PassGAN: A Deep Learning Approach for Password Guessing
State-of-the-art password guessing tools, such as HashCat and John the Ripper (JTR), enable users to check billions of passwords per second against password hashes. In addition to straightforward dictionary attacks, these tools can expand dictionaries using password generation rules. Although these rules perform well on current password datasets, creating new rules that are optimized for new datasets is a laborious task that requires specialized expertise. In this paper, we devise how to replace human-generated password rules with a theory-grounded password generation approach based on machine learning. The result of this effort is PassGAN, a novel technique that leverages Generative Adversarial Networks (GANs) to enhance password guessing. PassGAN generates password guesses by training a GAN on a list of leaked passwords. Because the output of the GAN is distributed closely to its training set, the password generated using PassGAN are likely to match passwords that have not been leaked yet. PassGAN represents a substantial improvement on rule-based password generation tools because it infers password distribution information autonomously from password data rather than via manual analysis. As a result, it can effortlessly take advantage of new password leaks to generate richer password distributions. Our experiments show that this approach is very promising. When we evaluated PassGAN on two large password datasets, we were able to outperform JTR's rules by a 2x factor, and we were competitive with HashCat's rules - within a 2x factor. More importantly, when we combined the output of PassGAN with the output of HashCat, we were able to match 18 alone. This is remarkable because it shows that PassGAN can generate a considerable number of passwords that are out of reach for current tools.
READ FULL TEXT