Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing

Abstract

The paper focuses on the comparative analysis of deep learning algorithms and traditional probabilistic models on strings of short lengths (typically, passwords). The password is one of the dominant methods used in user authentication. Compared to the traditional brute-force attack and dictionary attack, password guessing models use the leaked password datasets to generate password guesses, expecting to cover as many accounts as possible while minimizing the number of guesses. In this paper, we analyze the password pattern of leaked datasets and further present a comparative study on two dominant probabilistic models (i.e., Markov-based model and Probabilistic Context-Free Grammars (PCFG) based model) and the PassGAN model (which is a representative deep-learning-based method). We use Laplace smoothing for the Markov model and introduce particular semantic patterns to the PCFG model. Our output shows that the Markov-based models can cover the vast majority of the passwords in the test set and PassGAN demonstrates surprisingly the worst effect. Nevertheless, considering the threat that an attacker may adjust the training set, the PCFG model is better than the Markov model. Using Passcode with high-frequency passwords can increase the coverage while reducing the number of guesses. Brute-force attack can also work better when used in conjunction with probabilistic models. For the same billion guesses, brute-force attack can be used to crack pure digital passwords of 4 to 8 lengths, and original-PCFG and modified-PCFG could increase by 11.16% and 8.69%, respectively.