A Survey on Password Guessing

Text password has served as the most popular method for user authentication so far, and is not likely to be totally replaced in foreseeable future. Password authentication offers several desirable properties (e.g., low-cost, highly available, easy-to-implement, reusable). However, it suffers from a critical security issue mainly caused by the inability to memorize complicated strings of human. Users tend to choose easy-to-remember passwords which are not uniformly distributed in the key space, and are susceptible to guessing attack. In order to encourage and support users to use strong passwords, it is necessary to simulate automate password guessing methods to determine the passwords' strength and identify weak passwords. A large number of password guessing models have been proposed in the literature. However, little attention was paid on the task of providing a systematic survey which is necessary to review the state-of-the-art approaches, identify gaps, and avoid duplicate study. Motivated from that, we conduct a comprehensive survey on all password guessing studies presented in the literature from 1979 to 2022. We propose a generic methodology map of existing models to present an overview of this field, then, subsequently explain each approach in detail. The experimental procedures and available datasets used for evaluating password guessing models are summarized, along with the reported performances of representative studies. Finally, the current limitations and the open problems as future research directions are discussed. We believe that this survey is helpful to both the experts and newcomers who are interested in password security.