Comparison of Automated Password Guessing Strategies

Abstract: This thesis examines some of the currently available programs for password guessing, in terms of designs and strengths. The programs Hashcat, OMEN, PassGAN, PCFG and PRINCE were tested for effectiveness, in a series of experiments similar to real-world attack scenarios. Those programs, as well as the program TarGuess, also had their design examined, in terms of the extent of how they use different important parameters. It was determined that most of the programs use different models to deal with password lists, in order to learn how new, similar, passwords should be generated. Hashcat, PCFG and PRINCE were found to be the most effective programs in the experiments, in terms of number of correct password guessed each second. Finally, a program for automated password guessing based on the results was built and implemented in the cyber range at the Swedish defence research agency.