170 research outputs found

    Interpretable Probabilistic Password Strength Meters via Deep Learning

    Probabilistic password strength meters have been proved to be the most accurate tools to measure password strength. Unfortunately, by construction, they are limited to solely produce an opaque security estimation that fails to fully support the user during the password composition. In the present work, we move the first steps towards cracking the intelligibility barrier of this compelling class of meters. We show that probabilistic password meters inherently own the capability of describing the latent relation occurring between password strength and password structure. In our approach, the security contribution of each character composing a password is disentangled and used to provide explicit fine-grained feedback for the user. Furthermore, unlike existing heuristic constructions, our method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation. In our contribution: (1) we formulate the theoretical foundations of interpretable probabilistic password strength meters; (2) we describe how they can be implemented via an efficient and lightweight deep learning framework suitable for client-side operability. Comment: An abridged version of this paper appears in the proceedings of the 25th European Symposium on Research in Computer Security (ESORICS) 202

    On a generalization of the Dvoretzky-Wald-Wolfowitz theorem with an application to a robust optimization problem

    A generalization of the Dvoretzky-Wald-Wolfowitz theorem to the case of conditional expectations is provided assuming that the σ-field on the state space has no conditional atoms. Comment: 10 page

    Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data

    We develop the first universal password model -- a password model that, once pre-trained, can automatically adapt to any password distribution. To achieve this result, the model does not need to access any plaintext passwords from the target set. Instead, it exploits users' auxiliary information, such as email addresses, as a proxy signal to predict the underlying target password distribution. The model uses deep learning to capture the correlation between the auxiliary data of a group of users (e.g., users of a web application) and their passwords. It then exploits those patterns to create a tailored password model for the target community at inference time. No further training steps, targeted data collection, or prior knowledge of the community's password distribution is required. Besides defining a new state-of-the-art for password strength estimation, our model enables any end-user (e.g., system administrators) to autonomously generate tailored password models for their systems without the often unworkable requirement of collecting suitable training data and fitting the underlying password model. Ultimately, our framework enables the democratization of well-calibrated password models to the community, addressing a major challenge in the deployment of password security solutions on a large scale. Comment: v0.0

    Improving Password Guessing via Representation Learning

    Learning useful representations from unstructured data is one of the core challenges, as well as a driving force, of modern data-driven approaches. Deep learning has demonstrated the broad advantages of learning and harnessing such representations. In this paper, we introduce a deep generative model representation learning approach for password guessing. We show that an abstract password representation naturally offers compelling and versatile properties that can be used to open new directions in the extensively studied, and yet presently active, password guessing field. These properties can establish novel password generation techniques that are neither feasible nor practical with the existing probabilistic and non-probabilistic approaches. Based on these properties, we introduce: (1) A general framework for conditional password guessing that can generate passwords with arbitrary biases; and (2) an Expectation Maximization-inspired framework that can dynamically adapt the estimated password distribution to match the distribution of the attacked password set. Comment: This paper appears in the proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland) S&P 202

    The integration of 3D modeling and simulation to determine the energy potential of low-temperature geothermal systems in the Pisa (Italy) sedimentary plain

    Shallow, low-temperature geothermal resources can significantly reduce the environmental impact of heating and cooling. Based on a replicable standard workflow for three-dimensional (3D) geothermal modeling, an approach to the assessment of geothermal energy potential is proposed and applied to the young sedimentary basin of Pisa (north Tuscany, Italy), starting from the development of a geothermal geodatabase, with collated geological, stratigraphic, hydrogeological, geophysical and thermal data. The contents of the spatial database are integrated and processed using software for geological and geothermal modeling. The models are calibrated using borehole data. Model outputs are visualized as three-dimensional reconstructions of the subsoil units, their volumes and depths, the hydrogeological framework, and the distribution of subsoil temperatures and geothermal properties. The resulting deep knowledge of subsoil geology would facilitate the deployment of geothermal heat pump technology, site selection for well doublets (for open-loop systems), or vertical heat exchangers (for closed-loop systems). The reconstructed geological-hydrogeological models and the geothermal numerical simulations performed help to define the limits of sustainable utilization of an area's geothermal potential

    Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services

    Credential tweaking attacks use breached passwords to generate semantically similar passwords and gain access to victims' services. These attacks sidestep the first generation of compromised credential checking (C3) services. The second generation of compromised credential checking services, called Might I Get Pwned (MIGP), is a privacy-preserving protocol that defends against credential tweaking attacks by allowing clients to query whether a password or a semantically similar variation is present in the server's compromised credentials dataset. The desired privacy requirements include not revealing the user's entered password to the server and ensuring that no compromised credentials are disclosed to the client. In this work, we formalize the cryptographic leakage of the MIGP protocol and perform a security analysis to assess its impact on the credentials held by the server. We focus on how this leakage aids breach extraction attacks, where an honest-but-curious client interacts with the server to extract information about the stored credentials. Furthermore, we discover additional leakage that arises from the implementation of Cloudflare's deployment of MIGP. We evaluate how the discovered leakage affects the guessing capability of an attacker in relation to breach extraction attacks. Finally, we propose MIGP 2.0, a new iteration of the MIGP protocol designed to minimize data leakage and prevent the introduced attacks

    A non‑lethal method to assess element content in the endangered Pinna nobilis

    The fan shell Pinna nobilis is the largest bivalve endemic to the Mediterranean and is actually a strongly endangered species. Due to the biological, ecological, and historical relevance of this species, the research of a non-lethal method to relate the element content in organism’s tissues and environment can provide information potentially useful to evaluate environmental pollution and organism physiological status. In this study, a screening on element concentration in the animal growing environment (seawater and sediments) and in four soft tissues (hepatopancreas, gills, mantle, and muscle), and two acellular tissues (calcite shell layer, and byssus) was performed. The comparison among these results was used to assess whether the non-lethal acellular tissue element concentration can be used to reveal the element presence in the environment and soft tissues. Elements, such as B, Ag, As, Mn, Mo, Pb, or Se, showed a possible relationship between their presence in the byssus and soft tissues. In the byssus Cr, Sb, Sn, and V have shown to be mostly related to the environment, more than the soft tissues, and might be used to draw a historical record of the exposure of the organism. The element concentration in the calcite shell layer did not relate with environmental element concentrations. Essential elements, like Cu, Fe, Ni, and Zn, were present in calcite shell layer and byssus and are likely related to their biological activity in the organism. The research also gave an overview on the presence of pollution and on the preferential intake route of the element. In summary, this study, performed on a limited number of specimens of this protected species, indicated that element concentration in the byssus can be applied as non-lethal method to monitor this endangered species and its interaction with the elements in the growing environment

    Circulating haematopoietic and endothelial progenitor cells are decreased in COPD

    Circulating CD34+ cells are haemopoietic progenitors that may play a role in tissue repair. No data are available on circulating progenitors in chronic obstructive pulmonary disease (COPD). Circulating CD34+ cells were studied in 18 patients with moderate-to-severe COPD (age: mean+/-sd 68+/-8 yrs; forced expiratory volume in one second: 48+/-12% predicted) and 12 controls, at rest and after endurance exercise. Plasma concentrations of haematopoietic growth factors (FMS-like tyrosine kinase 3 (Flt3) ligand, kit ligand), markers of hypoxia (vascular endothelial growth factor (VEGF)) and stimulators of angiogenesis (VEGF, hepatocyte growth factor (HGF)) and markers of systemic inflammation (tumour necrosis factor (TNF)-alpha, interleukin (IL)-6, IL-8) were measured. Compared with the controls, the COPD patients showed a three-fold reduction in CD34+ cell counts (3.3+/-2.5 versus 10.3+/-4.2 cells.microL-1), and a 50% decrease in AC133+ cells. In the COPD patients, progenitor-derived haemopoietic and endothelial cell colonies were reduced by 30-50%. However, four COPD patients showed progenitor counts in the normal range associated with lower TNF-alpha levels. In the entire sample, CD34+ cell counts correlated with exercise capacity and severity of airflow obstruction. After endurance exercise, progenitor counts were unchanged, while plasma Flt3 ligand and VEGF only increased in the COPD patients. Plasma HGF levels were higher in the COPD patients compared with the controls and correlated inversely with the number of progenitor-derived colonies. In conclusion, circulating CD34+ cells and endothelial progenitors were decreased in chronic obstructive pulmonary disease patients and could be correlated with disease severity