CR · Jun 29, 2020

Multi-armed bandit approach to password guessing

arXiv:2006.15904v3 · 1 citation
Originality: Synthesis-oriented
AI Analysis

The paper addresses password security vulnerabilities from the perspective of attackers or security testers, but it is incremental, as it adapts an existing method to a new context.

The paper tackles the problem of efficiently guessing passwords by applying a multi-armed bandit framework to select the best dictionaries or data sources, demonstrating its effectiveness through examples.

The multi-armed bandit is a mathematical interpretation of the problem a gambler faces when confronted with a number of different machines (bandits). The gambler wants to explore different machines to discover which machine offers the best rewards, but simultaneously wants to exploit the most profitable machine. A password guesser is faced with a similar dilemma. They have lists of leaked password sets, dictionaries of words, and demographic information about the users, but they don't know which dictionary will reap the best rewards. In this paper we provide a framework for using the multi-armed bandit problem in the context of the password guesser and use some examples to show that it can be effective.
