Password Guessing via Neural Language Modeling

Abstract

Passwords are the major part of authentication in current social networks. The state-of-the-art password guessing approaches, such as Markov model and probabilistic context-free grammars (PCFG) model, assign a probability value to each password by a statistic approach without any parameters. These methods require large datasets to accurately estimate probability due to the law of large number. The neural network, approximating target probability distribution through iteratively training its parameters, was used to model passwords by some researches. However, since the network architectures they used are simple and straightforward, there are many ways to improve it. In this paper, we view password guessing as a language modeling task and introduce a deeper, more robust, and faster-converged model with several useful techniques to model passwords. This model shows great ability in modeling passwords while significantly outperforms state-of-the-art approaches. Inspired by the most advanced sequential model named Transformer, we use it to model passwords with bidirectional masked language model which is powerful but unlikely to provide normalized probability estimation. Then we distill Transformer model’s knowledge into our proposed model to further boost its performance. Comparing with the PCFG, Markov and previous neural network models, our models show remarkable improvement in both one-site tests and cross-site tests. Moreover, our models are robust to the password policy by controlling the entropy of output distribution.