Date: Tue, 26 Sep 2017 09:25:01 -0400
From: Matt Weir <cweir@...edu>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: 'PassGAN: A Deep Learning Approach'

Oh, and my apologies for typoing your name Jeroen!!! Just realized
that after hitting send.

Matt

On Tue, Sep 26, 2017 at 9:23 AM, Matt Weir <cweir@...edu> wrote:
> Thanks for sending that along Jeoren!
>
> I've gone through that paper a number of times now. As background for
> the people on this mailing list who don't want to read it, the paper
> describes using Generated Adversarial Networks (GANs) to train a
> neural network to create password guesses. In a way, it is very
> similar to the earlier work done by CMU on using neural networks to
> crack passwords. CMU's code is here:
>
> https://github.com/cupslab/neural_network_cracking
>
> And if you actually want to get that code to run I highly recommend
> checking out Maximilian's tutorial here:
>
> https://www.password-guessing.org/blog/post/cupslab-neural-network-cracking-manual/
>
> Both the PassGAN and the CMU teams generate guesses much like JtR
> --Markov and --Incremental modes by using the conditional
> probabilities of letters appearing together. For example, if the first
> letter is a 'q' then the next letter will likely be a 'u'. A more
> sophisticated example would be, if the first three letters are '123',
> then the next letter will likely be a '4'.
>
> Where PassGAN is different from the CMU approach is mostly from the
> training stage as far as I can tell. While I can't directly compare
> the two attacks since I'm not aware of the PassGAN code being publicly
> released, at least based on reading the papers the CMU approach is
> much, much more effective.
>
> Actually the PassGAN paper is a bit of a mess when it comes to looking
> at other password cracking approaches. For example it uses the
> SpiderLab ruleset for JtR vs the default one, or --single. The actual
> results of PassGAN were very poor, and while the team said that
> combining PassGAN with Hashcat's best64 ruleset + wordlist cracked
> more passwords than just running best64, they didn't bother to
> contrast that with other attack modes + best64.  Long story short, the
> research is interesting but if you are looking to use neural networks
> for generating password guesses the current go-to is still the CMU
> codebase.
>
> Matt
>
> On Tue, Sep 26, 2017 at 6:33 AM, Jeroen <spam@...lab.nl> wrote:
>> FYI: [1709.00440] PassGAN: A Deep Learning Approach for Password Guessing
>> @<https://arxiv.org/abs/1709.00440>.
>>
>> Cheers,
>>
>> Jeroen
>>
>>
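
Added example (not part of the original thread, and not code from PassGAN, the CMU project or JtR): a small Python sketch of the conditional next-character probabilities described in the quoted message, used the way a strength meter would to score how predictable a password is. The training list, the order-3 context and the add-one smoothing are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample list for illustration; not taken from any real data set.
TRAINING = ["123456", "1234567", "12345", "queen1", "quest12", "qwerty",
            "password", "password1", "passw0rd", "quiet123", "monkey", "letmein"]

START, END = "\x02", "\x03"   # padding markers for word start and word end

def train(words, order=3):
    """Count which character follows each context of `order` characters."""
    counts = defaultdict(Counter)
    alphabet = {END}
    for w in words:
        padded = START * order + w + END
        alphabet.update(w)
        for i in range(order, len(padded)):
            counts[padded[i - order:i]][padded[i]] += 1
    return {"order": order, "counts": counts, "alphabet": alphabet}

def cond_prob(model, context, ch):
    """P(ch | preceding characters), add-one smoothed so unseen cases are > 0."""
    order = model["order"]
    ctx = (START * order + context)[-order:]
    seen = model["counts"].get(ctx, Counter())
    return (seen[ch] + 1) / (sum(seen.values()) + len(model["alphabet"]))

def most_likely_next(model, context):
    """Character the model considers most probable after `context`."""
    return max(sorted(model["alphabet"]), key=lambda c: cond_prob(model, context, c))

def guess_bits(model, password):
    """Negative log2 probability of the whole string; lower = more predictable."""
    bits = 0.0
    for i, ch in enumerate(password + END):
        bits -= math.log2(cond_prob(model, password[:i], ch))
    return bits

MODEL = train(TRAINING)

if __name__ == "__main__":
    print("after 'q'  :", most_likely_next(MODEL, "q"))
    print("after '123':", most_likely_next(MODEL, "123"))
    for pw in ("123456", "password1", "zX9!vQ"):
        print(f"{pw!r}: {guess_bits(MODEL, pw):.1f} bits")
```

A string that scores few bits under such a model is one that a Markov-style guesser would reach early, which is the signal a password policy check can act on.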
