Chenyang Wang (National University of Defense Technology), Fan Shi (National University of Defense Technology), Min Zhang (National University of Defense Technology), Chengxi Xu (National University of Defense Technology), Miao Hu (National University of Defense Technology), Pengfei Xue (National University of Defense Technology), Shasha Guo (National University of Defense Technology), Jinghua Zheng (National University of Defense Technology)
Passwords are still the primary authentication method, and the security community researches password guessing to improve password security. Dynamic password guessing continuously collects information about the target and dynamically fits the target distribution during the guessing process, thus expanding the threat. Existing methods are mainly of two types: dynamic adjustment of password policies and dynamic generation based on generative models. However, these methods fit the target distribution from a single perspective, ignoring the complementary effects of information across different dimensions. Dynamic password guessing performance would improve greatly if information from multiple dimensions were well utilized, but how to fuse multidimensional information effectively remains a challenge.
Motivated by this, we propose CoT-DPG, a new dynamic password guessing framework that allows multiple guessing models to learn collaboratively and complement each other's knowledge. This is the first application of the co-training approach from multi-view learning to password guessing. First, at the feature level, we dynamically update the neural network parameters and fit the target distribution based on incremental training. Second, at the character level, we design a policy distribution optimization approach to alleviate the blindness of policy selection. Third, we use the co-training approach for complementary learning, iterative training, and password generation in multiple dimensions. Finally, experiments demonstrate the effectiveness of the proposed framework, with an absolute improvement in cracking rate of 6.4% to 26.7% over the state-of-the-art method on eight real-world password datasets.