Targeted Password Guessing Using k-Nearest Neighbors

Zhen Li

Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Usable Security

This research introduces **KPG (k-Nearest Neighbor Password Guessing)**, a novel non-parametric approach to targeted password guessing that addresses a previously overlooked password reuse behavior: **semantically similar password creation** (Type 3). While prior work focused on structural modifications (Type 1: "shark0301" to "shark03") and popular password selection (Type 2: "shark0301" to "loveyouforever"), KPG captures cases where users create passwords based on partial semantic patterns (Type 3: "shark0301" to "bear1" -- where "bear" derives semantically from "shark").

AI review

An incremental improvement to targeted password guessing that adds semantic reuse capture via k-nearest neighbors. The Type 3 reuse pattern (semantic similarity between passwords) is an interesting observation, but the improvement of 8.52-27.66% is modest, the evaluation relies entirely on leaked datasets without real-world credential stuffing validation, and the Q&A revealed the speaker couldn't engage with basic security implications of the work.
