Text password has served as the most popular method for user authentication
so far, and is not likely to be totally replaced in foreseeable future.
Password authentication offers several desirable properties (e.g., low-cost,
highly available, easy-to-implement, reusable). However, it suffers from a
critical security issue mainly caused by the inability to memorize complicated
strings of humans. Users tend to choose easy-to-remember passwords which are
not uniformly distributed in the key space. Thus, user-selected passwords are
susceptible to guessing attacks. In order to encourage and support users to use
strong passwords, it is necessary to simulate automated password guessing
methods to determine the passwords' strength and identify weak passwords. A
large number of password guessing models have been proposed in the literature.
However, little attention was paid to the task of providing a systematic survey
which is necessary to review the state-of-the-art approaches, identify gaps,
and avoid duplicate studies. Motivated by that, we conduct a comprehensive
survey on all password guessing studies presented in the literature from 1979
to 2022. We propose a generic methodology map to present an overview of
existing methods. Then, we explain each representative approach in detail. The
experimental procedures and available datasets used to evaluate password
guessing models are summarized, and the reported performances of representative
studies are compared. Finally, the current limitations and the open problems as
future research directions are discussed. We believe that this survey is
helpful to both experts and newcomers who are interested in password securityComment: 35 pages, 5 figures, 5 table