Sumith Yesudasan

DOI: https://doi.org/10.48550/arXiv.2110.01038

2021-10-03

Cryptography and Security

Abstract:Weak passwords and availability of supercomputers to password crackers make the financial institutions and businesses at stake. This calls for use of strong passwords and multi factor authentication for secure transactions. Remembering a long and complex password by humans is a daunting task and mnemonic has helped to mitigate this situation to an extent. This paper discusses creating and using long random password and storing them securely using a hybrid strategy of hash-encryption method. The hash function uses a mnemonic password based on the hotel names and other characteristics like room number, floor number and breakfast meal preferences to generate the encryption key. The random strong password can be then encrypted using the key and stored safely. A computer program named Hector is developed which demonstrates these steps and can be used to generate and store the passwords.

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Yangde Wang,Haozhang Li,Weidong Qiu,Shujun Li,Peng Tang

DOI: https://doi.org/10.1007/978-981-97-5101-3_22

2024-07-19

Abstract:Textual passwords are still the most widely used user authentication mechanism. Due to the close connections between textual passwords and natural languages, advanced technologies in natural language processing (NLP) and machine learning (ML) could be used to model passwords for different purposes such as studying human password-creation behaviors and developing more advanced password cracking methods for informing better defence mechanisms. In this paper, we propose PassTSL (modeling human-created Passwords through Two-Stage Learning), inspired by the popular pretraining-finetuning framework in NLP and deep learning (DL). We report how different pretraining settings affected PassTSL and proved its effectiveness by applying it to six large leaked password databases. Experimental results showed that it outperforms five state-of-the-art (SOTA) password cracking methods on password guessing by a significant margin ranging from 4.11% to 64.69% at the maximum point. Based on PassTSL, we also implemented a password strength meter (PSM), and our experiments showed that it was able to estimate password strength more accurately, causing fewer unsafe errors (overestimating the password strength) than two other SOTA PSMs when they produce the same rate of safe errors (underestimating the password strength): a neural-network based method and zxcvbn. Furthermore, we explored multiple finetuning settings, and our evaluations showed that, even a small amount of additional training data, e.g., only 0.1% of the pretrained data, can lead to over 3% improvement in password guessing on average. We also proposed a heuristic approach to selecting finetuning passwords based on JS (Jensen-Shannon) divergence and experimental results validated its usefulness. In summary, our contributions demonstrate the potential and feasibility of applying advanced NLP and ML methods to password modeling and cracking.

Cryptography and Security,Artificial Intelligence,Computation and Language

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Renye Yan,Zhe Wu,Yuan Zhan,Pin Tao,Zongwei Wang,Yimao Cai,Junliang Xing

DOI: https://doi.org/10.1109/IJCNN54540.2023.10191424

2023-01-01

Abstract:Reinforcement learning for hard-exploration tasks remains challenging due to the long-term dependence and sparse-and-delay rewards in complex environments. In these challenging tasks, intrinsic motivation has become a dominant paradigm to enable the agent to explore the environment when no external reward feedback is available. In this work, inspired by studies from the human memory mechanism, we present a mnemonic dictionary learning (MDL) model for intrinsic motivation in reinforcement learning. The MDL model leverages sparse dictionary learning to incremental abstract the exploration histories into a compact memory-like dictionary, providing an excellent intrinsic motivation model. This mnemonic dictionary model not only drives the agent to explore novel stats in the environments indicated by the memory reconstruction error but also helps the agent to remember the key states and structure of the environments using its learned bases and reconstruction coefficients. The proposed MDL model can serve as a generative module for existing exploration methods. Extensive experimental results on typical sparse-reward tasks demonstrate its effectiveness and applicability over several competing algorithms. We will release the source code and trained models to facilitate further studies in this research direction.

Zhepeng Wang,Runxue Bao,Yawen Wu,Jackson Taylor,Cao Xiao,Feng Zheng,Weiwen Jiang,Shangqian Gao,Yanfu Zhang

2024-09-21

Abstract:Pretrained large language models (LLMs) have revolutionized natural language processing (NLP) tasks such as summarization, question answering, and translation. However, LLMs pose significant security risks due to their tendency to memorize training data, leading to potential privacy breaches and copyright infringement. Accurate measurement of this memorization is essential to evaluate and mitigate these potential risks. However, previous attempts to characterize memorization are constrained by either using prefixes only or by prepending a constant soft prompt to the prefixes, which cannot react to changes in input. To address this challenge, we propose a novel method for estimating LLM memorization using dynamic, prefix-dependent soft prompts. Our approach involves training a transformer-based generator to produce soft prompts that adapt to changes in input, thereby enabling more accurate extraction of memorized data. Our method not only addresses the limitations of previous methods but also demonstrates superior performance in diverse experimental settings compared to state-of-the-art techniques. In particular, our method can achieve the maximum relative improvement of 112.75% and 32.26% over the vanilla baseline in terms of discoverable memorization rate for the text generation task and code generation task respectively.

Computation and Language,Artificial Intelligence,Cryptography and Security,Machine Learning

Nishant Balepur,Matthew Shu,Alexander Hoyle,Alison Robey,Shi Feng,Seraphina Goldfarb-Tarrant,Jordan Boyd-Graber

2024-10-04

Abstract:Keyword mnemonics are memorable explanations that link new terms to simpler keywords. Prior work generates mnemonics for students, but they do not train models using mnemonics students prefer and aid learning. We build SMART, a mnemonic generator trained on feedback from real students learning new terms. To train SMART, we first fine-tune LLaMA-2 on a curated set of user-written mnemonics. We then use LLM alignment to enhance SMART: we deploy mnemonics generated by SMART in a flashcard app to find preferences on mnemonics students favor. We gather 2684 preferences from 45 students across two types: expressed (inferred from ratings) and observed (inferred from student learning), yielding three key findings. First, expressed and observed preferences disagree; what students think is helpful does not always capture what is truly helpful. Second, Bayesian models can synthesize complementary data from multiple preference types into a single effectiveness signal. SMART is tuned via Direct Preference Optimization on this signal, which resolves ties and missing labels in the typical method of pairwise comparisons, augmenting data for LLM output quality gains. Third, mnemonic experts assess SMART as matching GPT-4 at much lower deployment costs, showing the utility of capturing diverse student feedback to align LLMs in education.

Computation and Language

Haodong Zhang,Chuanwang Wang,Wenqiang Ruan,Junjie Zhang,Ming Xu,Weili Han

DOI: https://doi.org/10.1145/3485832.3488025

2021-01-01

Abstract:Users usually create their passwords with meaningful digits, i.e. digit semantics, which can be partially exploited by probabilistic password guessing models with a data-driven methodology for better efficiency. However, these semantics are largely ignored by current practical password cracking tools, like John the Ripper (JtR) and Hashcat. In this paper, we are motivated to study the digit semantics in passwords and exploit them to improve the guessing efficiency of practical password cracking tools. We first design a practical extraction tool of digit semantics in passwords. Then we conduct a comprehensive empirical analysis of the digit semantics in four large-scale password sets leaked from the real world. Based on the analysis results, we further propose two new operations (the basic unit to construct mangling rules), then generate 1,974 digit semantics rules constructed from them. Moreover, in order to enforce semantics rules in JtR and Hashcat, we optimize their rule engines and running logic with the compatibility of the original built-in operations. The evaluation on the real password sets shows the significant advantage of digit semantics rules to extend current typical rule sets when we crack both Chinese and English (two of the largest user groups) passwords with digit strings.

Zeng Jianping,Duan Jiangjiao,Wu Chengrong

DOI: https://doi.org/10.1016/j.cose.2018.10.004

IF: 5.105

2019-01-01

Computers & Security

Abstract:Passwords are especially ubiquitous in authentication systems. Although a lot of research has concentrated on the analysis of passwords, statistical characteristics are limited to explicit properties such as string length, the use of numeric characters in passwords. We explore the implicit properties of lexical sentiment in passwords by utilizing Natural Language Processing technology. Firstly, we construct several dictionaries, such as frequently used words, General Inquirer polarities, extended Ekman sentiment words. Then, an algorithm to split passwords into meaningful units is designed. Finally, statistical characteristics in lexical sentiment are discovered from three large-scale password sets leaked from the Internet websites. The results show that the occurrence probability of sentiment words is higher than that of several known patterns, such as [country], [number][female name]. With consideration of sentiment polarity, we find that people tend to use positive words in passwords. The percentage of positive sentiment is greater than that of negative words. Further research reveals that the joy type of sentiment is more popular in passwords than other kinds of sentiments, such as surprise and sadness. The discoveries suggest that the lexical sentiment, especially, positive and joy type can be utilized as a component in password patterns to measure password strength.

Jiahong Xie,Haibo Cheng,Rong Zhu,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp43922.2022.9746203

2022-01-01

Abstract:To date there are few researches on the semantic information of passwords, which leaves a gap preventing us from fully understanding the passwords characteristic and security. We propose a new password probability model for semantic information based on Markov Chain with both generalization and accuracy, called WordMarkov, that can capture the semantic essence of password samples. Further, we evaluate our design via password guessing attacks, on six real-world datasets, and we show that WordMarkov obtains 24.29%–67.37% improvement over the state-of-the-art password probability models. Even more surprising is that WordMarkov achieves 75.35%–96.34% attack improvement on "long" passwords, indicating the importance of semantic parts in long passwords.

Liping Li,Qinglei Zhou,Bin Li,Xueming Si

DOI: https://doi.org/10.1109/CyberC.2018.00014

2018-01-01

Abstract:Identity authentication is the first line of defense to ensure the security of information systems, and passwords are the most widely used authentication method. Choosing a valid password structure is an effective way to prevent password attacks, such as password dictionary attack. This article talked 68386069 real plaintext passwords with statistical their various features, summarized several rules for generating highly utilized passwords in certain styles. Based on these statistical features and rules, it generated high-probability password structure gene banks. With them, it formulates a dictionary to generate the candidate passwords. Thereby, this can enhance the efficiency of password recovery. We conducted extensive experiments by the real password test data, and the experimental results, compared with the dictionary provided by major websites, show that the dictionary of high probability password structure hit rate increased by about 30%. At the same time, this dictionary can save about one-third of the running time.

Javier Rando,Fernando Perez-Cruz,Briland Hitaj

2023-06-15

Abstract:Large language models (LLMs) successfully model natural language from vast amounts of text without the need for explicit supervision. In this paper, we investigate the efficacy of LLMs in modeling passwords. We present PassGPT, a LLM trained on password leaks for password generation. PassGPT outperforms existing methods based on generative adversarial networks (GAN) by guessing twice as many previously unseen passwords. Furthermore, we introduce the concept of guided password generation, where we leverage PassGPT sampling procedure to generate passwords matching arbitrary constraints, a feat lacking in current GAN-based strategies. Lastly, we conduct an in-depth analysis of the entropy and probability distribution that PassGPT defines over passwords and discuss their use in enhancing existing password strength estimators.

Computation and Language,Artificial Intelligence,Cryptography and Security

Jaryn Shen,Timothy T. Yuen,Kim-Kwang Raymond Choo,Qingkai Zeng

DOI: https://doi.org/10.1007/978-3-030-21548-4_28

2019-01-01

Abstract:Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.

Yushuo Guan,Yuanxing Zhang,Lin Chen,Kaigui Bian

DOI: https://doi.org/10.1109/ICCChina.2019.8855847

2019-01-01

Abstract:In many scenarios, one has to enter her text or graphical password in a public area, such as unlocking the smartphone on the street, and entering the password when she pays with a debit card in a shopping mall. However, the environment where the password is entered may be adversarial as it is almost impossible to prevent adversaries from premeditated installation of surveillance and/or eavesdropping equipment in public areas. In this work, we investigate password security in such extreme adversarial environments in which every single interaction between humans (provers) and input terminals (verifiers) is transparent to the attacker. We first present a neural network-based attack model, which consists of a feature extraction model and a prediction model. Experimental results show that the neural model attains an accuracy of more than 80% in password prediction in three real-world authentication systems. We also propose a risk alert system based on the attack model. It can issue a timely warning notice when the password in use is at high security risk.

Xingyu Su,Xiaojie Zhu,Yang Li,Yong Li,Chi Chen,Paulo Esteves-Veríssimo

2024-06-18

Abstract:Amidst the surge in deep learning-based password guessing models, challenges of generating high-quality passwords and reducing duplicate passwords persist. To address these challenges, we present PagPassGPT, a password guessing model constructed on Generative Pretrained Transformer (GPT). It can perform pattern guided guessing by incorporating pattern structure information as background knowledge, resulting in a significant increase in the hit rate. Furthermore, we propose D&C-GEN to reduce the repeat rate of generated passwords, which adopts the concept of a divide-and-conquer approach. The primary task of guessing passwords is recursively divided into non-overlapping subtasks. Each subtask inherits the knowledge from the parent task and predicts succeeding tokens. In comparison to the state-of-the-art model, our proposed scheme exhibits the capability to correctly guess 12% more passwords while producing 25% fewer duplicates.

Cryptography and Security,Artificial Intelligence

T.V. Laptyeva,S. Flach,K. Kladko

DOI: https://doi.org/10.1209/0295-5075/95/50007

2011-07-01

Abstract:Vulnerabilities related to weak passwords are a pressing global economic and security issue. We report a novel, simple, and effective approach to address the weak password problem. Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, and computational round-off errors we design an algorithm that strengthens security of passwords. The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective. We expect our approach to have wide applications for authentication and encryption technologies.

Cryptography and Security,Other Condensed Matter,Chaotic Dynamics

Xinyu Jiang,Ke Xu,Xiangyu Liu,Chenyun Dai,David A. Clifton,Edward A. Clancy,Metin Akay,Wei Chen

DOI: https://doi.org/10.1109/tii.2020.3001612

IF: 12.3

2021-04-01

IEEE Transactions on Industrial Informatics

Abstract:In this article, we propose a novel neuromuscular password-based user authentication method. The method consists of two parts: surface electromyogram (sEMG) based finger muscle isometric contraction password (FMICP) and neuromuscular biometrics. FMICP can be entered through isometric contraction of different finger muscles in a prescribed order without actual finger movement, which makes it difficult for observers to obtain the password. In our study, the isometric contraction patterns of different finger muscles were recognized through high-density sEMG signals acquired from the right dorsal hand. Moreover, both time–frequency–space domain features at macroscopic level (interference-pattern EMG) and motor neuron firing rate features at microscopic level (via decomposition) were extracted to represent neuromuscular biometrics, serving as a second defense. The FMICP and macro–micro neuromuscular biometrics together form a neuromuscular password. The proposed neuromuscular password achieved an equal error rate (EER) of 0.0128 when impostors entered a wrong FMICP. Even when impostors entered the correct FMICP, the neuromuscular biometrics, as the second defense, inhibited impostors with an EER of 0.1496. To the best of our knowledge, this is the first study to use individually unique neuromuscular information during unobservable muscle isometric contractions for user authentication, with training and testing data acquired on different days.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Sylvain Gelly,Karol Kurach,Marcin Michalski,Xiaohua Zhai

DOI: https://doi.org/10.48550/arXiv.1803.11203

IF: 5.414

2018-03-29

Machine Learning

Abstract:We propose a new learning paradigm called Deep Memory. It has the potential to completely revolutionize the Machine Learning field. Surprisingly, this paradigm has not been reinvented yet, unlike Deep Learning. At the core of this approach is the \textit{Learning By Heart} principle, well studied in primary schools all over the world. Inspired by poem recitation, or by $\pi$ decimal memorization, we propose a concrete algorithm that mimics human behavior. We implement this paradigm on the task of generative modeling, and apply to images, natural language and even the $\pi$ decimals as long as one can print them as text. The proposed algorithm even generated this paper, in a one-shot learning setting. In carefully designed experiments, we show that the generated samples are indistinguishable from the training examples, as measured by any statistical tests or metrics.

Dario Pasquini,Marco Cianfriglia,Giuseppe Ateniese,Massimo Bernaschi

DOI: https://doi.org/10.48550/arXiv.2010.12269

2021-02-26

Abstract:Password security hinges on an in-depth understanding of the techniques adopted by attackers. Unfortunately, real-world adversaries resort to pragmatic guessing strategies such as dictionary attacks that are inherently difficult to model in password security studies. In order to be representative of the actual threat, dictionary attacks must be thoughtfully configured and tuned. However, this process requires a domain-knowledge and expertise that cannot be easily replicated. The consequence of inaccurately calibrating dictionary attacks is the unreliability of password security analyses, impaired by a severe measurement bias. In the present work, we introduce a new generation of dictionary attacks that is consistently more resilient to inadequate configurations. Requiring no supervision or domain-knowledge, this technique automatically approximates the advanced guessing strategies adopted by real-world attackers. To achieve this: (1) We use deep neural networks to model the proficiency of adversaries in building attack configurations. (2) Then, we introduce dynamic guessing strategies within dictionary attacks. These mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets. Our techniques enable more robust and sound password strength estimates within dictionary attacks, eventually reducing overestimation in modeling real-world threats in password security. Code available: <a class="link-external link-https" href="https://github.com/TheAdamProject/adams" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Machine Learning

Junbin Ye,Min Jin,Guoliang Gong,Rongxuan Shen,Huaxiang Lu

DOI: https://doi.org/10.3390/s22176484

2022-08-29

Abstract:The frequent incidents of password leakage have increased people's attention and research on password security. Password guessing is an essential part of password cracking and password security research. The progression of deep learning technology provides a promising way to improve the efficiency of password guessing. However, the mainstream models proposed for password guessing, such as RNN (or other variants, such as LSTM, GRU), GAN and VAE still face some problems, such as the low efficiency and high repetition rate of the generated passwords. In this paper, we propose a password-guessing model based on the temporal convolutional neural network (PassTCN). To further improve the performance of the generated passwords, we propose a novel password probability label-learning method, which reconstructs labels based on the password probability distribution of the training set and deduplicates the training set when training. Experiments on the RockYou dataset showed that, when generating 108 passwords, the coverage rate of PassTCN with password probability label learning (PassTCN-PPLL) reached 12.6%, which is 87.2%, 72.6% and 42.9% higher than PassGAN (a password-guessing model based on GAN), VAEPass (a password-guessing model based on VAE) and FLA (a password-guessing model based on LSTM), respectively. The repetition rate of our model is 25.9%, which is 45.1%, 31.7% and 17.4% lower than that of PassGAN, VAEPass and FLA, respectively. The results confirm that our approach not only improves the coverage rate but also reduces the repetition rate.