Skip to main content

The Revenge of Password Crackers: Automated Training of Password Cracking Tools

  • Conference paper
  • First Online:
Computer Security – ESORICS 2022 (ESORICS 2022)


Passwords are stored in the form of salted one-way hashes so that attacks on servers cannot leak them in the clear. However, humans tend to select passwords that are easy to remember, and a motivated attacker may attempt to hash quite large sets of easy passwords until a match is found with the target hash. Password cracking tools such as hashcat and john the ripper do this job very efficiently, using different forms of attacks that, for example, try passwords with a certain syntactic structure or passwords taken from a dictionary and mangled through appropriate rules. Recent work on password guessing has shown that machine learning can, in principle, outperform existing cracking tools in terms of success rate, by generating sophisticated password models. In this paper, we give password cracking tools a second chance, by exploring automated training techniques that aim to effectively improve the success rate. To achieve this ambitious goal, we carry out a systematic and in-depth analysis of various cracking strategies, and we propose a new combination of techniques that we train and test on a dataset of more than 700M real passwords. Our results show that, with this new approach, we can almost double the success rate, returning the primacy to password cracking tools. The techniques are general, repeatable and publicly available up to ethical constraints, providing a new benchmark for future research on password guessing.

This work has been partially supported by the POR FESR project SAFE PLACE: “Sistemi IoT per ambienti di vita salubri e sicuri”.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions


  1. 1.

    The number of 82 billion passwords indicated in [7] is incorrect. We double-checked it, and found the same number already indicated in [23].

  2. 2.

    Option -m 99999 does not perform any hash and just looks for plaintext passwords.

  3. 3.

    Since hbp is hashed with NTLM we set the corresponding hash mode with -m 1000.


  1. Hashcat.

  2. John the Ripper.

  3. One rule to rule them all.

  4. Pantagrule.

  5. Password analysis and cracking kit (PACK).

  6. Rockyou dataset.

  7. Rockyou2021 dataset.

  8. Brodkin, J.: 10 (or so) of the worst passwords exposed by the LinkedIn hack. Ars Technica, June 2012

    Google Scholar 

  9. de Carné de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014. The Internet Society (2014)

    Google Scholar 

  10. Cubrilovic, N.: RockYou hack: from bad to worse. TechCrunch, December 2009

    Google Scholar 

  11. Di Campi, A.M., Focardi, R., Luccio, F.L.: Automated training of password cracking tools (repository).

  12. Duckett, C.: Login duplication allows 20M Alibaba accounts to be attacked. ZDNet, February 2016.

  13. Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: PassGAN: a deep learning approach for password guessing. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 217–237. Springer, Cham (2019).

    Chapter  Google Scholar 

  14. Hranický, R., Lištiak, F., Mikuš, D., Ryšavý, O.: On practical aspects of PCFG password cracking. In: Foley, S.N. (ed.) DBSec 2019. LNCS, vol. 11559, pp. 43–60. Springer, Cham (2019).

    Chapter  Google Scholar 

  15. Hunt, T.: Pwned Passwords.

  16. Hunt, T.: Open source Pwned Passwords with FBI feed and 225M new NCA passwords is now live! December 2021.

  17. Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy, pp. 523–537 (2012)

    Google Scholar 

  18. Komanduri, S.: Modeling the adversary to evaluate password strength with limited samples, Ph.D. thesis, CMU-ISR (2016)

    Google Scholar 

  19. Liu, E., Nakanishi, A., Golla, M., Cash, D., Ur, B.: Reasoning analytically about password-cracking software. In: 2019 IEEE S &P Symposium, pp. 380–397 (2019)

    Google Scholar 

  20. Ma, J., Yang, W., Luo, M., Li, N.: A study of probabilistic password models. In: 2014 IEEE S &P Symposium, pp. 689–704 (2014)

    Google Scholar 

  21. Melicher, W., et al.: Fast, lean, and accurate: modeling password guessability using neural networks. In: 25th USENIX Security Symposium, pp. 175–191 (2016)

    Google Scholar 

  22. Meyer, B.: COMB: largest breach of all time leaked online with 3.2 billion records. Cybernews, February 2021

    Google Scholar 

  23. Mikalauskas, E.: RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries. Cybernews, June 2021

    Google Scholar 

  24. Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)

    Article  Google Scholar 

  25. Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: ACM CCS 2005, pp. 364–372 (2005)

    Google Scholar 

  26. NIST: Digital Identity Guidelines - Authentication and Lifecycle Management. Special Publication 800-63B (2017)

    Google Scholar 

  27. Pasquini, D., Cianfriglia, M., Ateniese, G., Bernaschi, M.: Reducing bias in modeling real-world password strength via deep learning and dynamic dictionaries. In: 30th USENIX Security Symposium, pp. 821–838, August 2021

    Google Scholar 

  28. Pasquini, D., Gangwal, A., Ateniese, G., Bernaschi, M., Conti, M.: Improving password guessing via representation learning. In: 42nd IEEE S &P Symposium, pp. 1382–1399 (2021)

    Google Scholar 

  29. Ur, B., et al.: Design and evaluation of a data-driven password meter. In: CHI Conference on Human Factors in Computing Systems, pp. 3775–3786. ACM (2017)

    Google Scholar 

  30. Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: 21th USENIX Security Symposium, pp. 65–80 (2012)

    Google Scholar 

  31. Ur, B., et al.: Measuring real-world accuracies and biases in modeling password guessability. In: 24th USENIX Security Symposium, pp. 463–481 (2015)

    Google Scholar 

  32. Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 30th IEEE S &P Symposium, pp. 391–405 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Flaminia L. Luccio .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Di Campi, A.M., Focardi, R., Luccio, F.L. (2022). The Revenge of Password Crackers: Automated Training of Password Cracking Tools. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics