2,005 research outputs found
Differentially Private Password Frequency Lists
Given a dataset of user-chosen passwords, the frequency list reveals the frequency of each unique password. We present a novel mechanism for releasing perturbed password frequency lists with rigorous security, efficiency, and distortion guarantees. Specifically, our mechanism is based on a novel algorithm for sampling that enables an efficient implementation of the exponential mechanism for differential privacy (naïve sampling is exponential time). It provides the security guarantee that an adversary will not be able to use this perturbed frequency list to learn anything of significance about any individual user\u27s password even if the adversary already possesses a wealth of background knowledge about the users in the dataset. We prove that our mechanism introduces minimal distortion, thus ensuring that the released frequency list is close to the actual list. Further, we empirically demonstrate, using the now-canonical password dataset leaked from RockYou, that the mechanism works well in practice: as the differential privacy parameter varies from to (smaller implies higher security), the normalized distortion coefficient (representing the distance between the released and actual password frequency list divided by the number of users ) varies from to . Given this appealing combination of security and distortion guarantees, our mechanism enables organizations to publish perturbed password frequency lists. This can facilitate new research comparing password security between populations and evaluating password improvement approaches. To this end, we have collaborated with Yahoo! to use our differentially private mechanism to publicly release a corpus of 50 password frequency lists representing approximately 70 million Yahoo! users. This dataset is now the largest password frequency corpus available. Using our perturbed dataset we are able to closely replicate the original published analysis of this data
Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data
We develop the first universal password model -- a password model that, once
pre-trained, can automatically adapt to any password distribution. To achieve
this result, the model does not need to access any plaintext passwords from the
target set. Instead, it exploits users' auxiliary information, such as email
addresses, as a proxy signal to predict the underlying target password
distribution. The model uses deep learning to capture the correlation between
the auxiliary data of a group of users (e.g., users of a web application) and
their passwords. It then exploits those patterns to create a tailored password
model for the target community at inference time. No further training steps,
targeted data collection, or prior knowledge of the community's password
distribution is required. Besides defining a new state-of-the-art for password
strength estimation, our model enables any end-user (e.g., system
administrators) to autonomously generate tailored password models for their
systems without the often unworkable requirement of collecting suitable
training data and fitting the underlying password model. Ultimately, our
framework enables the democratization of well-calibrated password models to the
community, addressing a major challenge in the deployment of password security
solutions on a large scale.Comment: v0.0
- …