🤖 AI Summary
This work addresses the security vulnerability arising from users’ tendency to create predictable variants of their old passwords when changing them. To mitigate this issue, the study proposes the first use of large language models (LLMs) for semantic understanding of passwords, generating new password components that are semantically related yet syntactically distinct from the original. By integrating password semantic analysis with user behavior modeling, the approach preserves memorability while substantially enhancing resistance to guessing attacks. Empirical evaluation demonstrates that the generated passwords are significantly harder to guess through online attacks compared to those produced by conventional substitution strategies, while maintaining comparable login success rates one week after creation—thus achieving a practical balance between security and usability.
📝 Abstract
We report on the design and evaluation of MindReader, a tool that helps a user replace her password when she is required to do so. Left to their own devices, users tend to replace their previous passwords with predictable variations of the original ones. MindReader leverages LLMs to suggest password variations that are chosen to be easy for the user to remember but harder for an attacker to predict. To do this, MindReader infers the meaning behind original password components and then suggests semantically related (yet syntactically unrelated) components for the new password. In a user study, passwords created using MindReader were more secure than both replacement passwords created without using MindReader and original passwords. In particular, MindReader replacement passwords were harder to guess in an online attack than alternative replacement passwords even by an attacker with knowledge of the original password and full knowledge of the tool implementation. Passwords created with MindReader were also comparably memorable to alternative replacement passwords and original passwords, as measured by the ability of users to successfully log in a week after creating their password.