Reasoning Analytically About Password Cracking Software

Explore a groundbreaking approach to analyzing password-cracking software in this IEEE Symposium on Security & Privacy conference talk. Delve into novel techniques for efficiently reasoning about transformation-based password cracking tools like John the Ripper and Hashcat. Learn about rule inversion and guess counting operations that enable analysis without enumerating guesses, significantly reducing password strength estimation time. Discover four practical applications demonstrating how these methods enhance scientific rigor in optimizing attack configurations, including improved rule ordering and identification of missing elements. Gain insights into the first principled mechanisms for understanding real-world password-guessing attacks, bridging the gap between theoretical models and practical implementations.