Computer Engineering (计算机工程), 2025, Vol. 51, Issue (11): 22-34, 13. DOI: 10.19678/j.issn.1000-3428.0069794
Optimization Method of Credential Tweaking Attack Based on User Identity Information
Abstract
Password leakage incidents often involve the leakage of user passwords and identity information. Because users are accustomed to reusing passwords across multiple network services, attackers can tweak leaked passwords to accurately attack user accounts. This is called a credential tweaking attack. By analyzing large-scale leaked passwords and the corresponding user identity information, this study finds that user strategies for creating passwords are often associated with user identity information. However, current research on credential tweaking attacks relies only on leaked password structures and ignores leaked user identity information when predicting password tweaking strategies. To improve the accuracy of credential tweaking attacks, this study designs a credential tweaking attack optimization method based on user identity information. In the preprocessing phase, username and regional information are extracted from the user identity information and the probability of users' different password creation strategies in different regions is statistically calculated. In the training phase, regional information is combined to learn users' character-level editing operations on leaked passwords. In the password generation phase, a password generation method that integrates character-level editing operations, structure-level editing operations, and username information is designed. The experimental results show that in an attack with 103 guesses, the cracking rate of this method has a maximum improvement of 41.8% compared to the existing best method (PassBERT), highlighting the threat posed by credential tweaking attacks based on user identity information to password security.
Keywords: password security / credential tweaking attack / targeted password guessing / user identity information / password reusing
Classification: Information Technology and Security Science
Cite this article: Yu Jitao, Cheng Luwei, Han Weili. Optimization Method of Credential Tweaking Attack Based on User Identity Information [J]. Computer Engineering, 2025, 51(11): 22-34, 13.
Funding: National Natural Science Foundation of China (62172100).