RISS Academic Research Information Service


      (A) password guessing method based on generative adversarial networks with offensive security perspective


      https://www.riss.kr/link?id=T15943904


      Multilingual Abstract


      Text-based passwords are a fundamental and popular means of authentication. Password authentication is simple to implement because it does not require any equipment, unlike biometric authentication, and it relies only on the user's memory. Therefore, people often use easy-to-remember passwords, such as "iloveyou1234." This reliance on memory, however, is an inherent weakness of passwords, mainly because these easy-to-remember passwords can also be cracked easily. Despite this well-known weakness, passwords are still the de facto authentication method for most online systems. Owing to this importance, password cracking has been researched extensively, both for offensive and defensive purposes. Hashcat and John the Ripper are the most popular cracking tools, allowing users to crack millions of passwords in a short time, based on password-cracking dictionaries and rule-sets. However, rule-based cracking has an explicit limitation of depending on password-cracking experts to come up with creative rules. To overcome this limitation, a recent trend has been to apply machine learning techniques to conduct research on password cracking. For instance, state-of-the-art password guessing studies such as PassGAN adopted a Generative Adversarial Network (GAN) and used it to generate high-quality password guesses without knowledge of password structures. However, compared to the probabilistic context-free grammar (PCFG), PassGAN showed inferior password-cracking performance in all experimental cases. In addition, PassGAN could not prove its cracking performance under practical cases (long-length and complicated passwords).

      In this thesis, I propose new methods for achieving improved password-cracking performance, which are based on both the generator and discriminator modules of a GAN. With respect to the generator of GAN, I describe new techniques for improving the password-cracking performance of PassGAN. Interestingly, changing both basic neural networks and the hyper-parameter configuration of GANs outperforms the cracking performance of PassGAN. In addition, transforming to dual-discriminator architecture has a beneficial effect on improving the password-cracking performance. These new approaches are denoted as rPassGAN, rPassD2CGAN, and rPassD2SGAN. In some experimental cases, the rPassGAN series surpasses PCFG as well.

      Through several experiments with rPassGAN, I observed that each password guessing model has its own cracking space that does not overlap with other models. This observation led me to realize that an optimized candidate dictionary can be made by combining the password candidates generated by multiple password generation models. The second technique I suggest is a deep learning-based approach called REDPACK that addresses the weakness of the cutting-edge GAN-based password-cracking tools. To this end, REDPACK combines multiple password generator models in an effective way. This approach uses the discriminator of the rPassGAN as the password-candidate selector. Then, by collecting passwords selectively, REDPACK achieves a more realistic password candidate dictionary. Also, REDPACK improves password cracking performance by incorporating both the generator and the discriminator in a GAN framework. I evaluated this model on various datasets with password candidates composed of symbols, digits, upper, and lowercase letters. The results clearly show that my approach outperforms all existing approaches, including rule-based Hashcat, GAN-based PassGAN, and probability-based PCFG. Another advantage of the proposed model is that REDPACK can reduce the number of password candidates by up to one-third or one-fourth, with small cracking performance loss compared to the union set of passwords cracked by multiple-generation models.

      Finally, I propose iREDPACK, which is the first heterogeneously-structured GAN model in the password-cracking domain and adopts the concept of Google Inception. iREDPACK is designed for handling passphrase-structured passwords. iREDPACK selects more password candidates of PCFG than REDPACK in all experiments.


      Table of Contents

      • Abstract
      • 1 Introduction
      • 2 Preliminaries
      • 2.1 Password Cracking Basic
      • 2.2 Password Strength Estimation
      • 2.2.1 Entropy based Approaches
      • 2.2.2 Password Guessing Based Approaches
      • 2.3 Advanced Password Guessing For Cracking
      • 2.3.1 Markov and Context-Free Grammar Approaches
      • 2.3.2 Deep Learning Based Approaches
      • 3 Generating password candidates based on GANs
      • 3.1 Background: Generative Adversarial Networks
      • 3.2 Single Discriminator Model
      • 3.3 Dual Discriminator Models
      • 3.3.1 Weakness of rPassD2CGAN
      • 3.3.2 Enhanced Dual-Discriminator Model: rPassD2SGAN
      • 3.4 Experiments
      • 3.4.1 Training Configuration
      • 3.4.2 Password Cracking
      • 3.5 Evaluation
      • 3.5.1 Dictionary Quality Perspective
      • 3.5.2 Cracking Performance Perspective
      • 3.5.3 Password Strength Estimation
      • 3.6 Limitation of rPassGAN
      • 4 Selecting password candidates based on GANs
      • 4.1 Background
      • 4.1.1 Relativistic GANs
      • 4.1.2 Deep Convolutional Neural Network: Google Inception
      • 4.2 REDPACK
      • 4.2.1 Overview
      • 4.2.2 The Discriminator Training Structure
      • 4.2.3 Password Candidates Selecting Structure
      • 4.3 Experiments with REDPACK
      • 4.3.1 Experimental Data Preparation
      • 4.3.2 REDPACK Training Configuration
      • 4.3.3 GAN Training and Testing
      • 4.3.4 Password Cracking
      • 4.3.5 Limitation of REDPACK
      • 4.3.6 Further Improvement of Cracking Performance Using Proper Rules
      • 4.4 The inception REDPACK: iREDPACK
      • 4.5 Experiments with iREDPACK
      • 4.5.1 The Effectiveness of Inception module layer
      • 4.5.2 The Limitation of iREDPACK: CJK Website Leaked Passwords
      • 5 Conclusion
      • A APPENDICES
      • A.1 Custom Hashcat/JtR Rule-I: REDPACK100
      • A.2 Custom Hashcat/JtR Rule-II: rPassGAN100
      • Bibliography