Password security hinges on an accurate understanding of the techniques adopted by attackers. However, current studies mostly rely on probabilistic password models that are imperfect proxies of real-world guessing strategies. The main reason is that attackers rely on very pragmatic approaches such as dictionary attacks. Unfortunately, it is inherently difficult to correctly model those methods. To be representative, dictionary attacks must be thoughtfully configured according to a process that requires expertise that cannot be easily replicated in password studies. The consequence of inaccurately calibrating those attacks is the unreliability of password security estimates, impaired by measurement bias. In the present work, we introduce new guessing techniques that make dictionary attacks consistently more resilient to inadequate configurations. Our framework allows dictionary attacks to self-heal and converge towards optimal attack performance, requiring no supervision or domain knowledge. To achieve this: (1) We use a deep neural network to model and then simulate the proficiency of expert adversaries. (2) Then, we introduce automatic dynamic strategies within dictionary attacks to mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge about their targets. Our techniques enable robust and sound password strength estimates, eventually reducing bias in modeling real-world threats in password security.