A recent study from the University of Cagliari and the University of Salerno has uncovered significant risks associated with user passwords that are shaped by publicly available social media data. The research highlights how easily personal information can be reconstructed from social media profiles and how this information affects the strength and security of user passwords.

The team developed a tool called SODA ADVANCE, which is designed to analyze the relationship between publicly accessible data and password strength. This tool compiles user profiles from social media platforms such as Facebook, Instagram, and LinkedIn, utilizing facial recognition technology to merge data from different accounts. By doing so, SODA ADVANCE reconstructs a comprehensive profile for each user, enabling the evaluation of passwords against a new metric known as Cumulative Password Strength.

Understanding Password Vulnerabilities Through Social Media

In their experiments, the researchers recruited 100 volunteers who provided their name, surname, and a photograph. Using this limited information, SODA ADVANCE was able to locate matching profiles across various social media platforms and construct a unified profile. Once the profile was complete, the tool assessed the strength of each user's password, scoring it between 0 and 1 based on its syntax and its links to publicly available traits.

The research team then employed several large language models (LLMs) to assess how well these models could generate and evaluate passwords influenced by the reconstructed personal data. Among the LLMs tested were Claude, ChatGPT, Google Gemini, Dolly, LLaMa, and Falcon. In the initial phase, the models were tasked with creating strong and memorable passwords based on user details, deliberately avoiding the direct reuse of that information.

The results revealed that Claude produced the strongest average score at 0.82, followed by Gemini at 0.75 and ChatGPT at 0.74. Conversely, Dolly, LLaMa, and Falcon generated weaker passwords with average scores of 0.65 to 0.66. The lower scores were attributed to repetitive structures and guessable patterns, while the best results came from models that employed varied syntax and avoided obvious connections to user data.

Evaluating Password Strength with Personal Context

In the second phase of the research, the models were asked to evaluate password strength when provided with reconstructed user information alongside both strong and weak passwords. Claude again excelled with an accuracy rate of 0.75 across various metrics, including precision and recall. The study examined how model performance improved when richer personal data was included. For instance, Falcon’s precision increased dramatically from 0.48 to 0.77 when presented with full user profiles.

These findings underscore the importance of context in password security. Passwords that included hints of birthdays, locations, or hobbies were more easily flagged as risky when the models had access to relevant personal information. This suggests that LLMs become significantly more effective at identifying vulnerable passwords when supplied with comprehensive user data.

To further understand SODA ADVANCE’s effectiveness, the researchers compared it to common password strength tools by analyzing 250 passwords from leaked datasets. While most tools classified the passwords into medium strength categories, SODA ADVANCE frequently identified those linked to personal information as weak. This discrepancy illustrates a critical flaw in traditional password strength assessments, which often prioritize complexity over the connection between a password and the user’s online presence.
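The two scoring ideas the article mentions, a syntax-only score of the kind most strength meters compute, and a score that also penalizes fragments drawn from a user's public profile, can be made concrete with a small checker. The following Python is an added example written for this page; it is not SODA ADVANCE, not the study's Cumulative Password Strength metric, and not code from the research team. The profile fields, the sample profile values, the leet-speak normalization table, the 80-bit scaling and the per-match penalty are all constructed assumptions chosen to make the contrast visible, and a real deployment would source the profile tokens from the organization's own identity data (display name, e-mail local part, employer, known birthdays) rather than from scraped social media.

```python
import math
import re

# Constructed sample profile of the kind a profile-reconstruction tool would
# assemble from public posts. Entirely fictional; field names are my own.
SAMPLE_PROFILE = {
    "first_name": "Maria",
    "surname": "Rossi",
    "birthday": "1991-07-14",
    "city": "Cagliari",
    "pet": "Luna",
    "hobby": "surfing",
    "employer": "ExampleCorp",
}

# Assumed leet-speak substitutions folded back to letters so that
# "M4r1a" and "maria" compare equal. Extend as needed.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(s: str) -> str:
    """Lower-case and undo common leet substitutions."""
    return s.lower().translate(LEET_MAP)


def profile_tokens(profile: dict) -> set:
    """Expand a profile into the fragments a password is likely to reuse:
    every word of 3+ characters plus date-derived digit groups."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s\-_/]+", str(value)):
            if len(part) >= 3:
                tokens.add(part.lower())
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})$", str(profile.get("birthday", "")))
    if m:
        y, mo, d = m.groups()
        # YYYY, DDMM, MMDD, DDMMYY: the usual ways a birthday lands in a password
        tokens.update({y, d + mo, mo + d, d + mo + y[2:]})
    return tokens


def syntactic_score(password: str) -> float:
    """Complexity-only score in [0, 1]: length times log2 of the character pool,
    scaled so that an assumed 80 bits maps to 1.0. This is what a traditional
    meter sees; it knows nothing about the user."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    if not password or pool == 0:
        return 0.0
    bits = len(password) * math.log2(pool)
    return min(1.0, bits / 80.0)


def personal_matches(password: str, profile: dict) -> list:
    """Profile fragments that appear in the (normalized) password."""
    norm = normalize(password)
    return sorted(t for t in profile_tokens(profile) if normalize(t) in norm)


def cumulative_strength(password: str, profile: dict) -> dict:
    """Context-aware score: the syntactic score is discounted by 0.4 per
    profile-linked fragment (assumed weight, capped at a 90% discount), so a
    long, mixed-class password built from public facts still ends up weak."""
    base = syntactic_score(password)
    matches = personal_matches(password, profile)
    penalty = min(0.9, 0.4 * len(matches))
    score = round(base * (1.0 - penalty), 3)
    verdict = "weak" if score < 0.4 else "medium" if score < 0.7 else "strong"
    return {"syntax": round(base, 3), "matches": matches,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("MariaRossi1991!", "luna2014", "Tr0ub4dor&3"):
        print(pw, cumulative_strength(pw, SAMPLE_PROFILE))
```

Running it on the three constructed passwords shows the discrepancy the article describes: "MariaRossi1991!" saturates the syntax-only score because it is long and uses four character classes, yet it is rated weak once the name, surname and birth year are recognized; "luna2014" would pass as medium on syntax alone but is flagged through the pet's name; "Tr0ub4dor&3" has no profile overlap and keeps its syntactic rating. For policy enforcement the `matches` list is the useful output, since it tells the user which fragment to remove rather than just rejecting the password.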

In a final experiment, the researchers tested PassBERT, a model designed for targeted password guessing, against the passwords generated by the LLMs. Out of 25,000 passwords assessed, PassBERT successfully inferred only 22. This low number indicates that, despite being influenced by user characteristics, the generated passwords maintained a level of syntactic complexity that did not align with common guessing patterns.

The study emphasizes the urgent need for users to understand the implications of their social media presence on password security. As personal information becomes increasingly available, the risks associated with weak passwords are amplified. By utilizing tools like SODA ADVANCE, both individuals and organizations can better assess password strength and enhance their security measures in an evolving digital landscape.