PassGAN: A Deep Learning Approach for Password Guessing

State-of-the-art password guessing tools, such as HashCat and John the Ripper, enable users to check billions of passwords per second against password hashes. In addition to performing straightforward dictionary attacks, these tools can expand password dictionaries using password generation rules, such as concatenation of words (e.g., "password123456") and leet speak (e.g., "password" becomes "p4s5w0rd"). Although these rules work well in practice, expanding them to model further passwords is a laborious task that requires specialized expertise. To address this issue, in this paper we introduce PassGAN, a novel approach that replaces human-generated password rules with theory-grounded machine learning algorithms. Instead of relying on manual password analysis, PassGAN uses a Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses. Our experiments show that this approach is very promising. When we evaluated PassGAN on two large password datasets, we were able to surpass rule-based and state-of-the-art machine learning password guessing tools. However, in contrast with the other tools, PassGAN achieved this result without any a priori knowledge of passwords or common password structures. Additionally, when we combined the output of PassGAN with the output of HashCat, we were able to match 51%-73% more passwords than with HashCat alone. This is remarkable, because it shows that PassGAN can autonomously extract a considerable number of password properties that current state-of-the-art rules do not encode.

Comment: This is an extended version of the paper which appeared in the NeurIPS 2018 Workshop on Security in Machine Learning (SecML'18), see https://github.com/secml2018/secml2018.github.io/raw/master/PASSGAN_SECML2018.pd

A World Full of Privacy and Security (Mis)conceptions? Findings of a Representative Survey in 12 Countries

Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12,351 participants in 12 countries on four continents. By investigating influencing factors of misconceptions around eight common security and privacy topics (including E2EE, Wi-Fi, VPN, and malware), we find the country of residence to be the strongest predictor of holding misconceptions. We also identify differences between non-Western and Western countries, demonstrating the need for region-specific research on user security knowledge, perceptions, and behavior. While we did not observe many outright misconceptions, we did identify a lack of understanding and uncertainty about several fundamental privacy and security topics.

Talking to the Overlooked: A Nationwide Telephone Survey with Four Groups Under-represented in Privacy and Security Studies

Online surveys - a primary research tool in the field of usable security and privacy research - frequently rely on web-panel platforms. However, these platforms tend not to generalize well to specific user groups. Our study addresses this research gap by studying the security and privacy perceptions of four under-represented groups. We conducted telephone interviews with n = 1003 participants in Germany: (I) teenagers aged 14-17, (II) older adults 70+, (III) people with low formal education, and (IV) people with a migration background. We found these groups to be under-represented in our online comparison survey. We further identified target group-specific perceptions for each group compared to the general population, e.g., regarding their experiences with cybercrime, and provide detailed insight into the privacy and security knowledge and behavior of each group. Our findings underscore the effectiveness of telephone interviews and lay the foundation for further research on these groups.

Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error, with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.

Why Unaccusatives Have it Easy: Reduced Relative Garden Path Effects and Verb Type

This paper provides a new account for why unaccusative verbs are easier to process than unergative verbs in the reduced relative garden path construction, as demonstrated in Stevenson and Merlo [1997]. Reanalysis to the passivized reduced relative clause form requires the verb to be causative. Stevenson and Merlo [1997] argued that unaccusatives are causativized in the lexicon, while unergatives are causativized in the syntax. This account argues instead that an independently attested co-occurrence restriction contributes to greater initial ambiguity in the unergative case; causative unergatives require an argument/directional attachment of a prepositional phrase [Hoekstra, 1988, Levin and Rappaport-Hovav, 1995, Folli and Harley, 2006]. We implement the unergative-PP co-occurrence restriction in Minimalist Grammars [Stabler, 1997]. We model the contribution of prepositional phrase ambiguity to unergative reduced relative ambiguity with Entropy Reduction [Hale, 2003]. We obtain greater Entropy Reductions for the unergative condition, modeling that human comprehenders are more taxed by compounded ambiguity.

A Provably Secure and Efficient Countermeasure against Timing Attacks

We show that the amount of information about the key that an unknown-message attacker can extract from a deterministic side-channel is bounded from above by |O| \log_2 (n+1) bits, where n is the number of side-channel measurements and O is the set of possible observations. We use this bound to derive a novel countermeasure against timing attacks, where the strength of the security guarantee can be freely traded for the resulting performance penalty. We give algorithms that efficiently and optimally adjust this trade-off for given constraints on the side-channel leakage or on the efficiency of the cryptosystem. Finally, we perform a case study that shows that applying our countermeasure leads to implementations with minor performance overhead and formal security guarantees.