PassGAN: A Deep Learning Approach for Password Guessing

PassGAN

This repository contains code for the PassGAN: A Deep Learning Approach for Password Guessing paper.

The model from PassGAN is taken from Improved Training of Wasserstein GANs and it is assumed that the authors of PassGAN used the improved_wgan_training tensorflow implementation in their work. For this reason, I have modified that reference implementation in this repository to make it easy to train (train.py) and sample (sample.py) from. This repo contributes:

• A command-line interface
• A pretrained PassGAN model trained on the RockYou dataset

Getting Started

# requires CUDA to be pre-installed

git clone https://github.com/brannondorsey/PassGAN.git
pip install -r requirements.txt

Generating password samples

Use the pretrained model to generate 1,000,000 passwords, saving them to gen_passwords.txt.

python sample.py \
	--input-dir pretrained \
	--checkpoint pretrained/checkpoints/195000.ckpt \
	--output gen_passwords.txt \
	--batch-size 1024 \
	--num-samples 1000000

Training your own models

Training a model on a large dataset (100MB+) can take several hours on a GTX 1080.

# download the rockyou training data
# contains 80% of the full rockyou passwords (with repeats)
# that are 10 characters or less
curl -L -o data/train.txt https://github.com/brannondorsey/PassGAN/releases/download/data/rockyou-train.txt

# train for 200000 iterations, saving checkpoints every 5000
# uses the default hyperparameters from the paper
python train.py --output-dir output --training-data data/train.txt

You are encouraged to train using your own password leaks and datasets. Some great places to find those include:

• LinkedIn leak (1.7GB compressed, direct download. Mirror from Hashes.org)
• Exploit.in torrent (10GB+, 800 million accounts. Infamous!)
• Hashes.org: Awesome shared password recovery site. Consider donating if you have the resources 😉

Results

I’ve yet to do an exhaustive analysis of my attempt to reproduce the results from the PassGAN paper. However, using the pretrained rockyou model to generate 10⁸ password samples I was able to match 630,347 (23.97%) unique passwords in the test data, using an 80%/20% train/test split.

In general, I am somewhat surprised (and disappointed) that the authors of PassGAN referenced prior work in the ML password generation domain but did not compare their results to that research. My initial experience with PassGAN leads me to believe that it would significantly underperform both the RNN and Markov-based approaches mentioned in that paper and I hope that it is not for this reason that the authors have chosen not to compare results.

Copyright (c) 2017 Ishaan Gulrajani, (c) 2017 Brannon Dorsey (PassGAN modification and modularization)

Source: https://github.com/brannondorsey/