35 result(s) for "password guessing"
A Systematic Review on Password Guessing Tasks
Recently, many password guessing algorithms have been proposed, seriously threatening cyber security. In this paper, we systematically review over thirty methods for password guessing published between 2016 and 2023. First, we introduce a taxonomy for classifying the existing methods into trawling guessing and targeted guessing. Second, we present an extensive benchmark dataset that can assist researchers and practitioners in successive works. Third, we conduct a bibliometric analysis to present trends in this field and cross-citation between reviewed papers. Further, we discuss the open challenges of password guessing in terms of diverse application scenarios, guessing efficiency, and the combination of traditional and deep learning methods. Finally, this review presents future research directions to guide successive research and development of password guessing.
PassTCN-PPLL: A Password Guessing Model Based on Probability Label Learning and Temporal Convolutional Neural Network
The frequent incidents of password leakage have increased people’s attention and research on password security. Password guessing is an essential part of password cracking and password security research. The progression of deep learning technology provides a promising way to improve the efficiency of password guessing. However, the mainstream models proposed for password guessing, such as RNN (or other variants, such as LSTM, GRU), GAN and VAE still face some problems, such as the low efficiency and high repetition rate of the generated passwords. In this paper, we propose a password-guessing model based on the temporal convolutional neural network (PassTCN). To further improve the performance of the generated passwords, we propose a novel password probability label-learning method, which reconstructs labels based on the password probability distribution of the training set and deduplicates the training set when training. Experiments on the RockYou dataset showed that, when generating 10^8 passwords, the coverage rate of PassTCN with password probability label learning (PassTCN-PPLL) reached 12.6%, which is 87.2%, 72.6% and 42.9% higher than PassGAN (a password-guessing model based on GAN), VAEPass (a password-guessing model based on VAE) and FLA (a password-guessing model based on LSTM), respectively. The repetition rate of our model is 25.9%, which is 45.1%, 31.7% and 17.4% lower than that of PassGAN, VAEPass and FLA, respectively. The results confirm that our approach not only improves the coverage rate but also reduces the repetition rate.
Efficient and Security Enhanced Anonymous Authentication with Key Agreement Scheme in Wireless Sensor Networks
At present, users can utilize an authenticated key agreement protocol in a Wireless Sensor Network (WSN) to securely obtain desired information, and numerous studies have investigated authentication techniques to construct efficient, robust WSNs. Chang et al. recently presented an authenticated key agreement mechanism for WSNs and claimed that their authentication mechanism can both prevent various types of attacks, as well as preserve security properties. However, we have discovered that Chang et al’s method possesses some security weaknesses. First, their mechanism cannot guarantee protection against a password guessing attack, user impersonation attack or session key compromise. Second, the mechanism results in a high load on the gateway node because the gateway node should always maintain the verifier tables. Third, there is no session key verification process in the authentication phase. To this end, we describe how the previously-stated weaknesses occur and propose a security-enhanced version for WSNs. We present a detailed analysis of the security and performance of our authenticated key agreement mechanism, which not only enhances security compared to that of related schemes, but also takes efficiency into consideration.
Cross-Domain Feature Enhancement-Based Password Guessing Method for Small Samples
As a crucial component of account protection system evaluation and intrusion detection, the advancement of password guessing technology encounters challenges due to its reliance on password data. In password guessing research, there is a conflict between the traditional models’ need for large training samples and the limitations on accessing password data imposed by privacy protection regulations. Consequently, security researchers often struggle with the issue of having a very limited password set from which to guess. This paper introduces a small-sample password guessing technique that enhances cross-domain features. It analyzes the password set using probabilistic context-free grammar (PCFG) to create a list of password structure probabilities and a dictionary of password fragment probabilities, which are then used to generate a password set structure vector. The method calculates the cosine similarity between the small-sample password set B from the target area and publicly leaked password sets Ai using the structure vector, identifying the set Amax with the highest similarity. This set is then utilized as a training set, where the features of the small-sample password set are enhanced by modifying the structure vectors of the training set. The enhanced training set is subsequently employed for PCFG password generation. The paper uses hit rate as the evaluation metric, and Experiment I reveals that the similarity between B and Ai can be reliably measured when the size of B exceeds 150. Experiment II confirms the hypothesis that a higher similarity between Ai and B leads to a greater hit rate of Ai on the test set of B, with potential improvements of up to 32% compared to training with B alone. Experiment III demonstrates that after enhancing the features of Amax, the hit rate for the small-sample password set can increase by as much as 10.52% compared to previous results. This method offers a viable solution for small-sample password guessing without requiring prior knowledge.
TGI-FPR: An Improved Multi-Label Password Guessing Model
TarGuess-I is a leading model utilizing Personally Identifiable Information for online targeted password guessing. Due to its remarkable guessing performance, the model has drawn considerable attention in password security research. However, through an analysis of the vulnerable behavior of users when constructing passwords by combining popular passwords with their Personally Identifiable Information, we identified that the model fails to consider popular passwords and frequent substrings, and it uses overly broad personal information categories, with extensive duplicate statistics. To address these issues, we propose an improved password guessing model, TGI-FPR, which incorporates three semantic methods: (1) identification of popular passwords by generating top 300 lists from similar websites, (2) use of frequent substrings as new grammatical labels to capture finer-grained password structures, and (3) further subdivision of the six major categories of personal information. To evaluate the performance of the proposed model, we conducted experiments on six large-scale real-world password leak datasets and compared its accuracy within the first 100 guesses to that of TarGuess-I. The results indicate a 2.65% improvement in guessing accuracy.
Improving targeted password guessing attacks by using personally identifiable information and old password
Text-based passwords serve as a primary means of authentication and play a crucial role in securing information systems. However, easy-to-remember passwords are often vulnerable to targeted password guessing attacks. Research on targeted password guessing not only deepens our understanding of password security but also contributes to enhancing the security of information systems. Although the use of Personally Identifiable Information (PII) and old passwords has been shown to significantly improve the accuracy of targeted password guessing, there has been little research on the combined use of both PII and old passwords for guessing. In an era where PII and old passwords are increasingly accessible, assessing the threat posed by attackers using both PII and old passwords in targeted password guessing is an urgent security issue. To address this gap, we first analyze leaked password and personal information datasets, demonstrating that PII and old passwords critically influence users’ password creation behavior. Then, to simulate the security risks posed by attackers who know both PII and old passwords, we propose the PassGLM model, a model fine-tuned on a targeted password guessing task dataset based on glm-4-9b. PassGLM is capable of generating highly targeted guesses by leveraging both PII and old passwords. Experiments show that PassGLM significantly outperforms leading models that use only PII or only old passwords in terms of guess success rates. Our research demonstrates that combining PII and old passwords can substantially improve the accuracy of password guessing, and that using large language models as tools is an effective way to achieve this improvement.
Password-Guessing Attack-Aware Authentication Scheme Based on Chinese Remainder Theorem for 5G-Enabled Vehicular Networks
The new fifth-generation (5G) cellular networks dramatically improve the speed of message transmissions. Most existing authentication schemes that secure 5G communication rely heavily on the vehicle’s tamper-proof device (TPD) and roadside units (RSUs) to store the system’s master key. However, it only takes a single compromised TPD to render the whole system insecure. We propose a password-guessing attack-aware authentication scheme based on the Chinese Remainder Theorem (CRT) to secure inter-vehicle communication on 5G-enabled vehicular networks to address this issue. The trusted authorities (TAs) in the proposed scheme generate and broadcast new group keys to the vehicles assisted by CRT. Moreover, since the system’s master key does not need to be preloaded, the proposed scheme only requires realistic TPDs. The proposed scheme overcomes password-guessing attacks and guarantees top-level security for entire 5G-enabled vehicular networks. The security analysis indicates that the proposed scheme is secure against adaptive chosen-message attacks under the random oracle model and meets the security requirements of a 5G-enabled vehicular network. Since cryptographic operations based on elliptic curve cryptography are employed, the performance evaluation shows that the proposed scheme outperforms the eight existing schemes in terms of computation and communication costs.
HTDcr: a job execution framework for high-throughput computing on supercomputers
High-throughput computing (HTC) is a computing paradigm that aims to accomplish jobs by easily breaking them into smaller, independent components. However, it requires a large amount of computing power for a long time. Most existing HTC frameworks are job-oriented without support for coscheduling with hardware architecture and task-level execution. Also, most of the frameworks reach a limited scale, and their usability needs further improvement. Herein, we present HTDcr, a job execution framework for the HTC on supercomputers. This study aims to improve the throughput, task dispatching, and usability of the framework. In detail, the throughput optimizations include a sophisticated designed task management system, a hierarchical scheduler, and the co-optimization of the task-scheduling strategy with the application and hardware characteristics. The optimizations for usability include a programable execution workflow, mechanisms for more robust and reliable service qualities, and a fine-grained resource allocation system for the colocation of multiple jobs. According to our evaluations, HTDcr can achieve outstanding scalability and high throughput on large-scale clusters for the HTC workload. We evaluate HTDcr with several microbenchmarks and real-world applications on Tianhe-2 and Sunway TaihuLight to demonstrate its effects on existing design mechanisms. For instance, the task scheduling for two real-world applications integrated with the application and hardware characteristics achieves 1.7× and 1.9× speedups over the basic task-scheduling strategy.
Similarities: The Key Factors Influencing Cross-Site Password Guessing Performance
Password guessing is a crucial research direction in password security, considering vulnerabilities like password reuse and data breaches. While research has extensively explored intra-site password guessing, the complexities of cross-site attacks, where attackers use leaked data from one site to target another, remain less understood. This study investigates the impact of dataset feature similarity on cross-site password guessing performance, revealing that dataset differences significantly influence guessing success more than model variations. By analyzing eight password datasets and four guessing methods, we identified eight key features affecting guessing success, including general data features like length distribution and specific semantic features like PCFG grammar. Our research reveals that syntactic and statistical patterns in passwords, particularly PCFG features, are most effective for cross-site password guessing due to their strong generalization across datasets. The Spearman correlation coefficient of 0.754 between PCFG feature similarity and guessing success rate indicates a significant positive correlation, unlike the minimal impact of length distribution features (0.284). These findings highlight the importance of focusing on robust semantic features like PCFG for improving password guessing techniques and security strategies. Additionally, the study underscores the importance of dataset selection for attackers and suggests that defenders can enhance security by mitigating feature similarity with commonly leaked data.
Design of a Password Authentication and Key Agreement Scheme to Access e-Healthcare Services
The telecare medical information system (TMIS) offers remote healthcare services to the patients at their doorstep. Including this serenity, it is compulsory to preserve privacy and to give guaranty to the patients for secured TMIS communication. Authentication protocols are usually exploited to ensure privacy and protect communication between patients and remote assistance. Currently, we observe the inaccuracy of an authentication protocol for TMIS. The scheme is recently proposed by Qiu et al. to realize healthcare services. We find that their protocol is vulnerable to offline password guessing, replay, and anonymity violation attacks. To avoid these weaknesses, we have developed an improved biometric-based protocol. Our proposed protocol is capable to prevent the said attacks. We validate the security of our proposed protocol using Burrows–Abadi–Needham logic. We compare the performance of the proposed protocol with the preceding protocols and conclude that the proposed protocol is more secure and efficient as compared to its former counterparts.