DeepSec 2021 Talk: Releasing The Cracken – A Data Driven Approach for Password Generation – Or Safran & Shmuel Amar

Sanna/ October 21, 2021/ Conference

By now, it should be well known that passwords are like underwear, they should be changed often, the longer the better and it’s better not to leave them lying around.
While the big players advocating for passwordless authentication, passwords are still the most common authentication method. In the wild, we’ve seen thousands of organizations experiencing password spraying and bruteforce attacks on their users. Although MFA should mitigate some of the threats, it’s still not implemented on all protocols and in some cases was bypassed by security flaws in the IDP.

In this talk, we’ll present a new concept for password security – smartlists, built on a new data driven approach that utilizes recent advancements in NLP. Together with this talk, we are proud to release a new FOSS tool that makes these new concepts practical and easy to use by generating 200M+ password candidates per second written in Rust.


Or Safran is an experienced and passionate security researcher working for Proofpoint at the Israel R&D site as a security researcher for cloud applications and enjoys publishing his findings in blogs and technical talks. Prior to Proofpoint, Or worked as a malware researcher and reverse engineer for IBM cybercrime research labs. In his free time, he likes to break stuff while trying to dump their firmware, tinkers with hardware projects and plays online games.



Shmuel Amar is an experienced software architect working for Proofpoint at the Israel R&D site. During his free time, Shmuel likes to crack passwords for fun. Shmuel is part of the BIU NLP research lab completing his MSc.

Share this Post