Passwords are stored in the form of salted one-way hashes so that attacks on servers cannot leak them in the clear. However, humans tend to select passwords that are easy to remember, and a motivated attacker may attempt to hash quite large sets of easy passwords until a match is found with the target hash. Password cracking tools such as hashcat and john the ripper do this job very efficiently, using different forms of attacks that, for example, try passwords with a certain syntactic structure or passwords taken from a dictionary and mangled through appropriate rules. Recent work on password guessing has shown that machine learning can, in principle, outperform existing cracking tools in terms of success rate, by generating sophisticated password models. In this paper, we give password cracking tools a second chance, by exploring automated training techniques that aim to effectively improve the success rate. To achieve this ambitious goal, we carry out a systematic and in-depth analysis of various cracking strategies, and we propose a new combination of techniques that we train and test on a dataset of more than 700M real passwords. Our results show that, with this new approach, we can almost double the success rate, returning the primacy to password cracking tools. The techniques are general, repeatable and publicly available up to ethical constraints, providing a new benchmark for future research on password guessing.

The Revenge of Password Crackers: Automated Training of Password Cracking Tools

Alessia Michela Di Campi;Riccardo Focardi;Flaminia Luccio
2022-01-01

Abstract

Passwords are stored in the form of salted one-way hashes so that attacks on servers cannot leak them in the clear. However, humans tend to select passwords that are easy to remember, and a motivated attacker may attempt to hash quite large sets of easy passwords until a match is found with the target hash. Password cracking tools such as hashcat and john the ripper do this job very efficiently, using different forms of attacks that, for example, try passwords with a certain syntactic structure or passwords taken from a dictionary and mangled through appropriate rules. Recent work on password guessing has shown that machine learning can, in principle, outperform existing cracking tools in terms of success rate, by generating sophisticated password models. In this paper, we give password cracking tools a second chance, by exploring automated training techniques that aim to effectively improve the success rate. To achieve this ambitious goal, we carry out a systematic and in-depth analysis of various cracking strategies, and we propose a new combination of techniques that we train and test on a dataset of more than 700M real passwords. Our results show that, with this new approach, we can almost double the success rate, returning the primacy to password cracking tools. The techniques are general, repeatable and publicly available up to ethical constraints, providing a new benchmark for future research on password guessing.
2022
Computer Security, ESORICS 2022
File in questo prodotto:
File Dimensione Formato  
ESORICS2022-preprint-DiCampiFocardiLuccio.pdf

non disponibili

Tipologia: Documento in Pre-print
Licenza: Accesso chiuso-personale
Dimensione 2.59 MB
Formato Adobe PDF
2.59 MB Adobe PDF   Visualizza/Apri

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10278/5004097
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 6
  • ???jsp.display-item.citation.isi??? 2
social impact