Weili Han,Ming Xu,Junjie Zhang,Chuanwang Wang,Kai Zhang,X. Sean Wang

DOI: https://doi.org/10.1109/tifs.2020.3003696

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods' performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework TransPCFG, that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under ${10}^{14}$ offline guesses. For passwords with 16 characters, TransPCFG can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password 12zxcvbnword1997 has four segments since it follows the template ${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

computer science, theory & methods,engineering, electrical & electronic

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Wenting Li,Jiahong Yang,Haibo Cheng,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp49357.2023.10096535

2023-01-01

Abstract:Modeling password distributions is a fundamental problem in password security, benefiting the research and applications on password guessing, password strength meters, honey password vaults, etc. As one of the best segment-based password models, WordPCFG has been proposed to capture individual semantic segments (called words) in passwords. However, we find WordPCFG does not address well the ambiguity of password segmentation by maximum matching, leading to the unreasonable segmentation of many password and further the inaccuracy of modeling password distributions. To address the ambiguity, we improve WordPCFG by maximum probability segmentation with A*-like pruning algorithm. The experimental results show that the improved WordPCFG cracks 99.26%–99.95% passwords, with nearly 5.67%–18.01% improvement.

Xiaochun Gan,Meng Chen,Dong Li,Zongyan Wu,Weili Han,Hu Chen

DOI: https://doi.org/10.1109/icece54449.2021.9674437

2021-01-01

Abstract:Password guessing plays an important role in studying the vulnerability of passwords to improve security. In modern password guessing methods, the patterns of passwords from users in specific regions are discovered from a large number of leaked passwords. Most traditional methods, such as PCFG, Markov process, and other deep learning methods rely only on the training set. Different from other application areas of machine learning, the training set of password guessing comes from leaked real password sets, such as Rockyou, CSDN, and VK. Traditional approaches of password guessing are effective for large-scale training sets. However, the size of leaked password sets leaked by users of small languages or users of specific organizations is very small, which makes it difficult for current password guessing methods which relying only on training sets to discover enough words in passwords. In order to solve this problem, this paper proposed a corpus-based password guessing method. First, we analyzed the common words and their categories in the leaked password sets from users in three different countries. On this basis, we proposed an organization method for multiple language corpora, and constructed corpora of more than 3 million words. Secondly, we improved the traditional PCFG password segmentation method and described password structure based on corpora. Third, we evaluated the probability of words in the corpora which are not appearing in the training set based on the Lapalace smoothing. Actual tests show that our method can produce a finer structure than the PCFG. When the size of the training set decreases, the cracking rate of the PCFG decreases significantly, while the impact of our method is not significant, and the cracking rate is significantly higher than that of the PCFG.

Chen Su,Yuesheng Zhu

DOI: https://doi.org/10.1109/ICC.2017.7997248

2017-01-01

Abstract:In order to remember easily, human beings may use personal information as part of their passwords. In recent years, incidents of Internet information leakage emerge incessantly, which provides more materials for password guessing, such as password database and personal information database. If we have known part of the users' personal information, how to use these data to guess passwords, the research related is still rare. In this paper, on the basis of more than 200 million leaked password accounts and 20 million personal information records in China, we analyze these data statistically and find out that at least 37.20% of these passwords contain personal information. Based on the latest Probabilistic Context-Free Grammars (PCFG) model, we propose a novel method to import personal information and generate passwords containing personal information. In offline attacks, experiments show that the efficiency of password guessing increases by 12.41% compared to PCFG 3.1 and 8.56% to order-4 Markov model after importing personal information in batches. In online attacks, the cracking probability is also improved significantly after importing personal information one by one.

Haibo Cheng,Wenting Li,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp39728.2021.9414886

2021-01-01

Abstract:Probabilistic context-free grammars (PCFGs) have been pro-posed to capture password distributions, and further been used in password guessing attacks and password strength meters. However, current PCFGs suffer from the limitation of inaccurate segmentation of password, which leads to misestimation of password probability and thus seriously affects their performance. In this paper, we propose a word extraction approach for passwords, and further present an improved PCFG model, called WordPCFG. The WordPCFG using word extraction method can precisely extract semantic segments (called word) from passwords based on cohesion and freedom of words. We evaluate our WordPCFG on six large-scale datasets, showing that WordPCFG cracks 83.04%–95.47% passwords and obtains 12.96%–71.84% improvement over the state-of-the-art PCFGs.

Zhijie Xie,Min Zhang,Yuqi Guo,Zhenhan Li,Hongjun Wang

DOI: https://doi.org/10.1155/2020/8837210

2020-01-01

Wireless Communications and Mobile Computing

Abstract:TarGuess − I is a leading online targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. It has attracted widespread attention in password security owing to its superior guessing performance. Yet, after analyzing the users’ vulnerable behaviors of using popular passwords and constructing passwords with users’ PII, we find that this model does not take into account popular passwords, keyboard patterns, and the special strings. The special strings are the strings related to users but do not appear in the users’ demographic information. Thus, we propose TarGuess − I + K P X , a modified password guessing model with three semantic methods, including (1) identifying popular passwords by generating top-300 lists from similar websites, (2) recognizing keyboard patterns by relative position, and (3) catching the special strings by extracting continuous characters from user-generated PII. We conduct a series of evaluations on six large-scale real-world leaked password datasets. The experimental results show that our modified model outperforms TarGuess − I by 2.62% within 100 guesses.

Ding Wang,Zijian Zhang,Ping Wang,Jeff Yan,Xinyi Huang

DOI: https://doi.org/10.1145/2976749.2978339

2016-01-01

Abstract:While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information such as one sister password leaked from her another account and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I~IV capture the four most representative scenarios and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% on security-savvy users and by 72% against normal users; and (3) Both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.

Zhijie Xie,Min Zhang,Anqi Yin,Zhenhan Li

DOI: https://doi.org/10.1007/978-3-030-55304-3_18

2020-01-01

Abstract:TarGuess-I is a leading targeted password guessing model using users’ personally identifiable information (PII) proposed at ACM CCS 2016 by Wang et al. Owing to its superior guessing performance, TarGuess-I has attracted widespread attention in password security. Yet, TarGuess-I fails to capture popular passwords and special strings in passwords correctly. Thus we propose TarGuess-I: an improved password guessing model, which is capable of identifying popular passwords by generating top-300 most popular passwords from similar websites and grasping special strings by extracting continuous characters from user-generated PII. We conduct a series of experiments on 6 real-world leaked datasets and the results show that our improved model outperforms TarGuess-I by 9.07% on average with 1000 guesses, which proves the effectiveness of our improvements.

Yangde Wang,Weidong Qiu,Weicheng Zhang,Hao Tian,Shujun Li

DOI: https://doi.org/10.48550/arXiv.2306.06824

2023-06-12

Cryptography and Security

Abstract:Much research has been done on user-generated textual passwords. Surprisingly, semantic information in such passwords remain underinvestigated, with passwords created by English- and/or Chinese-speaking users being more studied with limited semantics. This paper fills this gap by proposing a general framework based on semantically enhanced PCFG (probabilistic context-free grammars) named SE#PCFG. It allowed us to consider 43 types of semantic information, the richest set considered so far, for semantic password analysis. Applying SE#PCFG to 17 large leaked password databases of user speaking four languages (English, Chinese, German and French), we demonstrate its usefulness and report a wide range of new insights about password semantics at different levels such as cross-website password correlations. Furthermore, based on SE#PCFG and a new systematic smoothing method, we proposed the Semantically Enhanced Password Cracking Architecture (SEPCA). To compare the performance of SEPCA against three state-of-the-art (SOTA) benchmarks in terms of the password coverage rate: two other PCFG variants and FLA. Our experimental results showed that SEPCA outperformed all the three benchmarks consistently and significantly across 52 test cases, by up to 21.53%, 52.55% and 7.86%, respectively, at the user level (with duplicate passwords). At the level of unique passwords, SEPCA also beats the three benchmarks by up to 33.32%, 86.19% and 10.46%, respectively. The results demonstrated the power of SEPCA as a new password cracking framework.

Shuo Zhang,Jianping Zeng,Zewen Zhang

DOI: https://doi.org/10.1109/icasid.2017.8285733

2017-01-01

Abstract:Currently the password security is serious, but there is not an appropriate metric for measuring passwords. Thus, the main purpose of this paper is to provide a security time period for the user's password in an online system, allowing the user to modify the password before the security period arrives to prevent the attacker from guessing correctly. We use the guessing chain to calculate the expected time that the attacker need to guess the target password correctly based on the guessing entropy. We assume that the attacker uses a dictionary attack, which is also a probability sequence, and the dictionary is non-ordered or ordered. At the same time, we analyze the large-scale password dataset Rockyou, which contains nearly 32 million passwords. And we assume that the ordered dictionary is organized in descending frequency, in which the probability of the occurrence of the password obeys a long-tailed distribution. We explore the form of the distribution function. And we first find that the simple Zipf distribution can better fit with the empirical distribution of ordered dictionary.

Daojing He,Zhiyong Liu,Shanshan Zhu,Sammy Chan,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2024.3367323

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Continuously preventing weak password attacks is one of the most important initiatives to secure IoT and smart contract platforms. Despite their significance as crucial components of passwords, special character segments have been overlooked. This study systematically studies the basic characteristics and semantic patterns of special character segments. We assess the efficacy of special character segment characteristics in cracking trials through assimilation into the latest Probabilistic Context-Free Grammar (PCFGv4) method for password cracking by updating the pre-terminal structure or performing special character segment transformation. Experimental findings demonstrate that a mere 6% transformation rate improves the cracking rate by 3.72% under the optimal assimilation combination. Our investigation reveals that the current password creation policies of mainstream IoT platforms and smart contract wallets overestimate the strength of passwords with special characters. To enhance their passwords, users can employ low-frequency special character semantic strings. For IoT platforms or smart contract wallets, the use of blacklist constructed from special character segment characteristics can effectively mitigate the risk of overestimating the strength of passwords with special characters.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ding Wang,Haibo Cheng,Ping Wang,Xinyi Huang,Chao-Hsien Chu

2016-01-01

Abstract:While the computer security world has changed a lot over the last two decades, textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention (e.g., user surveys and empirical analysis) has been paid to passwords chosen by English users, yet relatively little is known about how nonEnglish users select passwords. In this work, we conduct so far the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords. We further perform an empirical analysis of 100 million Chinese web passwords in a comparison with 30 million English ones, a corpus among the largest ones ever studied. We identify a number of interesting structural and semantic characteristics in Chinese passwords, and also examine their security by employing two state-of-the-art password cracking techniques (i.e., probabilistic context-free grammars (PCFG) and Markov models). Particularly, our cracking results reveal a “reversal principle”: when the guess number allowed is small, Chinese passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in 2012 and Li et al. in 2014, respectively. At 10 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is from 33.2% to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We also discuss the implications of our findings. This work is expected to help facilitate both security administrators and users to gain a better understanding of the vulnerability of Chinese passwords, as well as to shed light on future password research.

Zach Parish,Connor Cushing,Shourya Aggarwal,Amirali Salehi-Abari,Julie Thorpe

DOI: https://doi.org/10.1007/s10207-021-00560-9

2021-08-23

International Journal of Information Security

Abstract:Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, comparisons between password guessers are limited to simple success rates. Thus, little is known on how password guessers can best be combined with or complement each other. To extend analyses beyond success rates, we devise an analytical framework to compare the types of passwords that guessers generate. Using our framework, we show that different guessers often produce dissimilar passwords, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective in guessing passwords as computationally intensive guessers, but more efficient. Our framework can be used to identify combinations of guessers that will best complement each other. To improve the success rate of any guesser, we also show how an effective training dataset can be identified for a given target password dataset, even when the target dataset is hashed. Our insights allow us to provide a concrete set of practical recommendations for password checking to effectively and efficiently measure password strength.

computer science, information systems, theory & methods, software engineering

Xizhe Zhang,Xiong Zhang,Jiahao Hu,Yuesheng Zhu

DOI: https://doi.org/10.1109/CSCWD57460.2023.10152712

2023-01-01

Abstract:Password authentication is a widely used identity authentication method for computer supported cooperative systems. However, the frequent occurrence of password leakage incidents has become a universal problem, and the leaked passwords seriously threaten the security of users’ unleaked passwords. In order to gain a deeper understanding of the relationship between users’ old passwords and new passwords and help users choose a securer new password when their old passwords are leaked, we propose a new targeted online guessing algorithm, Targuess-II <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">+</sup> , based on old password in this article. As a new probabilistic algorithm, Targuess-II <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">+</sup> not only supports the application of strong transformation rules at any positions in a password, but also shows the transformation process from one password to another. Our analysis and experimental results have demonstrated that Targuess-II <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">+</sup> obtains better performance in terms of crack rate and efficiency compared with other existing algorithms.

Haodong Zhang,Chuanwang Wang,Wenqiang Ruan,Junjie Zhang,Ming Xu,Weili Han

DOI: https://doi.org/10.1145/3485832.3488025

2021-01-01

Abstract:Users usually create their passwords with meaningful digits, i.e. digit semantics, which can be partially exploited by probabilistic password guessing models with a data-driven methodology for better efficiency. However, these semantics are largely ignored by current practical password cracking tools, like John the Ripper (JtR) and Hashcat. In this paper, we are motivated to study the digit semantics in passwords and exploit them to improve the guessing efficiency of practical password cracking tools. We first design a practical extraction tool of digit semantics in passwords. Then we conduct a comprehensive empirical analysis of the digit semantics in four large-scale password sets leaked from the real world. Based on the analysis results, we further propose two new operations (the basic unit to construct mangling rules), then generate 1,974 digit semantics rules constructed from them. Moreover, in order to enforce semantics rules in JtR and Hashcat, we optimize their rule engines and running logic with the compatibility of the original built-in operations. The evaluation on the real password sets shows the significant advantage of digit semantics rules to extend current typical rule sets when we crack both Chinese and English (two of the largest user groups) passwords with digit strings.

Yubing Bao,Jianping Zeng,Jirui Yang,Ruining Yang,Zhihui Lu

DOI: https://doi.org/10.1145/3703350

IF: 2.717

2024-01-01

ACM Transactions on Privacy and Security

Abstract:The predominant authentication method still relies on usernames and passwords. To enhance memorability, domain terms may have been opted to include as part of passwords. However, there is little analysis of the extent to which such practice affects password security, so there is a lack of guidance on how users use domain terms on websites with different domain characteristics. To address the problem, we propose a novel approach to analyze the security effect of using domain terms in passwords. The methodology primarily consists of three stages. Firstly, we utilize Web crawlers to harvest domain vocabularies, subsequently leveraging the TextRank algorithm to rank their importance. Afterward, we propose an algorithm for constructing a simulated domain-specific password dataset by replacing password elements with domain terms. Finally, password guessing experiments are done on the dataset using PCFG and Markov model to evaluate the impact of domain terms on password security. The experimental results indicate that, for systems without clear domain, 20% domain terms replacement in the test set can reduce the cracking rate by up to 5.45%. In contrast, for domain-specific systems, 20% domain terms replacement in the training set can increase the cracking rate by 6.45%. These findings provide practical guidance on the application of domain knowledge in password creation for different types of systems. In summary, this study offers a novel perspective for exploring the security implications of passwords influenced by specific domains.

Wei-Li HAN,Lang YUAN,Si-Si LI,Xiao-Yang WANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.01151

2017-01-01

Chinese Journal of Computers

Abstract:Large-scale real user password sets are well regarded important in the field of system security research,due to their usages in evaluating the efficacy of the algorithms that guess passwords,and detecting defects of existing password protection mechanisms,etc.At present,some ways of capturing real passwords are available for researchers,such as accidental or malicious passwords disclosure,voluntary user contributions,or sharing by voluntary websites for research purposes.However,there are some serious limitations involved in collecting user password sets in the above ways.For example,password sets that are captured from passwords disclosure may have been tampered,and therefore their quality cannot be guaranteed.What's more,types of these password sets are limited.As a result,it is still difficult for researches to have access to the large-scale clear-text user passwords in a systematic manner.Motivated to resolve the above issue,this paper presents a sample perturbation based password generation algorithm(SPPG for short).The algorithm is to use a given small-scale real user password sample as a training set to generate a probability model that can then be used to provide large-scale password sets.The small-scale sample is relatively easier to obtain.With the purpose of improving the authenticity of the simulation password sets,the SPPG algorithm is designed based on the idea of sample perturbation.On the one hand,the algorithm takes advantage of the Probabilistic Context-Free Grammar to parse the sample,and then generates passwords that have the same structures with passwords in the sample.On the other hand,it also utilizes rules that are frequently used for users to deform their passwords,and then generates passwords that are similar to passwords in the sample.To evaluate the efficacy of the SPPG algorithm,this paper presents a set of criteria to evaluate the quality of the simulation password sets.These criteria include the coverage rate of the real passwords,the goodness of fit to the Zipf distribution,the similarity of password structure distributions and the proportion of special patterns.In the end,this paper compares the efficacy of the SPPG algorithm with the popular probability models of password guessing,including the Probabilistic Context-Free Grammar and several variants of the Markov models.In the experiment,small-scale samples are randomly selected from real user password sets,and then are used by different models to generate the simulation password sets.The experiment results show that the SPPG algorithm has better performances.On average,the coverage of the real passwords is improved by 9.58％ and 72.79％ respectively compared with the Probabilistic Context-Free Grammar and the 4-order Markov model.And the coverage of the real passwords is 10.34 times more than the 3-order Markov model and 13.41 times more than the 1-order Markov model.Besides,the goodness of fit to the Zipf distribution remains at a high level that is no less than 0.9.As for the password structure distribution and the proportion of special patterns,simulation password sets generated by the SPPG algorithm are also shown to be more similar to the real password sets compared with simulation password sets generated by the other models.

Ming Xu,Jitao Yu,Xinyi Zhang,Chuanwang Wang,Shenghao Zhang,Haoqi Wu,Weili Han

2023-01-01

Abstract:Password guessing attacks, prevalent issues in the real world, can be conceptualized as efforts to approximate the probability distribution of text tokens. Techniques in the natural language processing (NLP) field naturally lend themselves to password guessing. Among them, bi-directional transformers stand out with their ability to utilize bi-directional contexts to capture the nuances in texts. To further improve password guessing attacks, we propose a bi-directional-transformer-based guessing framework, referred to as PassBERT, which applies the pre-training / finetuning paradigm to password guessing attacks. We first prepare a pre-trained password model, which contains the knowledge of the general password distribution. Then, we design three attack-specific fine-tuning approaches to tailor the pretrained password model to the following real-world attack scenarios: (1) conditional password guessing, which recovers the complete password given a partial password; (2) targeted password guessing, which compromises the password(s) of a specific user using their personal information; (3) adaptive rule-based password guessing, which selects adaptive mangling rules for a word (i.e., base password) to generate rule-transformed password candidates. The experimental results show that our fine-tuned models can outperform the state-of-the-art models by 14.53%, 21.82% and 4.86% in the three attacks, respectively, demonstrating the effectiveness of bi-directional transformers on downstream guessing attacks. Finally, we propose a hybrid password strength meter to mitigate the risks from the three attacks.