Abstract
Passwords are stored in the form of salted one-way hashes so that attacks on servers cannot leak them in the clear. However, humans tend to select passwords that are easy to remember, and a motivated attacker may attempt to hash quite large sets of easy passwords until a match is found with the target hash. Password cracking tools such as hashcat and John the Ripper do this job very efficiently, using different forms of attacks that, for example, try passwords with a certain syntactic structure or passwords taken from a dictionary and mangled through appropriate rules. Recent work on password guessing has shown that machine learning can, in principle, outperform existing cracking tools in terms of success rate, by generating sophisticated password models. In this paper, we give password cracking tools a second chance, by exploring automated training techniques that aim to effectively improve the success rate. To achieve this ambitious goal, we carry out a systematic and in-depth analysis of various cracking strategies, and we propose a new combination of techniques that we train and test on a dataset of more than 700M real passwords. Our results show that, with this new approach, we can almost double the success rate, returning the primacy to password cracking tools. The techniques are general, repeatable and publicly available up to ethical constraints, providing a new benchmark for future research on password guessing.
Keywords
- Passwords
- Cracking tools
- Automated training
This work has been partially supported by the POR FESR project SAFE PLACE: “Sistemi IoT per ambienti di vita salubri e sicuri”.
Notes
1.
2. Hashcat mode -m 99999 is the plaintext mode: no hash is computed, and each candidate is compared directly against the plaintext passwords in the target file.
3. Since the hbp set is distributed as NTLM hashes, we set the corresponding hashcat hash mode with -m 1000.
References
Hashcat. https://hashcat.net/hashcat/
John the Ripper. https://www.openwall.com/john/
One rule to rule them all. https://notsosecure.com/one-rule-to-rule-them-all
Pantagrule. https://github.com/rarecoil/pantagrule
Password analysis and cracking kit (PACK). https://github.com/iphelix/pack
Rockyou dataset. https://gitlab.com/kalilinux/packages/wordlists
Rockyou2021 dataset. https://github.com/ohmybahgosh/RockYou2021.txt
Brodkin, J.: 10 (or so) of the worst passwords exposed by the LinkedIn hack. Ars Technica, June 2012
de Carné de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014. The Internet Society (2014)
Cubrilovic, N.: RockYou hack: from bad to worse. TechCrunch, December 2009
Di Campi, A.M., Focardi, R., Luccio, F.L.: Automated training of password cracking tools (repository). https://github.com/focardi/PasswordCrackingTraining
Duckett, C.: Login duplication allows 20M Alibaba accounts to be attacked. ZDNet, February 2016. https://www.zdnet.com/article/login-duplication-allows-20m-alibaba-accounts-to-be-attacked/
Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: PassGAN: a deep learning approach for password guessing. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 217–237. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_11
Hranický, R., Lištiak, F., Mikuš, D., Ryšavý, O.: On practical aspects of PCFG password cracking. In: Foley, S.N. (ed.) DBSec 2019. LNCS, vol. 11559, pp. 43–60. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22479-0_3
Hunt, T.: Pwned Passwords. https://haveibeenpwned.com/Passwords
Hunt, T.: Open source Pwned Passwords with FBI feed and 225M new NCA passwords is now live! December 2021. https://www.troyhunt.com/open-source-pwned-passwords-with-fbi-feed-and-225m-new-nca-passwords-is-now-live/
Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy, pp. 523–537 (2012)
Komanduri, S.: Modeling the adversary to evaluate password strength with limited samples, Ph.D. thesis, CMU-ISR (2016)
Liu, E., Nakanishi, A., Golla, M., Cash, D., Ur, B.: Reasoning analytically about password-cracking software. In: 2019 IEEE S&P Symposium, pp. 380–397 (2019)
Ma, J., Yang, W., Luo, M., Li, N.: A study of probabilistic password models. In: 2014 IEEE S&P Symposium, pp. 689–704 (2014)
Melicher, W., et al.: Fast, lean, and accurate: modeling password guessability using neural networks. In: 25th USENIX Security Symposium, pp. 175–191 (2016)
Meyer, B.: COMB: largest breach of all time leaked online with 3.2 billion records. Cybernews, February 2021
Mikalauskas, E.: RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries. Cybernews, June 2021
Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)
Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: ACM CCS 2005, pp. 364–372 (2005)
NIST: Digital Identity Guidelines - Authentication and Lifecycle Management. Special Publication 800-63B (2017)
Pasquini, D., Cianfriglia, M., Ateniese, G., Bernaschi, M.: Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries. In: 30th USENIX Security Symposium, pp. 821–838, August 2021
Pasquini, D., Gangwal, A., Ateniese, G., Bernaschi, M., Conti, M.: Improving password guessing via representation learning. In: 42nd IEEE S&P Symposium, pp. 1382–1399 (2021)
Ur, B., et al.: Design and evaluation of a data-driven password meter. In: CHI Conference on Human Factors in Computing Systems, pp. 3775–3786. ACM (2017)
Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: 21st USENIX Security Symposium, pp. 65–80 (2012)
Ur, B., et al.: Measuring real-world accuracies and biases in modeling password guessability. In: 24th USENIX Security Symposium, pp. 463–481 (2015)
Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 30th IEEE S&P Symposium, pp. 391–405 (2009)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Di Campi, A.M., Focardi, R., Luccio, F.L. (2022). The Revenge of Password Crackers: Automated Training of Password Cracking Tools. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_16
DOI: https://doi.org/10.1007/978-3-031-17146-8_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8
eBook Packages: Computer Science, Computer Science (R0)