on password authentication.
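As an added illustration (not code from the thesis), the following sketch shows the PCFG step described above from a strength meter's side: a password is split into personal-information and letter/digit/symbol segments and scored as P(structure) times the segment probabilities. The `NAME`/`BIRTH` tags, the `PCFGMeter` class and the training pairs are assumptions constructed for this example; the LSTM and probability-mapping stages are not reproduced.

```python
from collections import Counter
# Constructed training pairs (password, owner's personal info); not real data.
TRAIN = [("zhang1990", {"NAME": "zhang", "BIRTH": "1990"}),
         ("lily123", {"NAME": "lily", "BIRTH": "1988"}),
         ("password1", {"NAME": "wei", "BIRTH": "1995"}),
         ("qwerty123", {"NAME": "chen", "BIRTH": "1992"})]

def char_class(ch):
    return "L" if ch.isalpha() else "D" if ch.isdigit() else "S"
def personal_hit(password, i, personal):
    """Longest personal-info value that starts at offset i, as (tag, value)."""
    hits = [(t, v) for t, v in personal.items()
            if v and password.lower().startswith(v.lower(), i)]
    return max(hits, key=lambda h: len(h[1]), default=None)

def segment(password, personal=None):
    """Split into (tag, text): hypothetical NAME/BIRTH tags, else L/D/S runs."""
    personal, segs, i = personal or {}, [], 0
    while i < len(password):
        hit = personal_hit(password, i, personal)
        j = i + (len(hit[1]) if hit else 1)
        while (not hit and j < len(password)
               and char_class(password[j]) == char_class(password[i])
               and not personal_hit(password, j, personal)):
            j += 1  # extend the run until the class changes or personal info starts
        tag = hit[0] if hit else f"{char_class(password[i])}{j - i}"
        segs.append((tag, password[i:j]))
        i = j
    return segs

class PCFGMeter:
    """Scores P(password) = P(structure) * product of P(segment | tag)."""
    def __init__(self, training):
        self.structs, self.terms = Counter(), {}
        for pw, info in training:
            segs = segment(pw, info)
            self.structs[tuple(t for t, _ in segs)] += 1
            for tag, text in segs:
                if tag not in info:  # personal segments are not memorised as strings
                    self.terms.setdefault(tag, Counter())[text] += 1

    def probability(self, password, personal=None):
        segs = segment(password, personal)
        p = self.structs[tuple(t for t, _ in segs)] / sum(self.structs.values())
        # Segments matching known personal info are skipped: they add no uncertainty.
        for tag, text in (s for s in segs if s[0] not in (personal or {})):
            seen = self.terms.get(tag, Counter())
            p *= seen[text] / sum(seen.values()) if seen else 0.0
        return p
```

On the constructed data, `PCFGMeter(TRAIN).probability("wang1987")` is 0.0 without the owner's details and 0.25 with `{"NAME": "wang", "BIRTH": "1987"}`, which is the gap a meter misses when it ignores personal information.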
Keywords/Search Tags: password guessing algorithm, evaluation, probabilistic context-free grammars, long short-term memory neural network, probability mapping