In this work, we investigate the effectiveness of deep-learning-based password guessing models for targeted attacks on human-chosen passwords. In recent years, service providers have raised the level of security of users' passwords by requiring more complex password composition patterns and by using computationally expensive hash functions. For attackers this means a reduced number of available guessing attempts, which makes it necessary to target their guesses by exploiting a victim's publicly available information. In this work, we introduce a context-aware password guessing model that better captures attackers' behavior. We demonstrate that knowing a victim's email address is already critical to compromising the associated password and provide an in-depth analysis of the relationship between the two. We also show the potential of such models to identify clusters of users based on their password generation behaviour, which can spot fake profiles and populations more vulnerable to context-aware guesses. The code is publicly available at https://github.com/spring-epfl/DCM_sp
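To make the abstract's argument concrete, the following is an added illustration, not the paper's deep-learning model and not code from the linked repository. It contrasts two guessing strategies under a fixed budget of attempts: a deliberately simple context-aware guesser that derives candidates from the victim's email local part (tokens, letters-only stems, capitalisation, digits taken from the address plus a few common suffixes), and a fixed generic top list. The accounts, the generic list and the suffix list are all constructed for the example; the model it stands in for is only a hand-written mangling rule, chosen to show why a small guess budget pushes an attacker toward context rather than to reproduce the paper's results.

```python
import re

# Constructed (email, password) pairs for the example; not from any real leak.
SAMPLE_ACCOUNTS = [
    ("john.smith84@example.com", "johnsmith84"),
    ("maria_lopez@example.org", "Lopez1"),
    ("alice@example.net", "Password1"),
    ("dave_k@example.com", "qwerty"),
    ("kevin.wong@example.com", "kevin2020"),
    ("bob@example.com", "football"),
]

# Constructed stand-in for a frequency-ordered generic wordlist.
GENERIC_TOP = ["123456", "password", "qwerty", "football", "Password1", "letmein"]

# Assumed common suffixes; a real attacker would learn these from data.
SUFFIX_BASE = ["1", "123", "!", "2020", "2021"]


def context_candidates(email, min_len=4):
    """Hypothetical context-aware guesser: candidates derived from the local part.

    Order is deterministic so that a candidate's position is its guess rank.
    """
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[._\-+]", local) if t]
    digits = re.findall(r"\d+", local)
    stems = [local, re.sub(r"[^a-z]", "", local)]          # whole local part, letters only
    stems += tokens                                        # e.g. "john", "smith84"
    stems += [re.sub(r"[^a-z]", "", t) for t in tokens]    # e.g. "smith"
    suffixes = [""] + digits + SUFFIX_BASE                 # digits seen in the address first
    seen, out = set(), []
    for stem in stems:
        if not stem:
            continue
        for variant in (stem, stem.capitalize()):
            for suf in suffixes:
                cand = variant + suf
                if len(cand) >= min_len and cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def generic_candidates(email):
    """Untargeted strategy: the same list for every victim."""
    return list(GENERIC_TOP)


def combined_candidates(email, context_share=48):
    """Spend the first part of the budget on context, the rest on the generic list."""
    return context_candidates(email)[:context_share] + generic_candidates(email)


def guess_rank(candidates, password):
    """1-based position of the first exact match, or None if never guessed."""
    for rank, cand in enumerate(candidates, start=1):
        if cand == password:
            return rank
    return None


def count_cracked(accounts, strategy, budget):
    """Number of accounts whose password falls within the first `budget` guesses."""
    return sum(
        1 for email, pw in accounts
        if guess_rank(strategy(email)[:budget], pw) is not None
    )


def classify(email, password, budget):
    """Crude behavioural cluster: does the password derive from the email,
    from a popular generic choice, or from neither within the budget?"""
    if guess_rank(context_candidates(email)[:budget], password) is not None:
        return "context"
    if guess_rank(generic_candidates(email)[:budget], password) is not None:
        return "generic"
    return "neither"


if __name__ == "__main__":
    budget = 64
    for name, strategy in [("context", context_candidates),
                           ("generic", generic_candidates),
                           ("combined", combined_candidates)]:
        print(f"{name:>8}: {count_cracked(SAMPLE_ACCOUNTS, strategy, budget)}/{len(SAMPLE_ACCOUNTS)}")
    for email, pw in SAMPLE_ACCOUNTS:
        print(f"{email:<28} {classify(email, pw, budget)}")
```

On the constructed sample, the two strategies crack disjoint halves of the accounts within 64 guesses, and the combined strategy cracks all of them; the classify function's labels are the crude analogue of the behavioural clusters the abstract mentions (accounts whose password is tied to the address versus accounts drawn from the generic mass). With a slow hash limiting the attacker to a few dozen attempts per account, the ordering of those first guesses, not the size of the wordlist, decides the outcome.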