Abstract
Despite their well-known weaknesses, passwords are still the de-facto authentication method for most online systems. Due to its importance, password cracking has been vibrantly researched both for offensive and defensive purposes. Hashcat and John the Ripper are the most popular cracking tools, allowing users to crack millions of passwords in a short time. However, their rule-based cracking has an explicit limitation of depending on password-cracking experts to come up with creative rules. To overcome this limitation, a recent trend has been to apply machine learning techniques to research on password cracking. For instance, state-of-the-art password guessing studies such as PassGAN and rPassGAN adopted a Generative Adversarial Network (GAN) and used it to generate high-quality password guesses without knowledge of password structures. However, compared with the probabilistic context-free grammar (PCFG), rPassGAN shows inferior password cracking performance in some cases. It was also observed that each password cracker has its own cracking space that does not overlap with other models. This observation led us to realize that an optimized candidate dictionary can be made by combining the password candidates generated by multiple password generation models. In this paper, we suggest a deep learning-based approach called REDPACK that addresses the weakness of the cutting-edge cracking tools based on GAN. To this end, REDPACK combines multiple password candidate generator models in an effective way. Our approach uses the discriminator of rPassGAN as the password selector. Then, by collecting passwords selectively, our model achieves a more realistic password candidate dictionary. Also, REDPACK improves password cracking performance by incorporating both the generator and the discriminator of GAN. We evaluated our system on various datasets with password candidates composed of symbols, digits, upper and lowercase letters. The results clearly show that our approach outperforms all existing approaches, including rule-based Hashcat, GAN-based PassGAN, and probability-based PCFG. The proposed model was also able to reduce the number of password candidates by up to 65%, with only 20% cracking performance loss compared to the union set of passwords cracked by multiple-generation models.
Highlights
The password is the de-facto authentication method
We demonstrated the effectiveness of the password candidates generated by the rPassGAN for enhancing the password strength estimator through several experiments
We proposed a deep learning-based method to build an effective password cracking dictionary from multiple models’ password candidates
Summary
The password is the de-facto authentication method. It is popular due to its simplicity to implement and easiness to use. To maximize password cracking effectiveness, instead of trying all the possible character combinations (exhaustive attack or brute-force attack), password cracking tools use words that users are likely to generate, as can be inferred from cracked hashes dictionaries and plaintext password leaks, as candidate passwords. Such an attacking method is referred to as the dictionary attack. The rule files enable JtR and Hashcat to generate several password candidates that people are highly likely to use in the real world These rule-based heuristic approaches are successful to an extent in practice, they are based on experts’ intuitions on how people build their passwords; further, these methods are not based on a systematical analysis of a large number of passwords. Law enforcement agencies need to crack passwords to gather evidence that criminals have encrypted [8]
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
