{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,9,7]],"date-time":"2023-09-07T21:08:15Z","timestamp":1694120895160},"reference-count":27,"publisher":"Springer Science and Business Media LLC","issue":"7-8","license":[{"start":{"date-parts":[[2023,7,11]],"date-time":"2023-07-11T00:00:00Z","timestamp":1689033600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,7,11]],"date-time":"2023-07-11T00:00:00Z","timestamp":1689033600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Ann. Telecommun."],"published-print":{"date-parts":[[2023,8]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Human chosen passwords are often predictable. Research has shown that users of similar demographics or choosing passwords for the same website will often choose similar passwords. This knowledge is leveraged by human password guessers who use it to tailor their attacks. In this paper, we demonstrate that a learning algorithm can actively learn these same characteristics of the passwords as it is guessing and that it can leverage this information to adaptively improve its guessing. Furthermore, we show that if we split our candidate wordlists based on these characteristics, then a multi-armed bandit style guessing algorithm can adaptively choose to guess from the wordlist which will maximise successes.<\/jats:p>","DOI":"10.1007\/s12243-023-00969-4","type":"journal-article","created":{"date-parts":[[2023,7,11]],"date-time":"2023-07-11T06:02:07Z","timestamp":1689055327000},"page":"385-400","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Adaptive password guessing: learning language, nationality and dataset source"],"prefix":"10.1007","volume":"78","author":[{"given":"Hazel","family":"Murray","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Malone","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,7,11]]},"reference":[{"issue":"4","key":"969_CR1","doi-asserted-by":"publisher","first-page":"378","DOI":"10.3390\/e22040378","volume":"22","author":"H Murray","year":"2020","unstructured":"Murray H, Malone D (2020) Convergence of password guessing to optimal success rates. Entropy 22(4):378","journal-title":"Entropy"},{"key":"969_CR2","unstructured":"KoreLogic: Crack Me If You Can (CMIYC)"},{"key":"969_CR3","unstructured":"Openwall: JtR. https:\/\/www.openwall.com\/john"},{"key":"969_CR4","unstructured":"Steube, J., Gristina, G.: HashCat. https:\/\/hashcat.net"},{"key":"969_CR5","doi-asserted-by":"crossref","unstructured":"Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 364\u2013372 (2005). ACM","DOI":"10.1145\/1102120.1102168"},{"key":"969_CR6","doi-asserted-by":"crossref","unstructured":"Weir, M., Aggarwal, S., De\u00a0Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Security and Privacy, 2009 30th IEEE Symposium On, pp. 391\u2013405 (2009). IEEE","DOI":"10.1109\/SP.2009.8"},{"key":"969_CR7","doi-asserted-by":"crossref","unstructured":"Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1242\u20131254 (2016)","DOI":"10.1145\/2976749.2978339"},{"key":"969_CR8","doi-asserted-by":"crossref","unstructured":"Li, Y., Wang, H., Sun, K.: A study of personal information in human-chosen passwords and its security implications. In: IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications, pp. 1\u20139 (2016). IEEE","DOI":"10.1109\/INFOCOM.2016.7524583"},{"key":"969_CR9","unstructured":"Melicher, W., Ur, B., Segreti, S.M., Komanduri, S., Bauer, L., Christin, N., Cranor, L.F.: Fast, lean, and accurate: modeling password guessability using neural networks. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 175\u2013191 (2016)"},{"key":"969_CR10","doi-asserted-by":"crossref","unstructured":"Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: Passgan: a deep learning approach for password guessing. In: International Conference on Applied Cryptography and Network Security, pp. 217\u2013237 (2019). Springer","DOI":"10.1007\/978-3-030-21568-2_11"},{"key":"969_CR11","unstructured":"Pasquini, D., Gangwal, A., Ateniese, G., Bernaschi, M., Conti, M.: Improving password guessing via representation learning. arXiv preprint arXiv:1910.04232 (2019)"},{"key":"969_CR12","unstructured":"Pasquini, D., Cianfriglia, M., Ateniese, G., Bernaschi, M.: Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries. arXiv preprint arXiv:2010.12269 (2020)"},{"key":"969_CR13","doi-asserted-by":"crossref","unstructured":"Malone, D., Maher, K.: Investigating the distribution of password choices. In: Proceedings of the 21st International Conference on World Wide Web, pp. 301\u2013310 (2012). ACM","DOI":"10.1145\/2187836.2187878"},{"key":"969_CR14","unstructured":"Wei, M., Golla, M., Ur, B.: The password doesn\u2019t fall far: how service influences password choice. Who Are You?! Adventures in Authentication Workshop (2018)"},{"key":"969_CR15","unstructured":"Sishi, S.: An investigation of the security of passwords derived from African languages. Masters Thesis (2019)"},{"key":"969_CR16","unstructured":"Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 559\u2013574 (2014)"},{"key":"969_CR17","doi-asserted-by":"crossref","unstructured":"Dell\u2019Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: INFOCOM, 2010 Proceedings IEEE, pp. 1\u20139 (2010). IEEE","DOI":"10.1109\/INFCOM.2010.5461951"},{"key":"969_CR18","unstructured":"Murray, H., Malone, D.: Multi-armed bandit approach to password guessing. In: Who Are You?! Adventures in Authentication Workshop. WAY\u00a0\u201920, pp. 1\u20136, Virtual Conference (2020)"},{"key":"969_CR19","doi-asserted-by":"publisher","DOI":"10.1515\/9781400873173","volume-title":"Convex analysis","author":"RT Rockafellar","year":"1970","unstructured":"Rockafellar RT (1970) Convex analysis. Princeton University Press, New Jersey, United States"},{"key":"969_CR20","unstructured":"Murray, H.: MAB repository (2019). https:\/\/github.com\/HazelMurray\/multi-armed-bandit-guessing"},{"key":"969_CR21","unstructured":"Beaumont, C.: Microsoft Hotmail leak blamed on phishing attack. The Telegraph. https:\/\/www.telegraph.co.uk\/technology\/microsoft\/6264539\/Microsoft-Hotmail-leak-blamed-on-phishing-attack.html, Accessed on: 2020-03-22 (2009)"},{"key":"969_CR22","unstructured":"R\u00fctten, V.C.: Passwortdaten von Flirtlife.de kompromittiert. https:\/\/www.heise.de\/security\/meldung\/Passwortdaten-von-Flirtlife-de-kompromittiert-126608.html, Accessed on: 2019-12-04 (2006)"},{"key":"969_CR23","doi-asserted-by":"crossref","unstructured":"Golla, M., D\u00fcrmuth, M.: On the accuracy of password strength meters. In: CCS \u201918, pp. 1567\u20131582 (2018)","DOI":"10.1145\/3243734.3243769"},{"key":"969_CR24","volume-title":"Intelligent search strategies on human chosen passwords","author":"L Bensmann","year":"2009","unstructured":"Bensmann L (2009) Intelligent search strategies on human chosen passwords. Technishe Universtat Fakultat F\u00fcr Informatik, Dortmond"},{"key":"969_CR25","doi-asserted-by":"publisher","first-page":"427","DOI":"10.1016\/j.cose.2018.03.014","volume":"77","author":"M AlSabah","year":"2018","unstructured":"AlSabah M, Oligeri G, Riley R (2018) Your culture is in your password: an analysis of a demographically-diverse password dataset. Computers & security 77:427\u2013441","journal-title":"Computers & security"},{"issue":"2","key":"969_CR26","doi-asserted-by":"publisher","first-page":"258","DOI":"10.1109\/TIFS.2015.2490620","volume":"11","author":"W Han","year":"2015","unstructured":"Han W, Li Z, Yuan L, Xu W (2015) Regional patterns and vulnerability analysis of Chinese web passwords. IEEE Transactions on Information Forensics and Security 11(2):258\u2013272","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"969_CR27","unstructured":"Hunt, T.: Collection #1. Accessed on: Sept 09, 2020 (2019). https:\/\/www.troyhunt.com\/the-773-million-record-collection-1-data-reach"}],"container-title":["Annals of Telecommunications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s12243-023-00969-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s12243-023-00969-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s12243-023-00969-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,9,5]],"date-time":"2023-09-05T02:05:39Z","timestamp":1693879539000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s12243-023-00969-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,11]]},"references-count":27,"journal-issue":{"issue":"7-8","published-print":{"date-parts":[[2023,8]]}},"alternative-id":["969"],"URL":"https:\/\/doi.org\/10.1007\/s12243-023-00969-4","relation":{},"ISSN":["0003-4347","1958-9395"],"issn-type":[{"value":"0003-4347","type":"print"},{"value":"1958-9395","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,7,11]]},"assertion":[{"value":"10 August 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 May 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 July 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}