Recent research from the University of Cagliari and the University of Salerno underscores the significant risks posed to user passwords by social media activity. The study introduces a tool called SODA ADVANCE, which reconstructs user profiles from public data to evaluate the strength of passwords. This innovative approach reveals how easily personal information can be exploited for password guessing, raising concerns for cybersecurity professionals.
The research team developed SODA ADVANCE to analyze public profiles on platforms such as Facebook, Instagram, and LinkedIn. By collecting minimal user information—specifically a name, surname, and a photo—the tool can generate comprehensive profiles. It utilizes facial recognition technology to merge data from different accounts, creating a unified view of an individual’s online presence. After reconstruction, SODA ADVANCE assesses passwords using a metric known as Cumulative Password Strength, which ranges from 0 to 1, reflecting both syntax and the connection between the password and the user’s publicly available traits.
The study involved 100 volunteers who provided their basic information. The researchers then tested various large language models (LLMs) including Claude, ChatGPT, Google Gemini, Dolly, LLaMa, and Falcon. The first phase required these models to generate strong yet memorable passwords based on the provided user details, avoiding direct reuse of that information. The results indicated that Claude produced the strongest passwords with an average score of 0.82, followed by Gemini at 0.75 and ChatGPT at 0.74. In contrast, Dolly, LLaMa, and Falcon yielded weaker passwords, averaging scores of 0.65 and 0.66.
The researchers found that the most effective passwords emerged from models that employed varied syntactic structures and avoided obvious links to user data. In contrast, models relying on repetitive patterns produced passwords that appeared sophisticated but were ultimately predictable.
In a second phase, the researchers evaluated the ability of LLMs to assess password strength when given reconstructed user data alongside a mix of strong and weak passwords. Claude excelled in this evaluation, achieving accuracy, precision, recall, and F1 scores of 0.75. Notably, when models were provided with more detailed user profiles, their performance improved significantly. For example, Falcon’s precision increased from 0.48 to 0.77, while ChatGPT demonstrated gains across all metrics. Claude maintained the lead with an accuracy of 0.77 and a precision of 0.89, showcasing the models’ enhanced capacity to identify risky passwords with more contextual information.
To contextualize SODA ADVANCE against existing password strength tools, the team analyzed 250 passwords from leaked datasets, categorizing them as weak, medium, or strong. The findings revealed that while most tools classified passwords as medium, SODA ADVANCE identified more passwords as weak when they contained personal information from the reconstructed profiles. This discrepancy highlights a critical gap in current password assessment methods, as many tools focus solely on complexity rather than the relationship between a password and the user’s online persona.
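An added illustration of the gap described above, not the researchers' code and not their Cumulative Password Strength formula (which the article does not give): a complexity-only score placed beside a score that also discounts overlap with a reconstructed profile. The profile, the 60-bit saturation point and the leetspeak mapping are assumptions made for this example.

```python
import math
import re

# Constructed sample profile of the kind SODA ADVANCE reconstructs from
# public social-media data; every value here is made up.
PROFILE = {"name": "Marco", "surname": "Rossi", "city": "Cagliari",
           "birth_year": "1991", "pet": "Luna", "employer": "Acme"}

def _charset_size(pw):
    """Alphabet size implied by the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"\d", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return size

def syntactic_score(pw):
    """Complexity-only score in [0, 1]: brute-force entropy, saturating at 60 bits."""
    if not pw:
        return 0.0
    return min(len(pw) * math.log2(_charset_size(pw)) / 60.0, 1.0)

def profile_tokens(profile):
    """Lower-cased tokens (3+ chars) a guesser could derive from the profile,
    plus a simple leetspeak variant of each (assumed mapping)."""
    tokens = set()
    for value in profile.values():
        v = value.lower()
        tokens.add(v)
        tokens.add(v.translate(str.maketrans("aeios", "43105")))
    return {t for t in tokens if len(t) >= 3}

def personal_overlap(pw, profile):
    """Fraction of password characters covered by profile-derived tokens."""
    low = pw.lower()
    covered = [False] * len(low)
    for tok in profile_tokens(profile):
        pos = low.find(tok)
        while pos != -1:
            covered[pos:pos + len(tok)] = [True] * len(tok)
            pos = low.find(tok, pos + 1)
    return sum(covered) / len(low) if low else 0.0

def profile_aware_score(pw, profile):
    """Score in [0, 1] that discounts syntactic strength by personal overlap."""
    return round(syntactic_score(pw) * (1.0 - personal_overlap(pw, profile)), 2)
```

"Marco1991!" and a random string of the same character classes both saturate the complexity-only score, but only the profile-aware score flags the first as weak.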
The final experiment tested the efficacy of PassBERT, a targeted password guessing model, against the strong passwords generated by the LLMs. Of the 25,000 passwords tested, PassBERT successfully inferred only 22. The researchers attributed this low number to the effective combination of semantic personalization and syntactic complexity in the generated passwords: although inspired by user characteristics, the models produced structures that diverged from common guessing patterns, reinforcing the need for more sophisticated password creation strategies.
This research highlights the vulnerabilities inherent in password security, particularly as social media continues to grow. As users increasingly share personal information online, tools like SODA ADVANCE demonstrate the urgent need for enhanced password security measures to mitigate the risks associated with easily guessable passwords.