Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries.

Password security hinges on an accurate understanding of the techniques adopted by attackers. Unfortunately, real-world adversaries resort on pragmatic guessing strategies such as dictionary attacks that are inherently difficult to model in password security studies. In order to be representative of the actual threat, dictionary attacks must be thoughtfully configured and tuned. However, this process requires a domain-knowledge and expertise that cannot be easily replicated by researchers and security practitioners. The consequence of inaccurately calibrating those attacks is the unreliability of password security analyses, impaired by a severe measurement bias. In the present work, we introduce new guessing techniques that make dictionary attacks consistently more resilient to inadequate configurations. Our framework allows dictionary attacks to self-heal and converge towards optimal attacks' performance, requiring no supervision or domain-knowledge. To achieve this: (1) we use a deep neural network to model and then simulate the proficiency of expert adversaries. (2) Then, we introduce dynamic guessing strategies within dictionary attacks. These mimic experts' ability to adapt their guessing strategies on the fly by incorporating knowledge on their targets. Our techniques enable more robust and sound password strength estimates within dictionary attacks, eventually reducing bias in modeling real-world threats in password security.