Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data

TL;DR

This paper presents a universal, self-configurable neural password model that leverages auxiliary user data to adapt and improve password guessing without needing target password access or additional training.

Contribution

It introduces a novel deep learning framework that automatically adapts password models using auxiliary data, eliminating the need for target password access or extensive retraining.

Findings

Outperforms existing password guessing techniques

Enables end-users to generate tailored password models

Improves password strength estimation accuracy

Abstract

We introduce the concept of "universal password model" -- a password model that, once pre-trained, can automatically adapt its guessing strategy based on the target system. To achieve this, the model does not need to access any plaintext passwords from the target credentials. Instead, it exploits users' auxiliary information, such as email addresses, as a proxy signal to predict the underlying password distribution. Specifically, the model uses deep learning to capture the correlation between the auxiliary data of a group of users (e.g., users of a web application) and their passwords. It then exploits those patterns to create a tailored password model for the target system at inference time. No further training steps, targeted data collection, or prior knowledge of the community's password distribution is required. Besides improving over current password strength estimation techniques and attacks, the model enables any end-user (e.g., system administrators) to autonomously generate tailored password models for their systems without the often unworkable requirements of collecting suitable training data and fitting the underlying machine learning model. Ultimately, our framework enables the democratization of well-calibrated password models to the community, addressing a major challenge in the deployment of password security solutions at scale.