Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks

Speaker/Bio

Vijay Thakkar is a rising junior in the College of Engineering studying computer engineering. He is in Boston over the summer doing research under the UROP program. His main area of interest is deep learning and its potential applications in automation, which is the focus of his summer research: generating structured and coherent music using WaveNet. His interest in cybersecurity is mostly due to how "cool" but also applicable it is, especially now that big data and IoT, two things that are going to affect deep learning the most, are also major cybersecurity issues.

Abstract

Passwords pose an interesting dilemma for most of the general population: short, simple passwords are easy to brute-force or common enough to be found in a rainbow table, while long passwords that are easy to remember are hard to crack. However, passwords of either type are vulnerable to guessing attacks. Existing approaches for evaluating password strength by modeling adversarial password guessing are either inaccurate or orders of magnitude too large and too slow for real-time, client-side password checking. This paper from Carnegie Mellon University by William Melicher et al. proposes using neural networks to model password guessability and shows how different network architectures and training methods affect the guessing effectiveness of the model. The model is shown to be better at guessing passwords than other state-of-the-art approaches such as Markov models and probabilistic context-free grammars. The model is also shown to be highly compressible without a substantial decrease in its effectiveness. The authors also provide a proof-of-concept lightweight JavaScript client-side model that can analyze the guessing resilience of a password against a guessing attack of arbitrary duration within a matter of seconds.

Reference