Óðinn: A Framework for Large-Scale Wordlist Analysis and Structure-Based Password Guessing (Master Thesis, Finished)


Sein Coray


In the last years, multiple websites were breached, compromising personal information of billions of users, often including their passwords. These collected credentials provide insights about used passwords. Analysis tools may provide information about the structure and common patterns of passwords, helping to understand the typical process followed by a human when choosing a password. Current state-of-the-art tools only allow the statistical analysis of the password length or characters used. While there exist approaches to further explore structures of passwords, they usually were not made to work with large-scale lists of passwords and are computationally too expensive.

This thesis introduces Óðinn: a tool exploring additional possibilities of analysis aiming at understanding human structures of passwords. We present an approach to split them into their essential components, and classifying them according to their semantic meaning. Furthermore, we show that these analysis results can be visualized and used to conclude about the quality of a password list, for example, when there are entries which most likely are not real passwords. Additionally, the analysis results can be used to guess new password candidates using observed combinations and patterns. We evaluate these new guessing methods against other state-of-the-art tools, and we find that our approaches create better candidates when benchmarking against difficult-to-guess passwords.



Start / End Dates

2019/03/04 - 2019/09/03


Research Topics