32 — PassGAN: A Deep Learning Approach for Password Guessing

This work focuses on better password-generation technology. But, unlike a lot of the work in this field that focuses on generating more secure passwords, this paper tries to generate realistic, in-use passwords. This GAN tries to guess passwords, and is rewarded for successfully generating real credentials. In short, this is a brute-forcer’s dream.

Conventional approaches have used dictionary-based and perturbation-based algorithms: Take a password like Password, and perturb it in a way that a human might. Character replacement: P@$$w0rd and addition of extra characters: P@$$w0rd12!.

PassGAN, on the other hand, uses long lists of leaked passwords to self-train; it then tries to generate a password that would fit inconspicuously into a list of leaked real-life passwords, and the adversary tries to differentiate the fake from the real.

The authors demonstrate a dramatic improvement in the ability to correctly guess a user’s password compared with SpyderLab by John the Ripper (a 2x increase!!), and show that the PassGAN’s guess list provides an extra 18-24% of coverage to the HashCat algorithm alone.

This is…troubling… because PassGAN doesn’t need to be taught a password-generation strategy; it learned from leaked passwords. So if you’re feeling high-and-mighty because your password is something hard to guess like correct1horse2battery3staple4 (and I was certainly feeling pretty confident in my passwords before reading this), PassGAN is much more likely to guess it than any existing systems before it.