KAPG: Adaptive Password Guessing via Knowledge-Augmented Generation

TL;DR

KAPG introduces an adaptive password guessing framework that combines internal password pattern learning with external real-world knowledge, significantly improving guessing accuracy across multiple datasets.

Contribution

The paper presents KAPG, a novel framework that integrates external lexical knowledge into password guessing, enhancing adaptability and effectiveness over existing models.

Findings

Achieves 36.5% and 74.7% improvements over state-of-the-art models in intra-site and cross-site scenarios.

Demonstrates robustness and computational efficiency in password guessing tasks.

Develops KAPSM, a trend-aware password strength meter outperforming existing tools.

Abstract

As the primary mechanism of digital authentication, user-created passwords exhibit common patterns and regularities that can be learned from leaked datasets. Password choices are profoundly shaped by external factors, including social contexts, cultural trends, and popular vocabulary. Prevailing password guessing models primarily emphasize patterns derived from leaked passwords, while neglecting these external influences -- a limitation that hampers their adaptability to emerging password trends and erodes their effectiveness over time. To address these challenges, we propose KAPG, a knowledge-augmented password guessing framework that adaptively integrates external lexical knowledge into the guessing process. KAPG couples internal statistical knowledge learned from leaked passwords with external information that reflects real-world trends. By using password prefixes as anchors for knowledge lookup, it dynamically injects relevant external cues during generation while preserving the structural regularities of authentic passwords. Experiments on twelve leaked datasets show that KnowGuess achieves average improvements of 36.5\% and 74.7\% over state-of-the-art models in intra-site and cross-site scenarios, respectively. Further analyses of password overlap and model efficiency highlight its robustness and computational efficiency. To counter these attacks, we further develop KAPSM, a trend-aware and site-specific password strength meter. Experiments demonstrate that KAPSM significantly outperforms existing tools in accuracy across diverse evaluation settings.