{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T11:43:15Z","timestamp":1743075795519,"version":"3.40.3"},"publisher-location":"Cham","reference-count":29,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783031081460"},{"type":"electronic","value":"9783031081477"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,6,15]],"date-time":"2022-06-15T00:00:00Z","timestamp":1655251200000},"content-version":"vor","delay-in-days":165,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>A password guesser often uses wordlists (e.g. lists of previously leaked passwords, dictionaries of words in different languages, and lists of the most common passwords) to guess unknown passwords. The attacker needs to make a decision about what guesses to make and in what order. In an online guessing environment this is particularly important as they may be locked out after a certain number of wrong guesses. In this paper, we employ a multi-armed bandit model to show that an adaptive strategy can actively learn characteristics of the passwords it is guessing, and can leverage this information to dynamically weight the most appropriate wordlist. We also show that this can be used to identify the nationality of the users in a password set, and that guessing can be improved by guessing using passwords chosen by other users of the same nationality.<\/jats:p>","DOI":"10.1007\/978-3-031-08147-7_27","type":"book-chapter","created":{"date-parts":[[2022,6,14]],"date-time":"2022-06-14T16:43:08Z","timestamp":1655224988000},"page":"393-413","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Choosing Wordlists for\u00a0Password Guessing: An Adaptive Multi-armed Bandit Approach"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5349-4011","authenticated-orcid":false,"given":"Hazel","family":"Murray","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6947-586X","authenticated-orcid":false,"given":"David","family":"Malone","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,6,15]]},"reference":[{"key":"27_CR1","doi-asserted-by":"publisher","first-page":"427","DOI":"10.1016\/j.cose.2018.03.014","volume":"77","author":"M AlSabah","year":"2018","unstructured":"AlSabah, M., Oligeri, G., Riley, R.: Your culture is in your password: an analysis of a demographically-diverse password dataset. Comput. Secur. 77, 427\u2013441 (2018)","journal-title":"Comput. Secur."},{"key":"27_CR2","unstructured":"Castelluccia, C., Chaabane, A., D\u00fcrmuth, M., Perito, D.: When privacy meets security: leveraging personal information for password cracking. arXiv preprint arXiv:1304.6584 (2013)"},{"key":"27_CR3","doi-asserted-by":"crossref","unstructured":"Dell\u2019Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: INFOCOM, 2010 Proceedings IEEE, pp. 1\u20139. IEEE (2010)","DOI":"10.1109\/INFCOM.2010.5461951"},{"key":"27_CR4","doi-asserted-by":"publisher","unstructured":"D\u00fcrmuth, M., Angelstorf, F., Castelluccia, C., Perito, D., Chaabane, A.: OMEN: faster password guessing using an ordered Markov enumerator. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 119\u2013132. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-15618-7_10","DOI":"10.1007\/978-3-319-15618-7_10"},{"key":"27_CR5","doi-asserted-by":"crossref","unstructured":"Golla, M., D\u00fcrmuth, M.: On the accuracy of password strength meters. In: CCS 2018, pp. 1567\u20131582 (2018)","DOI":"10.1145\/3243734.3243769"},{"issue":"2","key":"27_CR6","doi-asserted-by":"publisher","first-page":"258","DOI":"10.1109\/TIFS.2015.2490620","volume":"11","author":"W Han","year":"2015","unstructured":"Han, W., Li, Z., Yuan, L., Xu, W.: Regional patterns and vulnerability analysis of Chinese web passwords. IEEE Trans. Inf. Forensics Secur. 11(2), 258\u2013272 (2015)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"27_CR7","doi-asserted-by":"publisher","unstructured":"Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: PassGAN: a deep learning approach for password guessing. In: Deng, R.H., Gauthier-Uma\u00f1a, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 217\u2013237. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-21568-2_11","DOI":"10.1007\/978-3-030-21568-2_11"},{"key":"27_CR8","doi-asserted-by":"publisher","unstructured":"Houshmand, S., Aggarwal, S.: using personal information in targeted grammar-based probabilistic password attacks. In: DigitalForensics 2017. IAICT, vol. 511, pp. 285\u2013303. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-67208-3_16","DOI":"10.1007\/978-3-319-67208-3_16"},{"key":"27_CR9","unstructured":"Hunt, T.: Pwned websites. https:\/\/haveibeenpwned.com\/PwnedWebsites"},{"key":"27_CR10","unstructured":"Hunt, T.: Collection #1 (2019). https:\/\/www.troyhunt.com\/the-773-million-record-collection-1-data-reach. Accessed 09 Sept 2020"},{"key":"27_CR11","doi-asserted-by":"crossref","unstructured":"Li, Y., Wang, H., Sun, K.: A study of personal information in human-chosen passwords and its security implications. In: IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications, pp. 1\u20139. IEEE (2016)","DOI":"10.1109\/INFOCOM.2016.7524583"},{"key":"27_CR12","unstructured":"Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 559\u2013574 (2014)"},{"key":"27_CR13","doi-asserted-by":"crossref","unstructured":"Malone, D., Maher, K.: Investigating the distribution of password choices. In: Proceedings of the 21st International Conference on World Wide Web, pp. 301\u2013310. ACM (2012)","DOI":"10.1145\/2187836.2187878"},{"key":"27_CR14","unstructured":"Melicher, W., et al.: Fast, lean, and accurate: modeling password guessability using neural networks. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 175\u2013191 (2016)"},{"issue":"11","key":"27_CR15","doi-asserted-by":"publisher","first-page":"594","DOI":"10.1145\/359168.359172","volume":"22","author":"R Morris","year":"1979","unstructured":"Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594\u2013597 (1979)","journal-title":"Commun. ACM"},{"key":"27_CR16","unstructured":"Murray, H.: MAB repository (2019). https:\/\/github.com\/HazelMurray\/multi-armed-bandit-guessing"},{"issue":"4","key":"27_CR17","doi-asserted-by":"publisher","first-page":"378","DOI":"10.3390\/e22040378","volume":"22","author":"H Murray","year":"2020","unstructured":"Murray, H., Malone, D.: Convergence of password guessing to optimal success rates. Entropy 22(4), 378 (2020)","journal-title":"Entropy"},{"key":"27_CR18","doi-asserted-by":"crossref","unstructured":"Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 364\u2013372. ACM (2005)","DOI":"10.1145\/1102120.1102168"},{"key":"27_CR19","unstructured":"Openwall: JtR. https:\/\/www.openwall.com\/john"},{"key":"27_CR20","doi-asserted-by":"crossref","unstructured":"Pal, B., Daniel, T., Chatterjee, R., Ristenpart, T.: Beyond credential stuffing: password similarity models using neural networks. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 417\u2013434. IEEE (2019)","DOI":"10.1109\/SP.2019.00056"},{"key":"27_CR21","unstructured":"Pasquini, D., Cianfriglia, M., Ateniese, G., Bernaschi, M.: Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries. arXiv preprint arXiv:2010.12269 (2020)"},{"key":"27_CR22","unstructured":"Pasquini, D., Gangwal, A., Ateniese, G., Bernaschi, M., Conti, M.: Improving password guessing via representation learning. arXiv preprint arXiv:1910.04232 (2019)"},{"key":"27_CR23","doi-asserted-by":"crossref","unstructured":"Rockafellar, R.T.: Convex Analysis. Princeton University Press (1970)","DOI":"10.1515\/9781400873173"},{"key":"27_CR24","unstructured":"Sishi, S.: An investigation of the security of passwords derived from African languages. Masters Thesis (2019)"},{"key":"27_CR25","unstructured":"Steube, J., Gristina, G.: Hashcat. https:\/\/hashcat.net"},{"key":"27_CR26","doi-asserted-by":"crossref","unstructured":"Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1242\u20131254 (2016)","DOI":"10.1145\/2976749.2978339"},{"key":"27_CR27","unstructured":"Wei, M., Golla, M., Ur, B.: The password doesn\u2019t fall far: how service influences password choice. Who Are You?! Adventures in Authentication Workshop (2018)"},{"key":"27_CR28","doi-asserted-by":"crossref","unstructured":"Weir, M., Aggarwal, S., De Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 391\u2013405. IEEE (2009)","DOI":"10.1109\/SP.2009.8"},{"issue":"5","key":"27_CR29","doi-asserted-by":"publisher","first-page":"1323","DOI":"10.1109\/TMM.2019.2940877","volume":"22","author":"Z Xia","year":"2019","unstructured":"Xia, Z., Yi, P., Liu, Y., Jiang, B., Wang, W., Zhu, T.: GENPass: a multi-source deep learning model for password guessing. IEEE Trans. Multimedia 22(5), 1323\u20131332 (2019)","journal-title":"IEEE Trans. Multimedia"}],"container-title":["Lecture Notes in Computer Science","Foundations and Practice of Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-08147-7_27","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,14]],"date-time":"2022-06-14T16:46:24Z","timestamp":1655225184000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-08147-7_27"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031081460","9783031081477"],"references-count":29,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-08147-7_27","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"15 June 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"FPS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Symposium on Foundations and Practice of Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Paris","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"7 December 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10 December 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"fps2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.fps-2021.com\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"62","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"18","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"29% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}