Password Guessing Based on Semantic Analysis and Neural Networks

  • Yong Fang
  • Kai Liu
  • Fan Jing
  • Zheng ZuoEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 960)


Passwords remain the dominant method in data encryption and identity authentication, but they are vulnerable to guessing attack. Most users incline to choose meaningful words to make up passwords. Lots of these words are human-memorable. In this paper, we propose a hierarchical semantic model that combines LSTM with semantic analysis to implement password guessing. With our model, the potential probability relationship between words can be mined. After training the model with 4.5 million passwords from leaked Chinese passwords, we generate lots of passwords guesses ordered by probability. 0.5 million passwords are reserved for model testing. In addition, we also pick up CSDN passwords, the Rockyou passwords, and Facebook passwords as model-testing sets. Each dataset contains 0.5 million passwords. LSTM-based model, PCFG, and Markov-based model are selected for comparison. Experiments show that our model has a higher coverage rate than the other models of the reserved dataset and CSDN dataset. Besides, our model can hit more passwords for the Rockyou dataset and Facebook dataset than PCFG.


Password guessing Semantic LSTM HSM 



This work was supported in part by the National Key R&D Program of China (Grant No. 2017YFB0802900).


  1. 1.
    Herley, C., Van Oorschot, P.: A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. Mag. 10(1), 28–36 (2012)CrossRefGoogle Scholar
  2. 2.
    Kelley, P., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (2012)Google Scholar
  3. 3.
    Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)CrossRefGoogle Scholar
  4. 4.
  5. 5.
    Weir, M., Aggarwal, S., Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 2009 30th IEEE Symposium on Security and Privacy (2009)Google Scholar
  6. 6.
    Houshmand, S., Aggarwal, S., Flood, R.: Next gen PCFG password cracking. IEEE Trans. Inf. Forensics Secur. 10, 1776–1791 (2015)CrossRefGoogle Scholar
  7. 7.
    Wheeler, DL.: zxcvbn: low-budget password strength estimation. In: USENIX Security Symposium, pp. 157–173 (2016)Google Scholar
  8. 8.
    Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and Communications Security - CCS 2005 (2005)Google Scholar
  9. 9.
    Castelluccia, C., Dürmuth, M., Perito D.: Adaptive password-strength meters from Markov models. In: NDSS 2012 (2012)Google Scholar
  10. 10.
    Dürmuth, M., Angelstorf, F., Castelluccia, C., Perito, D., Chaabane, A.: OMEN: faster password guessing using an ordered Markov enumerator. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 119–132. Springer, Cham (2015). Scholar
  11. 11.
    John the Ripper password cracker.
  12. 12.
  13. 13.
    Jozefowicz, R., Zaremba, W., Sutskever I.: An empirical exploration of recurrent network architectures. In: International Conference on Machine Learning, pp. 2342–2350 (2015)Google Scholar
  14. 14.
    Melicher, W., et al.: Fast, lean, and accurate: modeling password guessability using neural networks. In: USENIX Security Symposium, pp. 175–191 (2016)Google Scholar
  15. 15.
  16. 16.
    Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: PassGAN: a deep learning approach for password guessing. arXiv preprint arXiv:1709.00440 (2017)
  17. 17.
    Goodfellow, I., et al.: Generative adversarial nets. In: Advances in Neural Information Processing Systems, pp. 2672–2680 (2014)Google Scholar
  18. 18.
    Schweitzer, D., Boleng, J., Hughes, C., Murphy, L.: Visualizing keyboard pattern passwords. In: 2009 6th International Workshop on Visualization for Cyber Security (2009)Google Scholar
  19. 19.
  20. 20.
    Xu, L., et al.: Password guessing based on LSTM recurrent neural networks. In: 2017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC) (2017)Google Scholar
  21. 21.
    de Castro, L., Hunter, L., Stephanie, L., Cristina, M.: Modeling password guessing with neural networksGoogle Scholar
  22. 22.

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.College of CybersecuritySichuan UniversityChengduChina
  2. 2.College of Electronic and Information EngineeringSichuan UniversityChengduChina
  3. 3.International Liaison Office, People’s Government of ChongqingChongqingChina

Personalised recommendations