In this work, we investigate the effectiveness of deep-learning-based password guessing models for targeted attacks on human-chosen passwords. In recent years, service providers have increased the level of security of users' passwords. This is done by requiring more complex password generation patterns and by using computationally expensive hash functions. For attackers this means a reduced number of available guessing attempts, which introduces the necessity to target their guesses by exploiting a victim's publicly available information. In this work, we introduce a context-aware password guessing model that better captures attackers' behavior. We demonstrate that knowing a victim's email address is already critical in compromising the associated password and provide an in-depth analysis of the relationship between them. We also show the potential of such models to identify clusters of users based on their password generation behaviour, which can spot fake profiles and populations more vulnerable to context-aware guesses. The code is publicly available at https://github.com/spring-epfl/DCM_sp