PassGAN: Password Cracking Using Machine Learning

Researchers at the Stevens Institute of Technology in New York, and the New York Institute of Technology have devised what they claim is a highly effective way to guess passwords using a deep learning tool called Generative Adversarial Networks (GANs). Tests of the'PassGAN' technique, as the researchers are calling it, show the method to be an improvement over state-of-the-art, rules-based password guessing tools such as HashCat and John the Ripper, the researchers said in a recently published technical paper. In their experiments the researchers were able to match nearly 47% -- or some 2,774,269 out of 5,919,936 passwords -- from a testing set comprised of real user passwords that were publicly leaked after a 2010 data breach at RockYou. Overall, the evaluations showed PassGAN outperforming John the Ripper by a factor of two, and being at least as competitive with passwords generated using the best rules from HashCat. When the output from PassGAN was combined with HashCat output the researchers could match about 24% more passwords than generated by HashCat alone.