Optimization Method of Credential Tweaking Attack Based on User Identity Information

Password leakage incidents often involve the leakage of user passwords and identity information. Because users are accustomed to reusing passwords across multiple network services, attackers can tweak leaked passwords to accurately attack user accounts. This is called a credential tweaking attack. By analyzing large-scale leaked passwords and the corresponding user identity information, this study finds that user strategies for creating passwords are often associated with user identity information. However, current research on credential tweaking attacks relies only on leaked password structures and ignores leaked user identity information when predicting password tweaking strategies. To improve the accuracy of credential tweaking attacks, this study designs a credential tweaking attack optimization method based on user identity information. In the preprocessing phase, username and regional information is extracted from the user identity information and the probability of users' different password creation strategies in different regions is statistically calculated. In the training phase, regional information is combined to learn users' character-level editing operations on leaked passwords. In the password generation phase, a password generation method that integrates character-level editing operations, structure-level editing operations, and username information is designed. The experimental results show that in an attack with 10³ guesses, the cracking rate of this method has a maximum improvement of 41.8% compared to the existing best method (PassBERT), highlighting the threat posed by credential tweaking attacks based on user identity information to password security.