Publication Details
Beyond the Dictionary Attack: Enhancing Password Cracking Efficiency through Machine Learning-Induced Mangling Rules
In the realm of digital forensics, password recovery is a critical task, with dictionary attacks remaining one of the oldest yet most effective methods. These attacks systematically test strings from pre-defined wordlists. To increase the attack power, developers of cracking tools have introduced password-mangling rules that apply additional modifications like character swapping, substitution, or capitalization. Despite several attempts to automate rule creation that have been proposed over the years, creating a suitable ruleset is still a significant challenge. The current state-of-the-art research lacks a deeper comparison and evaluation of the individual methods and their implications. In this paper, we introduce RuleForge, an ML-based mangling-rule generator that integrates four clustering techniques, 19 mangling rule commands, and configurable rule-command priorities. Our contributions include advanced optimizations, such as an extended rule command set and improved cluster-representative selection. We conduct extensive experiments on real-world datasets, evaluating clustering methods in terms of time, memory use, and hit ratios. Our approach, applied to the MDBSCAN method, achieves up to an 11.67%pt. higher hit ratio than the best yet-known state-of-the-art solution.
@INPROCEEDINGS{FITPUB13282,
author = "Radek Hranick\'{y} and Lucia \v{S}\'{i}rov\'{a} and Viktor Ruck\'{y}",
title = "Beyond the Dictionary Attack: Enhancing Password Cracking Efficiency through Machine Learning-Induced Mangling Rules",
year = 2025,
language = "english",
url = "https://www.fit.vut.cz/research/publication/13282"
}