TY - GEN
T1 - Universal Neural-Cracking-Machines
T2 - 45th IEEE Symposium on Security and Privacy, SP 2024
AU - Pasquini, Dario
AU - Ateniese, Giuseppe
AU - Troncoso, Carmela
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
AB - We introduce the concept of "universal" password model - a password model that, once pre-trained, can automatically adapt its guessing strategy based on the target system. To achieve this, the model does not need to access any plaintext passwords from the target credentials. Instead, it exploits users' auxiliary information, such as email addresses, as a proxy signal to predict the underlying password distribution. Specifically, the model uses deep learning to capture the correlation between the auxiliary data of a group of users (e.g., users of a web application) and their passwords. It then exploits those patterns to create a tailored password model for the target system at inference time. No further training steps, targeted data collection, or prior knowledge of the community's password distribution is required. Besides improving over current password strength estimation techniques, the model enables any end-user (e.g., system administrators) to autonomously generate tailored password models for their systems without the often unworkable requirements of collecting suitable training data and fitting the underlying machine learning model. Ultimately, our framework enables the democratization of well-calibrated password models to the community, addressing a major challenge in the deployment of password security solutions at scale.
KW - deep learning
KW - differential privacy
KW - password guessing
UR - https://www.scopus.com/pages/publications/85204053224
UR - https://www.scopus.com/inward/citedby.url?scp=85204053224&partnerID=8YFLogxK
U2 - 10.1109/SP54263.2024.00032
DO - 10.1109/SP54263.2024.00032
M3 - Conference contribution
AN - SCOPUS:85204053224
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1365
EP - 1384
BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
Y2 - 20 May 2024 through 23 May 2024
ER -