LLM-Based Few-Shot Credential Tweaking Attack

doi:10.19678/j.issn.1000-3428.0253511

Abstract

Abstract: Passwords remain the most critical factor in identity verification and are widely used in various security scenarios. Enhancing password security relies heavily on the simulation and study of password guessing. In practice, data-driven credential tweaking attacks are highly constrained by the quantity and quality of training samples. Existing few-shot password guessing frameworks are not suitable for credential tweaking attacks. To address these issues, this paper proposes a few-shot credential tweaking attack method based on large language model and data augmentation technology. This method aims to automatically generate pseudo-aligned password data using a minimal number of high-quality samples, thereby reducing the high dependence on data quantity and quality in credential tweaking attacks. The contributions of this paper are as follows: 1) Based on reinforcement learning technology, a credential tweaking attack framework named PasswordRL is proposed. 2) Based on augmentation techniques, this paper proposes the few-shot credential tweaking attack framework PasswordRL-FS. Using four mainstream guessing methods as the baseline, this paper conducts comparative experiments on the aforementioned two frameworks on two real leaked password datasets. Experiments show that in real-world few-shot scenarios (number of training samples = 1000), with guess budgets of 5, 10, and 100, the hit rates of the proposed attack framework outperform the second-best baseline by 39.54%, 23.72%, and 42.40%, and the guess hit rates reach 83.72%, 81.85%, and 93.68% in data-rich scenarios (number of training samples > 107). These experiments demonstrate the effectiveness of the method proposed in this paper.

摘要： 口令仍是当前最为重要的身份认证因子，口令安全的提升离不开对口令猜测的模拟与研究。凭证调整攻击是一类广受关注的口令猜测方法。现实场景中，数据驱动的凭证调整攻击，其命中率受到训练样本数量与样本质量的高度制约。现有的少样本口令猜测框架不适用于凭证调整攻击任务。针对上述问题，提出基于大语言模型的少样本凭证调整攻击方法，利用尽可能少的高质量样本，自动化地合成伪对齐口令数据，有效地降低了数据驱动的凭证调整攻击对训练样本数量与训练样本质量的高度依赖。贡献主要包括：1）基于强化学习技术，提出了一套凭证调整攻击框架，称为PasswordRL。该框架使用混合强化学习与最大似然估计的损失函数，相较传统方法进一步提升猜测命中率；2）基于大语言模型与数据增强技术，提出少样本场景下的凭证调整攻击框架PasswordRL-FS。使用四种主流猜测方法作为基线，在两个真实泄露的口令数据集上，分别对上述提出的两个框架进行了比较实验。实验结果表明，在模拟真实环境的少样本场景（训练样本数=1000）中，猜测预算为5，10，100时，提出的猜测框架的命中率较次优模型分别（相对）提升了39.54%，23.72%，42.40%，并且，猜测命中率达到了多样本场景（训练样本数>107）的83.72%，81.85%，93.68%，上述实验结果证明了方法的有效性。

ZHANG Shenghao, HAN Weili. LLM-Based Few-Shot Credential Tweaking Attack[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0253511.

张晟豪, 韩伟力. 基于大语言模型的少样本凭证调整攻击方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0253511.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0253511

References

[1] 王平, 汪定, 黄欣沂. 口令安全研究进展[J]. 计算机研究与发展, 2016, 53(10):2172-2187. WANG P, WANG D, HUANG X. Advances in password security [J]. Journal of Computer Research and Development, 2016, 53(10):2172-2187. (in Chinese)
[2] HAN W, XU M, ZHANG J, et al. TransPCFG: Transferring the grammars from short passwords to guess long passwords effectively[J]. IEEE Trans. Inf. Forensics Secur., 2021(16): 451-465.
[3]韩伟力, 张俊杰, 徐铭, 等. 参数化混合口令猜测方法[J]. 计算机研究与发展, 2022, 59(12): 2708-2722. HAN W, ZHANG J, XU M, et al. Parameterized hybrid password guessing method[J]. Journal of Computer Research and Development, 2022, 59(12): 2708-2722. (in Chinese)
[4] PASQUINI D, CIANFRIGLIA M, ATENIESE G, et al. Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries[C]// BAILEY M, GREENSTADT R. 30th USENIX Security Symposium, USENIX Security 2021. Vancouver, B.C., Canada: USENIX Association, 2021: 821-838.
[5] DAS A, BONNEAU J, CAESAR M, et al. The tangled web of password reuse[C]//21st Annual Network and Distributed System Security Symposium. San Diego, California, USA: The Internet Society, 2014.
[6] WANG D, ZHANG Z, WANG P, et al. Targeted online password guessing: An underestimated threat[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria: ACM, 2016:1242-1254.
[7] PAL B, DANIEL T, CHATTERJEE R, et al. Beyond credential stuffing: Password similarity models using neural networks[C]//2019 IEEE Symposium on Security and Privacy. San Francisco, CA, USA: IEEE, 2019: 417-434.
[8] XU M, YU J, ZHANG X, et al. Improving real-world password guessing attacks via bi-directional transformers[C]//32nd USENIX Security Symposium, USENIX Security 2023. Anaheim, CA, USA: USENIX Association, 2023: 1001-1018.
[9] SU X, ZHU X, LI Y, et al. PagPassGPT: Pattern guided password guessing via generative pretrained Transformer[C]//54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Australia: IEEE, 2024: 429-442.
[10] ZOU Y, AN M, WANG D. Password guessing using large language models[C]//34th USENIX Security Symposium, USENIX Security 2025. Seattle, WA, USA: USENIX Security 25, 2025: 7799-7818.
[11] DUAN M, XU M, ZHANG S, et al. MoPE: A mixture of password experts for improving password guessing[J]. arXiv preprint arXiv:2509.16558, 2025.
[12] HAN W, LI Z, YUAN L, et al. Regional patterns and vulnerability analysis of Chinese web passwords[J]. IEEE Transactions on Information Forensics and Security, 2016, 11(2): 258-272.
[13] UR B, SEGRETI S M, BAUER L, et al. Measuring real-world accuracies and biases in modeling password guess ability[C]//24th USENIX Security Symposium, USENIX Security 15. Washington, D.C., USA: USENIX Association, 2015: 463-481.
[14] HAN W, LI Z, NI M, et al. Shadow attacks based on password reuses: A quantitative empirical analysis[J]. IEEE Trans. Dependable Secur. Comput., 2018, 15(2): 309-320.
[15] WANG D, ZOU Y, XIAO Y, et al. Pass2edit: A multi-step generative model for guessing edited passwords[C]//32nd USENIX Security Symposium, USENIX Security 2023. Anaheim, CA, USA: USENIX Association, 2023: 983-1000.
[16] WANG D, WANG P, HE D, et al. Birthday, name and bifacial-security: Understanding passwords of Chinese web users[C]//28th USENIX Security Symposium, USENIX Security 2019. Santa Clara, CA, USA: USENIX Association, 2019: 1537-1555.
[17] WU L, TIAN F, QIN T, et al. A study of reinforcement learning for neural machine translation[C]//Proceedings of the 2018 Conference on Empirical Methods in Natural Language Processing. Brussels, Belgium: Association for Computational Linguistics, 2018: 3612-3621.
[18] WU L, ZHAO L, QIN T, et al. Sequence prediction with unlabeled data by reward function learning[C]// Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence, IJCAI 2017. Melbourne, Australia: ijcai.org, 2017: 3098-3104.
[19] LIU Y, GU J, GOYAL N, et al. Multilingual denoising pre-training for neural machine translation[J]. Trans. Assoc. Comput. Linguistics, 2020(8): 726-742.
[20] CHOWDHERY A, NARANG S, DEVLIN J, et al. PaLM: Scaling language modeling with pathways[J]. J. Mach. Learn. Res., 2023(24): 1-113.
[21] TAYLOR R, KARDAS M, CUCURULL G, et al. Galactica: A large language model for science[J]. CoRR, 2022, abs/2211.09085.
[22] TOUVRON H, LAVRIL T, IZACARD G, et al. LLaMA: Open and efficient foundation language models[J]. CoRR, 2023, abs/2302.13971.
[23] GOU J, YU B, MAYBANK S J, et al. Knowledge distillation: A survey[J]. International Journal of Computer Vision, 2020(129): 1789-1819.
[24] SINGHAL A. Modern information retrieval: A brief overview[J]. IEEE Data Eng. Bull., 2001(24): 35-43.
[25] JOHNSON M, SCHUSTER M, LE QV, et al. Google’s neural machine translation system: Enabling zero-shot translation[J]. Trans. Assoc. Comput. Linguist., 2017, 5:339–351.
[26] HOUSHMAND S, AGGARWAL S, FLOOD R. Next gen PCFG password cracking[J]. IEEE Trans. Inf. Forensics Secur., 2015,10(8): 1776-1791.
[27] CASAL J. 1.4 billion clear text credentials discovered in a single database[EB/OL]. (2017-12-05)[2026-03-17]. https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14.
[28] HUNT T. The 773 million record "Collection #1" data breach[EB/OL]. (2019-01-17)[2026-03-17]. https://www.troyhunt.com/the-773-million-record-collection-1-data-breach/.
[29] 俞继涛, 程路维, 韩伟力. 基于用户身份信息的凭证调整攻击优化方法[J]. 计算机工程, 2025,51(11):22-34. YU J, CHENG L, HAN W. Optimization method of credential tweaking attack based on user identity information[J]. Computer Engineering, 2025,51(11):22-34. (in Chinese)
[30] 常庚, 赵岚, 陈文. MLSTM: 一种基于多序列长度 LSTM 的口令猜测方法[J]. 计算机科学, 2022,49(04): 354-361. CHANG Y, ZHAO L, CHEN W. MLSTM: A password guessing method based on multiple sequence length LSTM[J]. Computer Science, 2022,49(04): 354-361. (in Chinese)
[31] XU M, ZHANG S, ZHANG K, et al. Using parallel techniques to accelerate PCFG-based password cracking attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2025: 1-14.

Please choose a citation manager

Content to export