KAPG: Adaptive Password Guessing via Knowledge-Augmented Generation
Xudong Yang, Jincheng Li, Kaiwen Xing, Zhenjia Xiao, Mingjian Duan, Weili Han, Hu Xiong
TL;DR
The paper tackles the adaptability gap in password guessing by integrating external knowledge into generation. It introduces KAPG, a knowledge-augmented framework combining a 4th-order Markov internal generator with a Faiss-backed external knowledge retriever and a Fusionizer to dynamically fuse signals, achieving strong performance across intra-site and cross-site settings on 12 leaked datasets. It also presents KAPSM, a trend-aware password strength meter that adapts to site-specific distributions and demonstrates superior accuracy and adaptability in deployment simulations. The work highlights practical implications for both offensive cracking efficiency and defensive strength assessment, and discusses privacy and safety considerations, including dynamic updating and poisoning resilience.
Abstract
As the primary mechanism of digital authentication, user-created passwords exhibit common patterns and regularities that can be learned from leaked datasets. Password choices are profoundly shaped by external factors, including social contexts, cultural trends, and popular vocabulary. Prevailing password guessing models primarily emphasize patterns derived from leaked passwords, while neglecting these external influences -- a limitation that hampers their adaptability to emerging password trends and erodes their effectiveness over time. To address these challenges, we propose KAPG, a knowledge-augmented password guessing framework that adaptively integrates external lexical knowledge into the guessing process. KAPG couples internal statistical knowledge learned from leaked passwords with external information that reflects real-world trends. By using password prefixes as anchors for knowledge lookup, it dynamically injects relevant external cues during generation while preserving the structural regularities of authentic passwords. Experiments on twelve leaked datasets show that KnowGuess achieves average improvements of 36.5\% and 74.7\% over state-of-the-art models in intra-site and cross-site scenarios, respectively. Further analyses of password overlap and model efficiency highlight its robustness and computational efficiency. To counter these attacks, we further develop KAPSM, a trend-aware and site-specific password strength meter. Experiments demonstrate that KAPSM significantly outperforms existing tools in accuracy across diverse evaluation settings.
