Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data

Undescribed Horrific Abuse, One Victim & Survivor of Many gmkarl at gmail.com
Sun Jun 18 15:01:07 PDT 2023


bumped into this while scrubbing briefly for metalearning information

https://arxiv.org/abs/2301.07628

We introduce the concept of "universal password model" -- a password
model that, once pre-trained, can automatically change its guessing
strategy based on the target system. To achieve this, the model does
not need to access any plaintext passwords from the target
credentials. Instead, it exploits users' auxiliary information, such
as email addresses, as a proxy signal to predict the underlying
password distribution. Specifically, the model uses deep learning to
capture the correlation between the auxiliary data of a group of users
(e.g., users of a web application) and their passwords. It then
exploits those patterns to create a tailored password model for the
target system at inference time. No further training steps, targeted
data collection, or prior knowledge of the community's password
distribution is required. Besides improving over current password
strength estimation techniques and attacks, the model enables any
end-user (e.g., system administrators) to autonomously generate
tailored password models for their systems without the often
unworkable requirements of collecting suitable training data and
fitting the underlying machine learning model. Ultimately, our
framework enables the democratization of well-calibrated password
models to the community, addressing a major challenge in the
deployment of password security solutions at scale.

