PassGAN: A Deep Learning Approach for Password Guessing

State-of-the-art password guessing tools, such as HashCat and John the Ripper, enable users to check billions of passwords per second against password hashes. In addition to performing straightforward dictionary attacks, these tools can expand password dictionaries using password generation rules, such as concatenation of words (e.g., "password123456") and leet speak (e.g., "password" becomes "p4s5w0rd"). Although these rules work well in practice, expanding them to model further passwords is a laborious task that requires specialized expertise. To address this issue, in this paper we introduce PassGAN, a novel approach that replaces human-generated password rules with theory-grounded machine learning algorithms. Instead of relying on manual password analysis, PassGAN uses a Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses. Our experiments show that this approach is very promising. When we evaluated PassGAN on two large password datasets, we were able to surpass rule-based and state-of-the-art machine learning password guessing tools. However, in contrast with the other tools, PassGAN achieved this result without any a-priori knowledge on passwords or common password structures. Additionally, when we combined the output of PassGAN with the output of HashCat, we were able to match 51%-73% more passwords than with HashCat alone. This is remarkable, because it shows that PassGAN can autonomously extract a considerable number of password properties that current state-of-the art rules do not encode.Comment: This is an extended version of the paper which appeared in NeurIPS 2018 Workshop on Security in Machine Learning (SecML'18), see https://github.com/secml2018/secml2018.github.io/raw/master/PASSGAN_SECML2018.pd

A World Full of Privacy and Security (Mis)conceptions? Findings of a Representative Survey in 12 Countries

Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12, 351 participants in 12 countries on four continents. By investigating influencing factors of misconceptions around eight common security and privacy topics (including E2EE, Wi-Fi, VPN, and malware), we find the country of residence to be the strongest estimate for holding misconceptions. We also identify differences between non-Western and Western countries, demonstrating the need for region-specific research on user security knowledge, perceptions, and behavior. While we did not observe many outright misconceptions, we did identify a lack of understanding and uncertainty about several fundamental privacy and security topics

Talking to the Overlooked: A Nationwide Telephone Survey with Four Groups Under-represented in Privacy and Security Studies

Online surveys - a primary research tool in the field of usable security and privacy research - frequently rely on web-panel platforms. However, these platforms tend not to generalize well to specific user groups. Our study addresses this research gap by studying security and privacy perceptions of four under-represented groups. We conducted telephone interviews with n = 1003 participants in Germany: (I) teenagers aged 14-17, (II) older adults 70+, (III) people with low formal education, and (IV) people with migration background. We found these groups to be under-represented in our online comparison survey. We further identified target group-specific perceptions for each group compared to the general population, e.g., regarding their experiences with cybercrime, and provide detailed insight into the privacy and security knowledge and behavior of each group. Our findings underscore the effectiveness of telephone interviews and lay the foundation for further research on these groups

Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems

Why Unaccusatives Have it Easy: Reduced Relative Garden Path Effects and Verb Type

This paper provides a new account for why unaccusative verbs are easier to process than unergative verbs in the reduced relative garden path construction, as demonstrated in Stevenson and Merlo [1997]. Reanalysis to the passivized reduced relative clause form requires the verb to be causative. Stevenson and Merlo [1997] argued that unaccusatives are causativized in the lexicon, while unergatives are causativized in the syntax. This account argues instead that an independently attested co-occurrence restriction contributes to greater initial ambiguity in the unergative case; causative unergatives require an argument/directional attachment of prepositional phrase [Hoekstra, 1988, Levin and Rappaport-Hovav, 1995, Folli and Harley, 2006].We implement the unergative-PP co-occurrence restriction in Minimalist Grammars [Stabler, 1997]. We model the contribution of prepositional phrase ambiguity to unergative reduced relative ambiguity with Entropy Reduction [Hale, 2003]. We obtain greater Entropy Reductions for the unergative condition, modeling that human comprehenders are more taxed by compounded ambiguity

A Provably Secure and Efficient Countermeasure against Timing Attacks

We show that the amount of information about the key that an unknown-message attacker can extract from a deterministic side-channel is bounded from above by |O| \log_2 (n+1) bits, where n is the number of side-channel measurements and O is the set of possible observations. We use this bound to derive a novel countermeasure against timing attacks, where the strength of the security guarantee can be freely traded for the resulting performance penalty. We give algorithms that efficiently and optimally adjust this trade-off for given constraints on the side-channel leakage or on the efficiency of the cryptosystem. Finally, we perform a case-study that shows that applying our countermeasure leads to implementations with minor performance overhead and formal security guarantees