Titolo della tesi: Enabling secure passwords via deep learning: Towards a new generation of attacks and defenses
In the present thesis, we aim at alleviating the inherent limitations affecting current solutions in password security. First and foremost, this process requires to devise adversary models that accurately describe real-world guessing attacks. Then, it necessitates the implementation of techniques that are capable of guiding users to choose secure and usable passwords at composition time.
Unfortunately, despite more than three decades of active research dedicated to define and improve these methodologies, existing approaches still present two major drawbacks: (1) current adversary models rely on simplistic adversarial behaviors that only imperfectly describe the guessing strategies adopted by real-world attackers; (2) existing proactive techniques such as password strength meters, by construction, are unable to fully support users during the password composition process.
Here, we show how Deep Learning techniques allow us to define novel approaches, that were either unfeasible or unpractical before and that move towards addressing those issues:
(1) We introduce dynamic adversary models in password guessing. Similarly to real-world adversaries, dynamic models automatically adjust their guessing strategy for the current attacked-set of passwords by exploiting information collected during the running attack.
(2) We introduce new guessing techniques that make dictionary attacks consistently more resilient to inadequate configurations. This novel framework allows dictionary attacks to self-heal and move towards optimal attacks’ performance, requiring no supervision.
(3) We introduce Interpretable Probabilistic Password Strength Meters. This novel class of meters exhibits a natural and general feedback mechanism capable of describing to the users the latent relation between password strength and password structure. Unlike existing heuristic constructions, this method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation.
Eventually, these general techniques allow us to increase the rigorousness and reliability of password security analysis and proactive methodologies that stem on top of them.