2025-03-29 Update. From: SLTechnology News&Howtos
Shulou (Shulou.com), 05/31 Report
This article introduces PassGAN, a deep learning method for password guessing. The content is detailed and may be useful as a reference.
These rules define transformations such as concatenation of words (for example, "password123456") and leet speak (for example, "password" becomes "p4s5w0rd"). Although these rules perform well on current datasets, creating a new rule that is optimized for a new dataset is a laborious task that requires specific expertise.
In this article, we show how to replace human-generated password rules with a password generation method grounded in machine learning theory. The result is PassGAN, a new approach that uses Generative Adversarial Networks (GANs) to enhance password guessing. PassGAN works by training a GAN on a list of leaked passwords. Because the output of the GAN is distributed closely to its training set, passwords generated by PassGAN are likely to match passwords that have not yet been leaked. PassGAN represents a substantial improvement over rule-based password generation tools because it infers password distribution information automatically from password data rather than through manual analysis. As a result, PassGAN can effortlessly take advantage of new password leaks to generate a richer password distribution.
Our experiments show that this approach is very promising. When we evaluated PassGAN on two large password datasets, we outperformed John the Ripper's SpiderLabs rules by a factor of two on average, and we were competitive with HashCat's best64 and gen2 rules: our results were within a factor of two of the HashCat rules. More importantly, when we combine the output of PassGAN with the output of HashCat, we match about 18% more passwords than with HashCat alone. This is remarkable because it shows that PassGAN can generate a considerable number of passwords that current tools do not.
1. Introduction
Passwords are the most popular authentication method, mainly because they are easy to implement, require no additional hardware or software, and are familiar to users and developers. Unfortunately, multiple password database leaks show that users tend to choose passwords that are easy to guess, consisting mainly of common strings and variants of common strings (such as password, 1234546, iloveyou).
Password cracking tools are valuable for identifying weak passwords, especially when passwords are stored in hashed form. The password cracking software tests each candidate password against the stored hash values, so its effectiveness depends on the ability to test a large number of passwords quickly. Instead of trying all possible character combinations, password cracking tools use words from dictionaries and previously leaked passwords as candidate passwords. State-of-the-art password guessing tools, such as John the Ripper and HashCat, take this approach further by defining heuristics for password transformations. These heuristics include combinations of multiple words (e.g. iloveyou123456), mixed letter case (e.g. iLoVeyOu), and leet speak (e.g. il0v3you). Combined with Markov models, these heuristics allow John the Ripper and HashCat to generate a large number of new, highly probable passwords.
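The transformations listed above (word concatenation, mixed case, leet speak) can be reversed when a user sets a password, so that candidates a rule-based tool would reach quickly are rejected. The following is an added example, not code from the original article; the blocklist contents, the leet mapping and the function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist; in practice, load a dictionary or leaked-password list.
COMMON = {"password", "iloveyou", "123456", "qwerty"}

# Assumed reverse leet-speak mapping (one letter per symbol).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def splits_into_common(s, words=COMMON):
    """True if s is a concatenation of one or more blocklisted strings."""
    reachable = [True] + [False] * len(s)  # reachable[i]: s[:i] fully segmented
    for end in range(1, len(s) + 1):
        reachable[end] = any(
            reachable[start] and s[start:end] in words for start in range(end)
        )
    return bool(s) and reachable[len(s)]


def weak_reason(candidate):
    """Return which rule-style transformation links candidate to the blocklist,
    or None if none of the modelled transformations applies."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits/symbols
    if candidate in COMMON:
        return "exact match"
    if lowered in COMMON:
        return "mixed case"
    if splits_into_common(lowered):
        return "word concatenation"
    if stripped in COMMON:
        return "appended digits or symbols"
    if (splits_into_common(lowered.translate(UNLEET))
            or stripped.translate(UNLEET) in COMMON):
        return "leet speak"
    return None


if __name__ == "__main__":
    for pw in ["iloveyou123456", "iLoVeyOu", "il0v3you", "p4s5w0rd",
               "Password2024!", "correct-horse-battery"]:
        print(f"{pw!r}: {weak_reason(pw) or 'no modelled rule matches'}")
```

A result of None only means that none of these hand-written rules applies; it says nothing about guesses produced by a learned model such as the one this article describes.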
Although these heuristics are reasonably successful in practice, they are ad hoc and based on intuitions about how users choose passwords, rather than on a coherent, principled analysis of large password datasets. Moreover, developing and testing new heuristics is a time-consuming task. To address this shortcoming, we propose PassGAN, a new approach for generating password guesses based on deep learning and Generative Adversarial Networks (GANs). GANs are a recently introduced machine learning tool designed to perform density estimation in high-dimensional spaces. A GAN consists of two deep neural networks: a generative deep neural network (G) and a discriminative deep neural network (D). D is designed to distinguish between "real samples" and "pseudo-samples" generated by G. The two networks influence each other over many iterations. In each iteration, the pseudo-samples output by G are provided as input to D, and the output of D is fed back to G so that G generates pseudo-samples that are closer and closer to the real samples. After a sufficient number of iterations, the output of G becomes the output of the GAN. PassGAN applies this technique to password guessing. Our core idea is to use leaked password lists (real samples) to train D. With each iteration, the output of PassGAN (pseudo-samples) therefore becomes closer to the distribution of passwords in the original leak, and so is more likely to match real users' passwords. As far as we know, this is the first time that GANs have been used for this purpose.
PassGAN represents a principled and theory-grounded approach to generating password guesses. We explore different neural network configurations, parameters and training procedures in order to find the right balance between learning and overfitting, and we report our results. In particular, our contributions are as follows:
(1) We show that GANs can generate high-quality password guesses. In our experiment, we were able to match 2774269 of the 5919936 passwords (46.86%) from a test set of real user passwords in the RockYou dataset and 4996980 (11.53%) of the 43354871 passwords in the LinkedIn dataset. Furthermore, the overwhelming majority of the passwords generated by PassGAN that did not match our test set still "look like" human-generated passwords.
(2) We find that our technique can compete with state-of-the-art password generation rules. Even though these rules were tuned for the datasets used in our evaluation, the quality of PassGAN's output is comparable to that of these state-of-the-art password rules (in the case of HashCat), or better (in the case of John the Ripper).
(3) Our results also show that PassGAN can be used to supplement password generation rules. In our experiment, PassGAN generated password matches that were not generated by any password rules. When we combine the output of PassGAN with that of HashCat, we match an additional 18% to 24% of unique passwords compared to HashCat alone.
(4) Compared with password generation rules, PassGAN can generate an almost unlimited number of password guesses. Our experiments show that the number of new password guesses increases steadily with the total number of passwords generated by the GAN. This is important because the number of passwords that can currently be generated with rules ultimately depends on the size of the password dataset used to instantiate those rules.
We believe that this work is a first step toward automating the generation of high-quality password guesses. Our results constitute evidence that GANs can exceed rule-based password guessing when trained on sufficiently large password datasets, or when instantiated with a sufficiently complex neural network architecture. In addition, PassGAN achieves this result without the user effort that password guessing rules usually require.
We think this work is relevant, important and timely. It is relevant because, despite countless alternatives, we see little possibility that passwords will be replaced soon. It is important because establishing the limits of password guessing can help make password-based systems more secure. It is timely because recent password leaks contain hundreds of millions of passwords, providing a powerful data source for attackers to compromise systems and for system administrators to re-evaluate password policies.