Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 26 Sep 2017 08:55:57 -0500
From: Tim Yardley <>
Subject: Re: 'PassGAN: A Deep Learning Approach'


I agree with your analysis. Even the CMU work is just so-so in this
particular domain. For pubicly released toolsets though, it's not bad.

To briefly explaijn... In private work, I applied a slightly adapted
HTM model and external data sources to build behavioral models based
on the presumed user profile (built via google searchs as an example
for related content to the email address or name) and that type of
approach was, let's say... very successful even in the cases of common
names. The behavioral profiles I built also had less tightly bound
criterium as well that could be presumed in some way from the username
or other information. If all of that failed, it applied a "general
model" that was an aggregate of preferences across different profiles.
Just OPSEC applied in an automated way really.

In reading the PassGAN paper, I applauded the concept of applying GANs
to this, but my applause were short lived, sadly.


On Tue, Sep 26, 2017 at 8:25 AM, Matt Weir <> wrote:
> Oh, and my apologies for typoing your name Jeroen!!! Just realized
> that after hitting send.
> Matt
> On Tue, Sep 26, 2017 at 9:23 AM, Matt Weir <> wrote:
>> Thanks for sending that along Jeoren!
>> I've gone through that paper a number of times now. As background for
>> the people on this mailinglist who don't want to read it, the paper
>> describes using Generated Adversarial Networks (GANs) to train a
>> neural network to create password guesses. It a ways, it is very
>> similar to the earlier work done by CMU on using neural networks to
>> crack passwords. CMU's code is here:
>> And if you actually want to get that code to run I highly recommend
>> checking out Maximilian's tutorial here:
>> Both the PassGAN and the CMU teams generate guesses much like JtR
>> --Markov and --Incremental modes by using the conditional
>> probabilities of letters appearing together. For example, if the first
>> letter is a 'q' then then next letter will likely be a 'u'. A more
>> sophisticated example would be, if the first three letters are '123',
>> then the next letter will likely be a '4'.
>> Where PassGAN is different from the CMU approach is mostly from the
>> training stage as far as I can tell. While I can't directly compare
>> the two attacks since I'm not aware of the PassGAN code being publicly
>> released, at least based on reading the papers the CMU approach is
>> much, much more effective.
>> Actually the PassGAN paper is a bit of a mess when it comes to looking
>> at other password cracking approaches. For example it uses the
>> SpiderLab ruleset for JtR vs the default one, or --single. The actual
>> results of PassGAN were very poor, and while the team said that
>> combining PassGAN with Hashcat's best64 ruleset + wordlist cracked
>> more passwords than just running best64, they didn't bother to
>> contrast that with other attack modes + best64.  Long story short, the
>> research is interesting but if you are looking to use neural networks
>> for generating password guesses the current go-to is still the CMU
>> codebase.
>> Matt
>> On Tue, Sep 26, 2017 at 6:33 AM, Jeroen <> wrote:
>>> FYI: [1709.00440] PassGAN: A Deep Learning Approach for Password Guessing
>>> @<>.
>>> Cheers,
>>> Jeroen

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.