口令猜测研究进展

Advances on Password Guessing Attack

口令是人类可记忆的短密钥,在身份认证、加密、签名等领域有广泛的应用.口令虽然被指出存在一系列安全性和可用性问题,但因其使用简单、成本低廉、容易更改,在可预见的未来仍无可替代.口令猜测是口令面临的最严重的安全威胁,是口令安全性研究的核心方向之一,引起了学术界的持续关注.本文首先采用数据驱动的研究方法,挖掘可被猜测攻击者利用的用户脆弱口令行为,分析用户口令构造规律,包括流行特性、语言依赖性、长度分布、口令重用、结构和语义特征等方面.接着,总结了近30年来学术界提出的28种主要口令猜测算法,并根据技术原理的不同对其进行分类.随后,回顾了目前广泛使用的口令猜测算法评估指标,探究了不同实验设置对评估算法攻破率和计算效率的影响,并根据实验结果讨论了不同猜测算法的技术特点和适用场景.最后,总结口令猜测领域的研究进展,并展望口令猜测算法的应用领域和未来的研究方向.

Passwords are usually short,memorable keys used in various applications such as identity authentication,encryption,and digital signature.While some security and usability issues of passwords have been identified,the simplicity,cost-effectiveness,and ease of change make passwords irreplaceable in the foreseeable future.Password guessing poses the most serious security threat to passwords,serving as a central focus in password security research and garnering sustained attention from the academic community.This paper employs a data-driven approach to unearth user behaviors that can be exploited by potential attackers in guessing passwords.It analyzes patterns in password creation,encompassing aspects like popularity trends,language dependencies,length distributions,password reuse,structural and semantic features.Subsequently,this paper summarizes 28 mainstream password guessing algorithms proposed over the past three decades,classifies them based on their technical principles.Following that,this paper reviews the widely used evaluation metrics for password guessing algorithms,explores the impact of different experimental setups on algorithm performance,and discusses the technical characteristics and application scenarios of various guessing algorithms based on experimental results.Finally,this paper presents a comprehensive overview of the research advancements in password guessing and offers insights into practical applications and future research directions in the field.