{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:20:28Z","timestamp":1779099628348,"version":"3.51.4"},"reference-count":31,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2025,7,31]],"date-time":"2025-07-31T00:00:00Z","timestamp":1753920000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Ministry of Science and Higher Education of the Republic of Kazakhstan","award":["BR24993232"],"award-info":[{"award-number":["BR24993232"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>According to the latest Verizon DBIR report, credential abuse, including password reuse and human factors in password creation, remains the leading attack vector. It was revealed that most users change their passwords only when they forget them, and 35% of respondents find mandatory password rotation policies inconvenient. These findings highlight the importance of combining technical solutions with user-focused education to strengthen password security. In this research, the \u201chuman factor in the creation of usernames and passwords\u201d is considered a vulnerability, as identifying the patterns or rules used by users in password generation can significantly reduce the number of possible combinations that attackers need to try in order to gain access to personal data. The proposed method based on an LSTM model operates at a character level, detecting recurrent structures and generating generalized masks that reflect the most common components in password creation. Open datasets of 31,000 compromised passwords from real-world leaks were used to train the model and it achieved over 90% test accuracy without signs of overfitting. A new method of evaluating the individual password creation habits of users and automatically fetching context-rich keywords from a user\u2019s public web and social media footprint via a keyword-extraction algorithm is developed, and this approach is incorporated into a web application that allows clients to locally fine-tune an LSTM model locally, run it through ONNX, and carry out all inference on-device, ensuring complete data confidentiality and adherence to privacy regulations.<\/jats:p>","DOI":"10.3390\/info16080655","type":"journal-article","created":{"date-parts":[[2025,8,5]],"date-time":"2025-08-05T08:46:55Z","timestamp":1754383615000},"page":"655","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Development of a Method for Determining Password Formation Rules Using Neural Networks"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3382-4685","authenticated-orcid":false,"given":"Leila","family":"Rzayeva","sequence":"first","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-3781-1773","authenticated-orcid":false,"given":"Alissa","family":"Ryzhova","sequence":"additional","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-7177-7805","authenticated-orcid":false,"given":"Merei","family":"Zhaparkhanova","sequence":"additional","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5339-2437","authenticated-orcid":false,"given":"Ali","family":"Myrzatay","sequence":"additional","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-9156-4858","authenticated-orcid":false,"given":"Olzhas","family":"Konakbayev","sequence":"additional","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-6144-2392","authenticated-orcid":false,"given":"Abilkair","family":"Imanberdi","sequence":"additional","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4079-9243","authenticated-orcid":false,"given":"Yussuf","family":"Ahmed","sequence":"additional","affiliation":[{"name":"Department of Computing, Birmingham City University, Birmingham B4 7BD, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-5449-3317","authenticated-orcid":false,"given":"Zhaksylyk","family":"Kozhakhmet","sequence":"additional","affiliation":[{"name":"Research and Innovation Center \u201cCyberTech\u201d, Astana IT University, Astana 010000, Kazakhstan"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,7,31]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"100110","DOI":"10.1016\/j.jeconc.2024.100110","article-title":"Secret sharing in online communities: A comparative analysis of offender and non-offender password creation strategies","volume":"6","author":"Bergeron","year":"2024","journal-title":"J. Econ. Criminol."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"100278","DOI":"10.1016\/j.osnem.2024.100278","article-title":"Evaluating password strength based on information spread on social networks: A combined approach relying on data reconstruction and generative models","volume":"42","author":"Atzori","year":"2024","journal-title":"Online Soc. Netw. Media"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"284","DOI":"10.1109\/MNET.101.2000762","article-title":"How does social behavior affect your password?","volume":"35","author":"He","year":"2021","journal-title":"IEEE Netw."},{"key":"ref_4","unstructured":"Buckman, B. (2025, July 27). 36 Must-Know Password Statistics for 2025|Huntress. Available online: https:\/\/www.huntress.com\/blog\/password-statistics?."},{"key":"ref_5","unstructured":"(2025, July 27). Data Breach Statistics in 2024\u2014Surfshark. (9 December 2020). Surfshark. Available online: https:\/\/surfshark.com\/research\/study\/data-breach-recap-2024."},{"key":"ref_6","unstructured":"Urrico, R. (2025, July 27). Reports Show Rising Ransomware Attacks and Bad Password Habits Threaten Financial Accounts, Among Others. Finopotamus. Available online: https:\/\/www.finopotamus.com\/post\/reports-show-rising-ransomware-attacks-and-bad-password-habits-threaten-financial-accounts-among-ot."},{"key":"ref_7","unstructured":"Flor\u00eancio, D., and Herley, C. A large-scale study of web password habits. Proceedings of the 16th International Conference on World Wide Web."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"453","DOI":"10.1108\/ICS-06-2018-0077","article-title":"Understanding passwords: A taxonomy of password creation strategies","volume":"27","author":"Eriksson","year":"2019","journal-title":"Inf. Comput. Secur."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Bonneau, J., Herley, C., van Oorschot, P.C., and Stajano, F. (2012, January 20\u201323). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. Proceedings of the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA.","DOI":"10.1109\/SP.2012.44"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., and Egelman, S. (2011, January 7\u201312). Of passwords and people: Measuring the effect of password-composition policies. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Vancouver, BC, Canada.","DOI":"10.1145\/1978942.1979321"},{"key":"ref_11","unstructured":"National Institute of Standards and Technology (2024). Digital Identity Guidelines: Authentication and Lifecycle Management (NIST SP 800-63B, Rev. 4)."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Houshmand, S., and Aggarwal, S. (2012, January 3\u20137). Building better passwords using probabilistic techniques. Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/2420950.2420966"},{"key":"ref_13","unstructured":"Melicher, W., Ur, B., Segreti, S.M., Komanduri, S., Shay, R., Bauer, L., Christin, N., and Cranor, L.F. (2016, January 10\u201312). Fast, lean, and accurate: Modeling password guessability using neural networks. Proceedings of the 25th USENIX Security Symposium, Austin, TX, USA. Available online: https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/melicher."},{"key":"ref_14","first-page":"1","article-title":"PassGAN: A deep learning approach for password guessing","volume":"Volume 79","author":"Biggio","year":"2019","journal-title":"Advances in Information Security"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Wang, D., Wang, P., Wang, J., and Liu, J. (2016, January 24\u201328). Targeted online password guessing: An underestimated threat. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.","DOI":"10.1145\/2976749.2978339"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Golla, M., and D\u00fcrmuth, M. (2018, January 15\u201319). On the accuracy of password strength meters. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243769"},{"key":"ref_17","unstructured":"Xu, M., Feng, Y., Ji, S., and Deng, R.H. (2025). On the account security risks posed by password strength meters. arXiv."},{"key":"ref_18","unstructured":"Tippe, P., and Berner, M. (2025). Evaluating Argon2 adoption and effectiveness in real-world software [White paper]. arXiv."},{"key":"ref_19","unstructured":"Dropbox (2025, July 27). zxcvbn: Low-Budget Password Strength Estimation [Software]. GitHub. Available online: https:\/\/github.com\/dropbox\/zxcvbn."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Pearman, S., Thomas, J., Emami-Naeini, P., Habib, H., Bauer, L., Christin, N., Cranor, L.F., Egelman, S., and Forget, A. (November, January 30). Let\u2019s Go in for a Closer Look: Observing Passwords in Their Natural Habitat. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201917), Dallas, TX, USA. Available online: https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3133973.","DOI":"10.1145\/3133956.3133973"},{"key":"ref_21","unstructured":"Markert, C., Golla, M., D\u00fcrmuth, M., and Holz, T. (2020, January 18\u201321). On the security of modern smartphone unlock PINs. Proceedings of the 2020 IEEE Symposium on Security and Privacy, San Francisco, CA, USA."},{"key":"ref_22","unstructured":"Morag, Y., Gutman, P., Shir, E., and Kirchner, H. (2022, January 6\u201310). DPAR: Data-driven password advice and recommendations. Proceedings of the 2022 IEEE European Symposium on Security and Privacy, Genoa, Italy."},{"key":"ref_23","unstructured":"Glavin, L. (2025, July 27). Case Study: Microsoft. FIDO Alliance. Available online: https:\/\/fidoalliance.org\/case-study-microsoft\/."},{"key":"ref_24","unstructured":"Microsoft (2025, July 27). Microsoft Digital Defense Report 2023. Available online: https:\/\/www.microsoft.com\/en-us\/security\/security-insider\/threat-landscape\/microsoft-digital-defense-report-2023."},{"key":"ref_25","unstructured":"FIDO Alliance (2025, July 27). The State of Passwordless: Progress Report. Available online: https:\/\/fidoalliance.org\/resource-library\/."},{"key":"ref_26","unstructured":"Password Dataset (2025, July 27). Kaggle. Available online: https:\/\/www.kaggle.com\/datasets\/soylevbeytullah\/password-datas."},{"key":"ref_27","unstructured":"Kkrypt0nn (2025, July 27). Wordlists\/Wordlists\/Passwords at Main\u00b7Kkrypt0nn\/Wordlists. GitHub. Available online: https:\/\/github.com\/kkrypt0nn\/wordlists\/tree\/main\/wordlists\/passwords."},{"key":"ref_28","unstructured":"All About Cookies (2025, July 27). 84% of People Use Unsafe Passwords: Password Behavior Survey. Available online: https:\/\/allaboutcookies.org\/password-users-behavior-survey."},{"key":"ref_29","unstructured":"PasswordMonster (2025, July 27). Password Strength Meter. Available online: https:\/\/www.passwordmonster.com\/."},{"key":"ref_30","unstructured":"Kaspersky Lab (2025, July 27). Password Checker & Secure Random Password Generator. Available online: https:\/\/password.kaspersky.com\/."},{"key":"ref_31","unstructured":"Security.org (2025, July 27). How Secure Is My Password?|Password Strength Checker. Available online: https:\/\/www.security.org\/how-secure-is-my-password\/."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/8\/655\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:20:00Z","timestamp":1760034000000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/8\/655"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,31]]},"references-count":31,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2025,8]]}},"alternative-id":["info16080655"],"URL":"https:\/\/doi.org\/10.3390\/info16080655","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,31]]}}}