|
Message-ID: <CAJ9ii1EsJgtjCuEsV=YB91LFgfD-Q3uu-YFhF_zD3pQsg4eX3g@mail.gmail.com> Date: Thu, 18 Aug 2016 13:47:08 -0400 From: Matt Weir <cweir@...edu> To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com> Subject: Re: neural networks I've gone through the paper a couple of times. Haven't looked through the code though. They way they use John the Ripper is in wordlist mode. They use the SpiderLabs rules-set for the mangling rules. For the wordlist, (directly from the paper): "We explore two different sets of training data. We term the first set the Password Guessability Service (PGS) training set, used by prior work [89]. It contains the Rockyou [90] and Yahoo! [43] leaked password sets. For guessing methods that use natural language, it also includes the web2 list [11], Google web corpus [47], and an inflection dictionary [78]. This set totals 33 million passwords and 5.9 million natural-language words" Their Markov modes are using their own tools, not JtR. The advantage of using a neural network is the small size of the program to assign a probability to user's passwords. You don't have to include the full input dictionary, (for example if you were using a reverse-mangling approach), or a full grammar if you were using a PCFG. Even a full Markov character set would be much larger if you are training 5 or 6-gram Markov models. I'd argue that John's incremental training sets are smaller though. As to the ability to incorporate it in to other password cracking tools or using it as a stand-alone guess generator, or for the matter how it performs compared to incremental mode, I'd like to look at the code first before I start speculating on that ;p Matt On Thu, Aug 18, 2016 at 12:30 PM, Solar Designer <solar@...nwall.com> wrote: > Hi, > > This is not an end-user topic yet, because there's no end-user usable > code yet, and there might not ever be. But I felt this is of interest > to the JtR user community anyway, and as we do not dive into source code > details yet it is not a topic for john-dev yet. > > There's interesting new work here: > > "Code for cracking passwords with neural networks" > https://github.com/cupslab/neural_network_cracking > > Paper/slides: > > https://www.usenix.org/conference/usenixsecurity16/technical-sessions/ > presentation/melicher > > The authors include a comparison against JtR and hashcat, but without > detail on which versions and modes were used. (I am guessing JtR's > Markov mode was, but incremental mode was not. That's unfortunate.) > > I only skimmed the paper so far. In one place, it mentions needing 16 > days to generate 10^10 candidate passwords on a GPU. This would make > the approach usable for attacking (semi-)slow hashes, but not fast ones. > > I am not convinced there's an improvement over Markov and incremental > modes here - need independent testing for that - but maybe this is a > mode that would be reasonable to have alongside other modes we have. > > Alexander >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.