Sudhir Aggarwal
Shiva Houshmand

Abstract

In this short workshop, we cover both the theory and the practice of password cracking. We first briefly survey the basic ideas of how passwords are stored and what it means to crack a password. We then discuss prominent, commonly used open-source password cracking systems such as John the Ripper and Hashcat and explain their model, operation and use. We next focus on a research password cracking system called PCFG, developed in the ECIT Laboratory at Florida State University. This system is based on probabilistic context-free grammars (PCFGs). In the workshop we cover a training module that learns the grammar from revealed password sets, and a cracking module that effectively generates guesses in highest probability order. We give an overview of both the standard patterns that were initially used in PCFG systems and newer patterns, such as keyboard and multiword, that have been incorporated into a recent version of the cracking system.

The course will be very hands-on, with the participants learning both the theory and the implementations related to password cracking and doing exercises on how to use the cracking systems. These exercises will be interspersed with the lectures. As time permits, we will briefly explore other modern cracking approaches such as those based on Markov models.