Similarities: The Key Factors Influencing Cross-Site Password Guessing Performance

Password guessing is a crucial research direction in password security, considering vulnerabilities like password reuse and data breaches. While research has extensively explored intra-site password guessing, the complexities of cross-site attacks, where attackers use leaked data from one site to target another, remain less understood. This study investigates the impact of dataset feature similarity on cross-site password guessing performance, revealing that dataset differences significantly influence guessing success more than model variations. By analyzing eight password datasets and four guessing methods, we identified eight key features affecting guessing success, including general data features like length distribution and specific semantic features like PCFG grammar. Our research reveals that syntactic and statistical patterns in passwords, particularly PCFG features, are most effective for cross-site password guessing due to their strong generalization across datasets. The Spearman correlation coefficient of 0.754 between PCFG feature similarity and guessing success rate indicates a significant positive correlation, unlike the minimal impact of length distribution features (0.284). These findings highlight the importance of focusing on robust semantic features like PCFG for improving password guessing techniques and security strategies. Additionally, the study underscores the importance of dataset selection for attackers and suggests that defenders can enhance security by mitigating feature similarity with commonly leaked data.