S&P2025
RankGuess: Password Guessing Using Adversarial Ranking
Tao Yang, Ding Wang
Abstract
The understanding of password security highly relates to our knowledge of how adversaries guess passwords, and this makes the modeling of guessing attacks a pivotal task. To maximize guessing effectiveness, the adversary generally attempts to guess in descending order of likelihood, akin to the way generative retrieval learning-to-rank works in a recommendation system, which prioritizes information to targeted users based on predicted relevance. In this paper, we propose a password guessing framework based on adversarial ranking, named RankGuess. We regard the password creation process as sequential decision trajectories. In this context, the adversary is assumed to train an agent where the current state is represented by the password sequence generated up to that point. The action taken is to generate the next token, and the evaluation score assigned by the ranker serves as the reward signal received. Consequently, we frame the problem of password guessing as a Markov Decision Process and tackle it using adversarial ranking techniques. Due to the generality of our framework, RankGuess can be applicable to various guessing scenarios (i.e., trawling guessing, targeted password guessing based on personally identifiable information (PII), and conditional password guessing). By employing 12 large-scale password datasets and six PII datasets, we demonstrate that our models are effective: (1) RankGuess surpasses all current state-of-the-art models and outperforms GAN-based methods by 26.29%~43.69% (avg. 34.80%); (2) When the victim's PII at site A (namely PII_A) is known, RankGuess-PII for targeted password guessing based on PII_A, which guesses 58.21%~91.95% of common users within 10^12 guesses, outperforms its foremost counterparts by 6.32%~17.09%; (3) Within 10^7 guesses, our RankGuess-Mask based on victims' partial passwords (e.g., d**102), improves the password cracking success rates by 7.70%~14.85% (avg. 8.21%) compared to its state-of-the-art counterparts.
The paper provides a new technical approach to a well-known challenge in the password-guessing field.