Thesis title: Enabling secure passwords via deep learning: Towards a new generation of attacks and defenses
In the present thesis, we aim at alleviating the inherent limitations of current solutions in password security. First and foremost, this requires devising adversary models that accurately describe real-world guessing attacks. It then requires implementing techniques capable of guiding users to choose secure and usable passwords at composition time.
Unfortunately, despite more than three decades of active research dedicated to defining and improving these methodologies, existing approaches still present two major drawbacks: (1) current adversary models rely on simplistic adversarial behaviors that only imperfectly describe the guessing strategies adopted by real-world attackers; (2) existing proactive techniques such as password strength meters are, by construction, unable to fully support users during the password composition process.
Here, we show how Deep Learning techniques allow us to define novel approaches that were previously infeasible or impractical, and that move towards addressing those issues:
(1) We introduce dynamic adversary models in password guessing. Like real-world adversaries, dynamic models automatically adjust their guessing strategy to the currently attacked set of passwords by exploiting information collected during the running attack.
(2) We introduce new guessing techniques that make dictionary attacks consistently more resilient to inadequate configurations. This novel framework allows dictionary attacks to self-heal and move towards optimal attack performance, requiring no supervision.
(3) We introduce Interpretable Probabilistic Password Strength Meters. This novel class of meters exhibits a natural and general feedback mechanism capable of describing to users the latent relation between password strength and password structure. Unlike existing heuristic constructions, this method is free from any human bias and, more importantly, its feedback has a clear probabilistic interpretation.
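To make the idea behind point (3) concrete, the following is an added example, not code from the thesis. It stands in for the deep-learning model with a much simpler character-level bigram model (an assumption chosen only for brevity), trained on a small constructed list of weak passwords. The meter scores a candidate as P(password) = ∏ P(c_i | c_{i-1}), and the per-character factors are the interpretable feedback: a character that the model predicts with high probability contributes few bits of strength (it is structurally predictable), while a surprising character contributes many. Every identifier below is hypothetical.

```python
"""Toy interpretable probabilistic password strength meter (added example)."""
import math
from collections import defaultdict

# Constructed, illustrative training set of weak passwords (not a real leak).
TRAINING_PASSWORDS = [
    "password", "password1", "123456", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "monkey", "dragon", "sunshine",
    "princess", "football", "baseball", "abc123", "password123",
]

START, END = "\x02", "\x03"  # sentinel symbols for start and end of password


class CharBigramModel:
    """Character-level bigram model with additive smoothing.

    P(password) = prod_i P(c_i | c_{i-1}). Each factor is reported back to the
    user: high conditional probability means a cheap-to-guess character, low
    conditional probability means the character adds real strength.
    """

    def __init__(self, passwords, alpha=0.01):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))
        self.alphabet = {END}
        for pw in passwords:
            prev = START
            for ch in pw + END:
                self.counts[prev][ch] += 1
                self.alphabet.add(ch)
                prev = ch
        # Include all printable ASCII so unseen characters still get smoothed mass.
        self.alphabet.update(chr(c) for c in range(32, 127))
        self.vocab_size = len(self.alphabet)

    def cond_prob(self, prev, ch):
        """Smoothed P(ch | prev); unseen pairs get a small non-zero probability."""
        row = self.counts.get(prev, {})
        total = sum(row.values())
        return (row.get(ch, 0) + self.alpha) / (total + self.alpha * self.vocab_size)

    def char_log2_probs(self, password):
        """List of (char, log2 P(char | prev)) for every char, END included."""
        out = []
        prev = START
        for ch in password + END:
            out.append((ch, math.log2(self.cond_prob(prev, ch))))
            prev = ch
        return out

    def strength_bits(self, password):
        """-log2 P(password): total strength in bits under the model."""
        return -sum(lp for _, lp in self.char_log2_probs(password))

    def feedback(self, password, weak_threshold_bits=3.0):
        """Per-character feedback as (char, bits_contributed, is_predictable).

        A character is flagged predictable when the model would have guessed it
        with fewer than `weak_threshold_bits` bits of surprise.
        """
        return [(ch, -lp, -lp < weak_threshold_bits)
                for ch, lp in self.char_log2_probs(password)
                if ch != END]


MODEL = CharBigramModel(TRAINING_PASSWORDS)


def explain(password):
    """Render feedback as a line per character, for a quick interactive check."""
    lines = [f"{ch!r}: {bits:5.2f} bits{'  <- predictable' if weak else ''}"
             for ch, bits, weak in MODEL.feedback(password)]
    lines.append(f"total: {MODEL.strength_bits(password):.2f} bits")
    return "\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password1", "xK9#qL2$"):
        print(candidate)
        print(explain(candidate))
        print()
```

Running the block prints, for each candidate, which characters the model considers predictable given their left neighbour. The thesis's meters replace the bigram model with a neural density estimator, but the feedback principle is the same: the strength score decomposes into per-character terms, so the user is told not only that a password is weak but which part of its structure makes it so.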
Ultimately, these general techniques allow us to increase the rigor and reliability of password security analysis and of the proactive methodologies built on top of it.