Although passwords remain the primary defense against unauthorized access, users often tend to use passwords that are easy to remember. This behavior significantly increases security risks, also due to the fact that traditional password strength evaluation methods are often inadequate. In this discussion paper, we present soda advance, a data reconstruction tool also designed to enhance evaluation processes related to the password strength. In particular, soda advance integrates a specialized module aimed at evaluating password strength by leveraging publicly available data from multiple sources, including social media platforms. Moreover, we investigate the capabilities and risks associated with emerging Large Language Models (LLMs) in evaluating and generating passwords, respectively. Experimental assessments conducted with 100 real users demonstrate that LLMs can generate strong and personalized passwords possibly defined according to user profiles. Additionally, LLMs were shown to be efective in evaluating passwords, especially when they can take into account user profile data.
Traditional password strength assessments often fall short, as they focus on static syntax rules
without considering the semantic context of user choices. Indeed, users generally choose
passwords by using keywords easy to remember. However, since much personal information is
shared on social networks, attackers can exploit these details to infer user passwords. Thus,
through data reconstruction tools, it is possible to reconstruct information semantically related
to a context close to users [
new module for evaluating password strength based on information publicly available on social
networks. This module exploits some approaches such as cupp [
impact the capabilities of LLMs to generate and evaluate password strength?
2. Combining soda advance and LLMs for Evaluating Passwords
combine the capabilities of LLMs1 (e.g., Google Gemini, ChatGPT, Claude, Dolly, Falcon, and
soda advance Tool. The soda advance tool evaluates password strength based on reconstructed personal data from social networks. The soda advance pipeline (see Figure 1) starts with basic user information, i.e., name and photo as input ( 1 ). It then extracts public data from
uses facial recognition to verify the user’s identity across all platforms ( 3 ). Finally, it merges
the extracted information ( 4 ) and evaluates the strength of the provided password based on
the reconstructed data ( 5 ). The evaluation module in soda advance uses four methods (i.e.,
cupp, leet, coverage and force) and a new metric cps that combines their results to provide a
cumulative value in the range [
capabilities of LLMs to generate strong passwords based on specific information provided by users. The process begins with the generation of passwords using LLMs, where each template creates a set of strong but memorable passwords based on user input. The generated passwords are then evaluated with the soda advance module, which analyzes their strength. Consequently, each password is labeled as weak or strong according to the strength score.
strength of passwords by also considering their semantics in relation to user data. The process begins by generating strong passwords using the best LLM of the Generation Pipeline.
www.llama.meta.com NAME SURNAME ...
USER PHOTO 3 3 3 4
NAME George Smith OCraITnYge 1/2D3A/1T9E94 UniveErDsiUtyCoAfTCIOalNifornia
... 4 5
Face Recognition 3 PPRROOFFIILLEEPPHHOOTTOO MERGING
...... 1 NAME CITY
George Smith Orange, California ...
3 2 CLEUEPTPSODCAOFVOERRCAEGE 31 ONCrAaITMnYgEe 1/2D3A/1T9E94..G.eUonrgiveeESrDsmiUtyiCthoAfTCIOalNifornia a, A: @,4; b, B: 3, 8;
... i, I: 1, |;
... z,Z: 2, %; LEET: 0.33
.. .. WEI1GHT
Orange123 Orange123
COVERAGE: 0.67 FORCE: 0.47 6 EVALUATION 66
6 4
5 5 LLMs
TYPE PASSWORDS
OrangeSystems23 ......... Male...S....y..stems*?
GeorgeCali1023 Syst3msSm1th@
Parsing
new prompt is generated to evaluate their strength. The evaluation involves submitting the
user data along with the generated passwords to an LLM, which then assigns each password a
numerical strength score. Finally, passwords are categorized as weak or strong according to
obtained score. Details concerning the above-described pipelines can be found in [
ing passwords required the definition of an ad-hoc prompting function, namely password-generation, as shown in the following.
On the basis of the following personal information: [Name: George], [Surname: Smith], [City: Orange, California], [Date: 10/23/1994]. Could you generate a set of passwords that do not have to directly contain personal data, but must be easy for the user to memorize?
at several steps. Among these, we defined a new function prompt-generation to ask each LLM to automatically generate prompts for password evaluation and a new function parsing-prompt to ask each LLM to provide a strength score for each textual description. These prompts enabled us to automatically create a new prompting function, namely evaluate-password for each LLM involved in our study. An example of the prompt automatically generated for ChatGPT follows:
User information: [Name: George], [Surname: Smith], [City: Orange, California], [Date: 10/23/1994], [Education: University of California]. For each line containing a password that I could use for a social network account, give me an answer for each of them and write whether the password can be considered secure or not, giving secure or not secure. Assess the password’s strength using the information supplied by the user, considering factors like its length and ability to resist guessing techniques. Passwords: [OrangeSystems23], [MaleSystems*?], [GeorgeCali1023], [C@liforn1Sm1th49], [Syst3msSm1th@], [0r@nge@n3@]
the use of some of the previous prompting functions, and the definition of new ones to explain the metrics (i.e., understanding-metrics) to LLMs and evaluate the password, by also considering the results of soda advance. We manually defined two new prompting functions following the
passwords for each LLMs, by means of metrics-prompt-generation function. Starting from the generated function eval, we automatically generate a new specific prompt is provided to each LLM.
User information: [Name: George, Surname: Smith, City: Orange, California, Date: 10/23/1994]
Passwords Evaluation Results: Password; Force; Leet; Coverage; CUPP; CPS
OrangeSystems; 23; 57; 57; 0; 0.45
MaleSystems*?; 27; 2; 71; 1; 1 GeorgeCali1023; 63; 12; 76; 0; 0.50
C@liforn1Sm1th49; 65; 0; 83; 0; 0.49 Please assess the security of each password listed. Using the user information provided, analyze the password strength based on the following methods: Leet Coverage, Force, CUPP, and Cumulative Password Strength. Upon evaluation, please provide a response of Strong if the password is deemed suficiently strong and efectively safeguards the user’s information based on the provided data, or Weak if the password could potentially be compromised or guessed based on the available details.
The experiments in this study aim to evaluate how password strength can be afected by the information publicly available on social network platforms from both syntactical and semantic perspectives. To this end, we investigate the behavior of soda advance and generative LLMs following the three diferent pipelines discussed in the previous section. We involved 100 users, each of whom filled out an information survey and an authorization form for profiling their social network using soda advance. Among the questions submitted to users, we required their name, surname, and a photo. The collected data is used as starting points of the evaluation.
server side and using web programming frameworks for graphical interfaces. Concerning LLMs, we adopt ChatGPT 3.5.5, Claude 2.1, LLaMa 2024.2.19.1, Falcon in its version at 40B, Google
passwords we used two diferent tools (i.e., Passat and Node-password-analyzer)2. Furthermore,
to make a comparative evaluation with soda advance, we use the Zxcvbn library [
patterns in the generation of strong passwords, with variations in syntactical complexity and the combination of letters/characters. Thus, to evaluate the strength of passwords we used the new metric cps of soda advance. In average, we obtained that Claude, Google Gemini, and
the other hand, Dolly, LLaMa, and Falcon have generated more weak passwords, achieving a score of 0.65, 0.66, and 0.66, respectively. This is probably due to their tendency to generate repetitive or predictable passwords, using recurring and easily guessable patterns. RQ2. Starting from the values provide by cps, we consider a password as strong when its strength score is greater than or equal to 0.55, weak otherwise. Those, we are able to get a binary evaluation of passwords and compare the results achieved by LLMs with those achieved by methods proposed in the state-of-the-art. By considering the average value achieved by each LLM, Claude obtained the highest values for accuracy, precision, recall, and F1-score, i.e., 0.75, 0.76, 0.75, and 0.75, respectively. The high precision score indicates that it has a low rate of False Positive, meaning that it correctly identifies strong passwords with a high degree of confidence. To further investigate if the ensemble of diferent LLMs improves the values of metrics, we considered two diferent ensembles: ) including all the LLMs and ) including the three LLMs with the highest scores; but both performed lower than Claude.
strength evaluations significantly improved with respect to scenario in which a few user data is provided to LLMs. Compared to the latter scenario, the inclusion of broader personal information led to better performance across most models. For instance, Falcon improved its precision from 0.48 to 0.77 and ChatGPT reached high scores in accuracy, precision, recall, and F1-score. Instead, Claude showed the best overall performance (i.e., accuracy equal to 0.77 and precision equal to 0.89). Ensemble models also benefited, likely due to the enhanced performance of individual LLMs. These improvements suggest that public social media data provides valuable context, allowing LLMs to make more accurate assessments. However, this also raises privacy concerns: as more personal data becomes accessible, users face increased risks. LLMs could be exploited by attackers to guess passwords based on publicly shared information. This highlights the importance of strong privacy settings, secure password practices, and the need for clear ethical and legal guidelines regarding the use of LLMs.
as well as the efectiveness of soda advance in assessing password strength, we analyzed the medium-security passwords and compared the results with state-of-the-art tools.
Medium Password Strength evaluation. Starting from the initial dataset provided by 100 users, we generated a set of 30 passwords for each user using the prompt password-generation. The values of cps obtained for medium-strength passwords generated by LLMs and evaluated through soda advance range between 0.36 and 0.60. In particular, Claude, Google Gemini, and ChatGPT outperform all other LLMs achieving the highest number of medium passwords. Then, to assess the evaluation capabilities of LLMs and soda advance, we asked each model to evaluate each password. By using the evaluation pipeline, the classification task involving multiple labels (i.e., weak, medium, strong), significantly reduced the performance of all LLMs with respect to the binary classification task (i.e., weak and strong). In particular, we have noticed that most of the passwords correctly evaluated were weak passwords, containing recurrent patterns and combinations of user data. Instead, LLMs were not able to discriminate passwords between strong and medium levels. Conversely, with the data reconstruction and password evaluation pipeline, the overall performance was higher, demonstrating that Claude outperformed all other
Comparative evaluation with state-of-the-art tools. We performed a comparison with soda advance and some of the most recent tools for password evaluation available in the state-ofthe-art, i.e., Zxcvbn, CKL_PSM, and Semantic PCFG. In order to be able to compare the values obtained from the library and tools with those of the evaluation module of soda advance, we uniform the ranges to fit the strength of the passwords in three categories, weak, medium, and strong. For the purposes of our evaluation, we extracted a random sample of 250 passwords, ranging in length from 8 to 25 characters. Figure 3 shows the results of soda advance, CKL_PSM, Zxcvbn, and Semantic PCFG on the considered set of passwords. As we can see, most of the passwords have been classified as medium by all tools, and only a few of them as strong. soda advance has demonstrated good capabilities of evaluation for the passwords containing these types of information, classifying them as weak. Moreover, soda advance classified as 180 36
34 CKL_PSM 65 152 61
165 33
24 Zxcvbn
Semantic PCFG medium some passwords consisting of simple dictionary words not semantically linked to users.
By summarizing, we have noticed that no model excels at evaluating password strength. As we expected, soda advance demonstrated good evaluation capabilities for passwords that contain some user information but overestimates the complexity of passwords when they contain words not semantically linked to the user. On the other hand, tools that evaluate passwords based on crack attempts often underestimate the strength of passwords with complex syntax if they contain information related to the user. However, as also demonstrated for LLMs, considering the problem of evaluating password strength based on semantics with three levels of strength is extremely more dificult and the evaluations are less accurate.
Evaluating passwords with a state-of-the-art model. To further investigate the
passwordgeneration capabilities of LLMs, we evaluated the strength of the passwords with PassBERT
[
We have investigated the threats related to the definition of password when users publicly share their data on social network platforms. To this end, we have first proposed a new data reconstruction tool, namely soda advance, capable of reconstructing public user data and evaluating a password according to them. Moreover, we have designed three diferent pipelines aiming to evaluate the performance of emerging LLMs, in the generation of strong passwords and the evaluation of their strength by a new ad-hoc prompting functions based on automatic and manual prompt engineering approaches. The experimental evaluations with real users have shown that Claude revealed good capabilities in generating strong passwords and evaluating password strength based on user data. Moreover, the combination of LLMs with the soda advance tool has led to significant improvements in the password evaluation process with LLMs. To further investigate the efectiveness of LLMs and soda advance in password generation and evaluation, we compared it with state-of-the-art approaches. The results highlight that LLMs do not perform well in the generation of medium-level passwords.
it has been shown that a very small percentage of strong passwords generated by LLMs succeed in being leaked by PassBERT’s TPG model.
The methodologies and results obtained in this study open the research in several new directions. Future research could investigate in-depth the understanding and mitigation of threats, including exploring alternative approaches to password management and authentication in the context of widespread public data availability. In addition, further investigation could focus on enhancing the capabilities of the data reconstruction tool to extract a large set of public information from other Web platforms. Moreover, password strength assessment can be further explored using LLM by investigating the efectiveness of models trained specifically for this problem. Finally, emerging trends related to LLMs require further investigation for a better understanding of how these models treat personal information and whether they comply with