2017-09-22-32.md
---
layout: post
title: "PassGAN: A Deep Learning Approach for Password Guessing"
byline: Hitaj et al
arxiv: 1709.00440
tags:
  - password
  - security
  - privacy
  - deep-learning
  - gan
summary: Password guessers have always relied on dictionary size and simple heuristics. PassGAN makes more nuanced and accurate guesses based on password list leaks.
---

This work focuses on better password-generation technology. But, unlike a lot of the work in this field, which focuses on generating more secure passwords, this paper tries to generate realistic, in-use passwords. The GAN's generator is rewarded when its output is indistinguishable from real leaked credentials, so it is effectively trained to guess passwords. In short, this is a brute-forcer's dream.

Conventional approaches have used dictionary-based and perturbation-based algorithms: take a password like `Password` and perturb it in the ways a human might. Character replacement gives `P@$$w0rd`, and appending extra characters gives `P@$$w0rd12!`.

PassGAN, on the other hand, trains itself on long lists of leaked passwords: the generator tries to produce a password that would fit inconspicuously into a list of real leaked passwords, while the adversary (the discriminator network) tries to tell the fakes from the real ones.

The authors demonstrate a dramatic improvement in the ability to correctly guess a user's password compared with John the Ripper's SpyderLab rules (a 2x increase!), and show that adding PassGAN's guess list to HashCat's own guesses extends coverage by a further 18-24%.

This is... troubling... because PassGAN doesn't need to be taught a password-generation strategy; it learned one from leaked passwords. So if you're feeling high-and-mighty because your password is something hard to guess like `correct1horse2battery3staple4` (and I was certainly feeling pretty confident in my passwords before reading this), PassGAN is much more likely to guess it than any system before it.
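As an added example (not code from the post or the paper), here is the defender's mirror of the perturbation-based guessing described above: a checker that undoes the common leet substitutions and appended suffixes, and reports whether a password, or each word chunk of a digit-separated passphrase like `correct1horse2battery3staple4`, collapses back to a dictionary word. The leet map and the wordlist are constructed placeholders standing in for a real leaked-password corpus.

```python
import re

# Constructed map of common leet substitutions (the P@$$w0rd kind the post
# mentions), each symbol mapped back to the letter it usually stands for.
LEET_TO_LETTER = {
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
}

# Constructed stand-in for a leaked-password / dictionary wordlist.
COMMON_WORDS = {"password", "dragon", "letmein",
                "correct", "horse", "battery", "staple"}


def _deleet(s: str) -> str:
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in s)


def _strip_suffix(s: str) -> str:
    # Remove an appended tail of digits/symbols such as the "12!" in P@$$w0rd12!.
    return re.sub(r"[^a-z]+$", "", s)


def normalizations(candidate: str) -> set:
    """Plausible base words for a password: undo leet and drop a trailing suffix.

    Both orders are tried because a trailing leet digit may be part of the word
    (h3ll0 -> hello) or an appended suffix (p@ssword1 -> password)."""
    lower = candidate.lower()
    return {_strip_suffix(_deleet(lower)), _deleet(_strip_suffix(lower)), lower}


def is_perturbed_dictionary_word(candidate: str, wordlist=COMMON_WORDS) -> bool:
    """True when the password is a simple mangling of one dictionary word."""
    return any(base in wordlist for base in normalizations(candidate))


def word_chunks(candidate: str) -> list:
    """Split a digit/symbol-separated passphrase into its lowercase word chunks."""
    return [c.lower() for c in re.split(r"[^A-Za-z]+", candidate) if c]


def dictionary_word_fraction(candidate: str, wordlist=COMMON_WORDS) -> float:
    """Fraction of chunks that are dictionary words. 1.0 means every chunk is a
    known word, so the only secret left is the word order and the separators."""
    chunks = word_chunks(candidate)
    if not chunks:
        return 0.0
    return sum(1 for c in chunks if c in wordlist) / len(chunks)
```

A policy check built on this would reject `P@$$w0rd12!` outright and flag a passphrase whose chunks are all dictionary words, which is exactly the structure a model trained on leaks learns to reproduce.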