Personalized Password Guessing via Modeling Multiple Leaked Credentials of the Same User
摘要
As password breaches increase, users frequently face multiple password leaks. Because of memory limitations, users often reuse or slightly modify their passwords across different accounts. This behavior makes targeted password-guessing attacks, which leverage leaked passwords, a serious security threat. While previous studies have primarily focused on single-leak scenarios, where the attacker possesses only one leaked password, multi-leak scenarios remain insufficiently explored. In this work, we propose Pass2Pass-T, a model designed to capture similarities across multiple passwords from the same user. Pass2Pass-T leverages Transformers to predict a target password from multiple leaked passwords of the same user. Additionally, we are the first to empirically evaluate the multi-leak attacks on real-world password datasets. In multi-leak scenarios, Pass2Pass-T enhances the Transformer with input compression and segmented positional encoding, tailored to the distinct characteristics of password sequences unlike natural language texts. It also utilizes transfer learning to effectively model patterns across multiple passwords. With five leaked passwords, our model compromises 4.87% of user accounts on the first guess, achieving a 7.27 \(\times \) improvement over state-of-the-art strategies that process each leaked password individually. In single-leak scenarios, Pass2Pass-T matches existing models at 1,000 guesses and achieves a 4.46% improvement at \(10^{7}\) guesses.