Select Language

SODA ADVANCE: Password Strength Analysis via Social Network Data and LLMs

A research paper analyzing password strength through social network data exposure, combining data reconstruction tools like SODA ADVANCE with the capabilities and risks of Large Language Models.
strongpassword.org | PDF Size: 0.8 MB
Rating: 4.5/5
Your Rating
You have already rated this document
PDF Document Cover - SODA ADVANCE: Password Strength Analysis via Social Network Data and LLMs
View PDF Document Download PDF Translate PDF
Home » Documentation » SODA ADVANCE: Password Strength Analysis via Social Network Data and LLMs

1. Introduction

Passwords remain the primary defense against unauthorized access, yet user behavior often prioritizes memorability over security. Traditional password strength checkers, which rely on static syntax rules (e.g., length, character variety), fail to account for the semantic context of user choices. Users frequently derive passwords from personal information—names, birthdays, hobbies—much of which is now publicly available on social media platforms.

This paper introduces SODA ADVANCE, a data reconstruction tool extended with a module for evaluating password strength by leveraging publicly available social network data. Furthermore, it investigates the dual-edged role of Large Language Models (LLMs): as a potential asset for generating strong, personalized passwords and evaluating security, and as a significant threat if misused for password cracking.

The research is guided by three key questions (RQs): Can LLMs generate complex yet memorable passwords based on public data (RQ1)? Can they effectively evaluate password strength considering personal information (RQ2)? And how does data spread across multiple networks affect these capabilities (RQ3)?

2. The SODA ADVANCE Framework

SODA ADVANCE is an evolution of the SODA tool, specifically designed to assess password vulnerability by reconstructing a user's digital footprint from public sources.

2.1. Core Architecture & Modules

The framework's architecture, as depicted in Figure 1 of the PDF, involves several integrated modules:

  • Data Aggregation: Web crawlers and scrapers harvest publicly available user data (profile info, posts, photos) from multiple social networks.
  • Data Reconstruction & Merging: Information from disparate sources is merged to build a comprehensive user profile. Techniques like face recognition can link profile photos to other identities.
  • Password Strength Module: The core analysis module takes an input password and the reconstructed user profile to evaluate strength using multiple metrics.

Chart Description (Figure 1 Overview): The diagram illustrates a pipeline starting with data collection (Web Crawler/Scraper) from social networks, leading to a merging module (Face Recognition, Data Merging). The reconstructed profile (containing NAME, SURNAME, CITY, etc.) and an INPUT PASSWORD feed into an aggregating module that calculates metrics (CUPP, LEET, COVERAGE, FORCE, CPS) and outputs a strength score, visualized with a weight scale tipping towards "YES" or "NO."

2.2. Password Strength Metrics

SODA ADVANCE employs and extends several established metrics:

  • CUPP (Common User Password Profiler): Checks if a password is found in common dictionaries or patterns related to the user (score: 1 if common, else lower).
  • LEET Speak Transformation: Evaluates resistance to simple character substitutions (e.g., a→@, e→3). A lower score indicates higher leet transformation, suggesting an attempt to obfuscate a weak base word.
  • COVERAGE: Measures the proportion of the user's reconstructed personal data (tokens) that is present in the password. High coverage is bad.
  • FORCE (Password Force): A composite metric estimating cracking time based on length, charset, and entropy.

The paper introduces a novel Cumulative Password Strength (CPS) metric, which aggregates the scores from the above methods into a single, comprehensive strength indicator.

3. LLMs: Dual Role in Password Security

The research posits that LLMs like GPT-4 represent a paradigm shift, acting as both a powerful tool for defense and a potent weapon for attack.

3.1. LLMs for Password Generation

When prompted with a user's public profile data, LLMs can generate passwords that are:

  • Strong: They incorporate high entropy, length, and character diversity.
  • Personalized & Memorable: They can create passwords based on user interests (e.g., "OrangeSystem23" for a user named George who likes oranges and studied systems), making them easier to recall than random strings.
  • Context-Aware: They avoid obvious personal data pitfalls if instructed to do so.

This capability answers RQ1 affirmatively but also highlights the threat: attackers could use the same technique to generate highly probable password guesses.

3.2. LLMs for Password Evaluation

Beyond generation, LLMs can be prompted to evaluate a given password against a user profile. They can reason semantically, identifying non-obvious connections (e.g., "Orange123" might be weak for a user whose favorite basketball team is the Orlando Magic and whose birthday is December 3rd). This contextual evaluation surpasses traditional rule-based checkers, positively addressing RQ2.

4. Experimental Methodology & Results

4.1. Experimental Setup

The study involved 100 real users. Researchers reconstructed their public profiles from social networks. Two main pipelines were tested:

  1. LLM-Generated Passwords: LLMs were given user profiles and prompted to generate "strong but memorable" passwords.
  2. LLM-Evaluated Passwords: LLMs were given a user profile and a set of candidate passwords (including weak ones derived from the profile) to rank or score their strength.

These were compared against evaluations from SODA ADVANCE's metric-based module.

4.2. Key Findings

LLM Generation Success

High

LLMs consistently generated passwords that were both strong (high entropy) and contextually personalized for the user.

Evaluation Accuracy

Superior with Context

LLMs outperformed traditional metrics in identifying semantically weak passwords when provided with user profile data.

Multi-Network Impact (RQ3)

Significant

The richness and redundancy of data across multiple platforms (Facebook, LinkedIn, Instagram) drastically improved both the accuracy of SODA ADVANCE's reconstruction and the effectiveness of LLM-based generation/evaluation.

The experiments demonstrated that the public availability of personal information acts as a force multiplier for both defensive tools and potential attackers using similar AI-driven approaches.

5. Technical Analysis & Framework

5.1. Mathematical Formulation

The novel Cumulative Password Strength (CPS) metric is conceptualized as a weighted aggregation of normalized scores from individual metrics. While the exact formula is not fully detailed in the excerpt, it can be inferred as:

$CPS = 1 - \frac{1}{N} \sum_{i=1}^{N} w_i \cdot S_i$

Where:

  • $N$ is the number of base metrics (e.g., CUPP, LEET, COVERAGE, FORCE).
  • $S_i$ is the normalized score for metric $i$ (often where 1 indicates high risk/vulnerability).
  • $w_i$ is the weight assigned to metric $i$, with $\sum w_i = 1$.
A CPS score closer to 1 indicates a stronger password. The LEET metric itself can be modeled. If $L$ is the set of leet transformations (e.g., {'a': ['@','4'], 'e': ['3']...}), and $P$ is the password, the degree of leet transformation $\ell$ can be:

$\ell(P) = \frac{\text{count of characters in } P \text{ that have a leet substitution applied}}{\text{length of } P}$

A high $\ell(P)$ suggests the password may be a simple obfuscation of a dictionary word.

5.2. Analysis Framework Example

Case Study: Evaluating "GeorgeCali1023"

Inputs:

  • Password: "GeorgeCali1023"
  • Reconstructed Profile: {Name: "George", Surname: "Smith", Education: "University of California", Birthdate: "1994-01-23", City: "Cagliari"}

Framework Application:

  1. CUPP: Checks for "George", "Smith", "California", "Cal". "Cali" is a direct match for a common abbreviation of California. Score: High Risk (e.g., 0.8).
  2. LEET: No character substitutions (a→@, i→1, etc.). Score: Low Transformation (e.g., 0.1).
  3. COVERAGE: Tokens "George" and "Cali" (from California) are directly from the profile. "1023" could be derived from birth month/day (Jan 23 -> 1/23). High coverage. Score: High Risk (e.g., 0.9).
  4. FORCE: Length is 13, mix of upper/lower/digits. Entropy is reasonably high purely on syntax. Score: Moderate Strength (e.g., 0.4 risk).
  5. LLM Semantic Evaluation: Prompt: "How strong is password 'GeorgeCali1023' for a user named George Smith who attended University of California and was born on Jan 23, 1994?" LLM output: "Weak. It directly uses the user's name, a shorthand for their university, and likely their birth month and day. Easily guessable from public data."

Conclusion: While traditional entropy (FORCE) suggests moderate strength, the contextual metrics (CUPP, COVERAGE) and LLM evaluation flag it as critically weak due to its high semantic correlation with public personal data. This exemplifies the core thesis of the paper.

6. Critical Analyst Perspective

Core Insight: The paper successfully hammers home a terrifying and inevitable truth: the era of evaluating passwords in a contextual vacuum is over. Your "strong" password is only as strong as the weakest link in your public digital footprint. SODA ADVANCE formalizes this threat, but the real game-changer is the demonstration that LLMs don't just automate cracking—they understand it. This moves the attack surface from brute-force computation to semantic reasoning, a far more efficient and dangerous paradigm.

Logical Flow: The argument is compelling: 1) Personal data is public (fact), 2) Passwords are derived from personal data (fact), 3) Therefore, public data can crack passwords (established by tools like SODA). 4) LLMs are supremely adept at processing and generating language, including personal data and password patterns. 5) Ergo, LLMs are the ultimate dual-use technology for this domain. The research cleanly validates this flow with empirical data.

Strengths & Flaws:

  • Strength: Proactive Threat Modeling. The paper isn't just documenting a vulnerability; it's modeling the next-generation attack tool (AI-driven, context-aware) before it becomes mainstream. This is invaluable for defense.
  • Strength: Practical Validation. Using 100 real users grounds the research in reality, not theory.
  • Flaw: LLM Opacity. The paper treats LLMs as a black box. Why did the LLM deem a password weak? Without explainability, it's hard to fully trust or integrate this into automated systems. Contrast this with the interpretable, if simpler, metrics of CUPP or COVERAGE.
  • Significant Flaw: Ethical & Adversarial Blind Spot. The paper briefly mentions the threat but doesn't grapple with the colossal arms race it implies. If researchers can do this, so can malicious actors—potentially at scale. Where are the proposed mitigations or regulatory considerations for this new threat vector?

Actionable Insights:

  1. For Security Teams: Immediately deprioritize traditional password strength meters. Invest in or develop tools that perform SODA-like reconstructions of your executives' and key employees' public data to audit their credentials.
  2. For Password Managers & SaaS Providers: Integrate contextual strength checking. A password manager should warn: "This password is strong, but we found your cat's name 'Whiskers' and birth year '1988' on your public Instagram. Consider changing it."
  3. For Researchers: The urgent next step is Adversarial LLM Hardening. Can we train or prompt LLMs to generate passwords that resist their own analytical capabilities? This is akin to Generative Adversarial Networks (GANs) used in image generation, where a generator and discriminator compete. A "Password GAN" could be a groundbreaking defense.
  4. For Everyone: This is the final nail in the coffin for passwords as a sole authentication factor. The paper's unstated conclusion screams for the accelerated adoption of phishing-resistant MFA (WebAuthn/FIDO2) and passwordless technologies.
The research by Atzori et al. is a crucial wake-up call. It's not just about better password checkers; it's about recognizing that AI has fundamentally altered the cybersecurity landscape, making our old habits and tools dangerously obsolete.

7. Future Applications & Directions

The implications of this research extend far beyond academic interest:

  • Proactive Corporate Security Audits: Enterprises can deploy SODA ADVANCE-like tools internally to audit employee password practices against their professional digital footprints (LinkedIn, corporate bios), mitigating insider and spear-phishing risks.
  • Integration with Identity & Access Management (IAM): Future IAM systems could include a continuous, passive module that monitors changes in an employee's public social data and triggers a mandatory password reset if a high-risk correlation is detected.
  • AI-Powered, Privacy-Preserving Password Generation: The next evolution is on-device LLMs (e.g., Apple's on-device models) that generate strong passwords without sending personal data to the cloud, marrying the strength of AI with user privacy. Research in federated learning for LLMs, as explored by institutions like Google AI, could be directly applicable here.
  • Standardization of Contextual Password Metrics: The CPS metric or its successors could evolve into a new standard (beyond NIST guidelines) for high-security environments, mandating checks against publicly available information.
  • Digital Literacy and Privacy Education: This research provides concrete, frightening examples for educating the public. Demonstrating how a few social posts can crack a password is a powerful deterrent against oversharing.
  • Forensic and Investigative Tools: Law enforcement and ethical hackers could use these techniques in forensic investigations to access secured devices or accounts where traditional methods fail, raising important ethical and legal questions that need parallel development.

The convergence of OSINT (Open-Source Intelligence) tools, data reconstruction techniques, and generative AI marks a new frontier in security. The future lies not in creating ever more complex passwords, but in developing intelligent systems that understand and defend against the semantic connections we inevitably leak online.

8. References

  1. Atzori, M., Calò, E., Caruccio, L., Cirillo, S., Polese, G., & Solimando, G. (2025). Password Strength Analysis Through Social Network Data Exposure: A Combined Approach Relying on Data Reconstruction and Generative Models. SEBD 2025 Proceedings.
  2. Author(s). (Year). SODA: A Data Reconstruction Tool. Relevant Conference or Journal. (Reference [2] in PDF).
  3. Author(s). (Year). On data reconstruction and semantic context. Relevant Publication. (Reference [3] in PDF).
  4. Goodfellow, I., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A., & Bengio, Y. (2014). Generative Adversarial Nets. Advances in Neural Information Processing Systems (NeurIPS). (External source on GANs).
  5. Author(s). (Year). FORCE password metric. Relevant Publication. (Reference [5] in PDF).
  6. Author(s). (Year). LEET speak transformation analysis. Relevant Publication. (Reference [6] in PDF).
  7. Author(s). (Year). COVERAGE metric for passwords. Relevant Publication. (Reference [7] in PDF).
  8. National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines (SP 800-63B). https://pages.nist.gov/800-63-3/sp800-63b.html (External authoritative source on authentication).
  9. Author(s). (Year). CUPP - Common User Password Profiler. Relevant Publication. (Reference [9] in PDF).
  10. Google AI. (2023). Federated Learning and Analytics. https://ai.google/research/teams/federated-learning (External source on privacy-preserving AI).