Optimization Method of Credential Tweaking Attack Based on User Identity Information

doi:10.19678/j.issn.1000-3428.0069794

Abstract

Abstract: Password leakage incidents often involve the leakage of user passwords and identity information. Because users are accustomed to reusing passwords across multiple network services, attackers can tweak leaked passwords to accurately attack user accounts. This is called a credential tweaking attack. By analyzing large-scale leaked passwords and the corresponding user identity information, this study finds that user strategies for creating passwords are often associated with user identity information. However, current research on credential tweaking attacks relies only on leaked password structures and ignores leaked user identity information when predicting password tweaking strategies. To improve the accuracy of credential tweaking attacks, this study designs a credential tweaking attack optimization method based on user identity information. In the preprocessing phase, username and regional information is extracted from the user identity information and the probability of users' different password creation strategies in different regions is statistically calculated. In the training phase, regional information is combined to learn users' character-level editing operations on leaked passwords. In the password generation phase, a password generation method that integrates character-level editing operations, structure-level editing operations, and username information is designed. The experimental results show that in an attack with 10³ guesses, the cracking rate of this method has a maximum improvement of 41.8% compared to the existing best method (PassBERT), highlighting the threat posed by credential tweaking attacks based on user identity information to password security.

Key words: password security, credential tweaking attack, targeted password guessing, user identity information, password reusing

摘要： 口令泄露事件常常涉及用户口令和用户身份信息的泄露。由于用户在多个网络服务中习惯于重用口令,这使得攻击者能够通过调整泄露的口令来针对性地攻击用户的账户,称为凭证调整攻击。通过分析大规模的泄露口令和相应的用户身份信息,发现用户创建口令的策略往往与用户身份信息相关联。然而,目前关于凭证调整攻击的研究在预测用户调整口令的策略时仅依据泄露口令的结构,而忽略了泄露的用户身份信息。为了提升凭证调整攻击的准确性,设计了一种基于用户身份信息的凭证调整攻击优化方法。在预处理阶段,从用户身份信息中提取用户名信息和地域信息,按照地域统计用户选择不同口令创建策略的概率。在训练阶段,结合地域信息学习用户在泄露口令上采取的字符级编辑操作。在口令生成阶段,设计了一种综合字符级编辑操作、结构级编辑操作和用户名信息的口令生成方法。实验结果表明,在猜测次数为10³的攻击中,该方法的命中率和现有最优的方法(PassBERT)相比最高提升了41.8%,说明利用用户身份信息能扩大凭证调整攻击对口令安全带来的威胁。

关键词: 口令安全, 凭证调整攻击, 定向口令猜测, 用户身份信息, 口令重用

CLC Number:

TP309

YU Jitao, CHENG Luwei, HAN Weili. Optimization Method of Credential Tweaking Attack Based on User Identity Information[J]. Computer Engineering, 2025, 51(11): 22-34.

俞继涛, 程路维, 韩伟力. 基于用户身份信息的凭证调整攻击优化方法[J]. 计算机工程, 2025, 51(11): 22-34.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0069794

https://www.ecice06.com/EN/Y2025/V51/I11/22

References

[1] 韩伟力, 张俊杰, 徐铭, 等. 参数化混合口令猜测方法[J]. 计算机研究与发展, 2022, 59(12): 2708-2722. HAN W L, ZHANG J J, XU M, et al. Parameterized hybrid password guessing method[J]. Journal of Computer Research and Development, 2022, 59(12): 2708-2722. (in Chinese)
[2] 韩伟力, 袁琅, 李思斯, 等. 一种基于样本的模拟口令集生成算法[J]. 计算机学报, 2017, 40(5): 1151-1167. HAN W L, YUAN L, LI S S, et al. An efficient algorithm to generate password sets based on samples[J]. Chinese Journal of Computers, 2017, 40(5): 1151-1167. (in Chinese)
[3] ZHANG H D, WANG C W, RUAN W Q, et al. Digit semantics based optimization for practical password cracking tools[C]//Proceedings of the Annual Computer Security Applications Conference. New York, USA: ACM Press, 2021: 513-527.
[4] XU M, WANG C W, YU J T, et al. Chunk-level password guessing: towards modeling refined password composition representations[C]//Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2021: 5-20.
[5] WANG D, HE D B, CHENG H B, et al. fuzzyPSM: a new password strength meter using fuzzy probabilistic context-free grammars[C]//Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Toulouse, France: IEEE Press, 2016: 595-606.
[6] HAN W L, LI Z G, NI M Y, et al. Shadow attacks based on password reuses: a quantitative empirical analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2018, 15(2): 309-320.
[7] PEARMAN S, THOMAS J, NAEINI P E, et al. Let’s go in for a closer look: observing passwords in their natural habitat[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2017: 295-310.
[8] DAS A, BONNEAU J, CAESAR M, et al. The tangled web of password reuse[C]//Proceedings of the 21st Annual Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2014: 1-15.
[9] HUNT T. Have I been pwned?[EB/OL].[2024-04-23]. https://haveibeenpwned.com/Passwords/.
[10] PAL B, ISLAM M, SANUSI M, et al. Might I get pwned: a second generation compromised credential checking service[C]//Proceedings of the 31st USENIX Security Symposium. Boston, USA: USENIX Association, 2022: 1831-1848.
[11] THOMAS K, PULLMAN J, YEO K, et al. Protecting accounts from credential stuffing with password breach alerting[C]//Proceedings of the 28th USENIX Security Symposium. Santa Clara, USA: USENIX Association, 2019: 1556-1571.
[12] XU M, YU J, ZHANG X, et al. Improving real-world password guessing attacks via bi-directional transformers[C]//Proceedings of the 32nd USENIX Security Symposium. Anaheim, USA: USENIX Association, 2023: 1001-1018.
[13] PAL B, DANIEL T, CHATTERJEE R, et al. Beyond credential stuffing: password similarity models using neural networks[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). San Francisco, USA: IEEE Press, 2019: 417-434.
[14] WANG D, ZOU Y, XIAO Y, et al. Pass2Edit: a multi-step generative model for guessing edited passwords[C]//Proceedings of the 32nd USENIX Security Symposium. Anaheim, USA: USENIX Association, 2023: 983-1000.
[15] WANG D, ZHANG Z J, WANG P, et al. Targeted online password guessing: an underestimated threat[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2016: 1242-1254.
[16] WEIR M, AGGARWAL S, MEDEIROS B, et al. Password cracking using probabilistic context-free grammars[C]//Proceedings of the 30th IEEE Symposium on Security and Privacy. Oakland, USA: IEEE Press, 2009: 391-405.
[17] MELICHER W, UR B, KOMANDURI S, et al. Fast, lean, and accurate: modeling password guessability using neural networks[C]//Proceedings of the 2017 USENIX Annual Technical Conference. Santa Clara, USA: USENIX Association, 2016: 175-191.
[18] 周环, 刘奇旭, 崔翔, 等. 基于神经网络的定向口令猜测研究[J]. 信息安全学报, 2018, 3(5): 25-37. ZHOU H, LIU Q X, CUI X, et al. Research on targeted password guessing using neural networks[J]. Journal of Cyber Security, 2018, 3(5): 25-37. (in Chinese)
[19] LI Y, WANG H N, SUN K. Personal information in passwords and its security implications[J]. IEEE Transactions on Information Forensics and Security, 2017, 12(10): 2320-2333.
[20] PASQUINI D, ATENIESE G, TRONCOSO C. Universal neural-cracking-machines: self-configurable password models from auxiliary data[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). San Francisco, USA: IEEE Press, 2024: 32-32.
[21] 汪定, 邹云开, 陶义, 等. 基于循环神经网络和生成式对抗网络的口令猜测模型研究[J]. 计算机学报, 2021, 44(8): 1519-1534. WANG D, ZOU Y K, TAO Y, et al. Password guessing based on recurrent neural networks and generative adversarial networks[J]. Chinese Journal of Computers, 2021, 44(8): 1519-1534. (in Chinese)
[22] PASQUINI D, GANGWAL A, ATENIESE G, et al. Improving password guessing via representation learning[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D.C., USA: IEEE Press, 2021:1382-1399.
[23] HAN W L, XU M, ZHANG J J, et al. TransPCFG: transferring the grammars from short passwords to guess long passwords effectively[J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 451-465.
[24] 章梦礼, 张启慧, 刘文芬, 等. 一种基于结构划分及字符串重组的口令攻击方法[J]. 计算机学报, 2019, 42(4): 913-928. ZHANG M L, ZHANG Q H, LIU W F, et al. A method of password attack based on structure partition and string reorganization[J]. Chinese Journal of Computers, 2019, 42(4): 913-928. (in Chinese)
[25] LEVENSHTEIN V I. Binary codes capable of correcting deletions, insertions, and reversals[J]. Soviet Physics Doklady, 1965, 10: 707-710.

Please choose a citation manager

Content to export