
PassGAN: making password guessing a lot easier with AI and machine learning

Sources: Cornell University Library, Science Mag, and Threat post

 

Quote

[image: password_reuse.png]

 

Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may also be used to beat baddies at their own game. The work could help average users and companies measure the strength of passwords, says Thomas Ristenpart, a computer scientist who studies computer security at Cornell Tech in New York City but was not involved with the study. “The new technique could also potentially be used to generate decoy passwords to help detect breaches.”

 

The strongest password guessing programs, John the Ripper and hashCat, use several techniques. One is simple brute force, in which they randomly try lots of combinations of characters until they get the right one. But other approaches involve extrapolating from previously leaked passwords and probability methods to guess each character in a password based on what came before. On some sites, these programs have guessed more than 90% of passwords. But they’ve required many years of manual coding to build up their plans of attack.

 

The new study aimed to speed this up by applying deep learning, a brain-inspired approach at the cutting edge of AI. Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A “generator” attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a “discriminator” tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. Giuseppe Ateniese, a computer scientist at Stevens and paper co-author, compares the generator and discriminator to a police sketch artist and eye witness, respectively; the sketch artist is trying to produce something that can pass as an accurate portrait of the criminal. GANs have been used to make realistic images, but have not been applied much to text.

 

The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they’d be at cracking them.

 

On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Using GANs to help guess passwords is “novel,” says Martin Arjovsky, a computer scientist who studies the technology at New York University in New York City. The paper “confirms that there are clear, important problems where applying simple machine learning solutions can bring a crucial advantage,” he says.

The article, however, didn't mention password managers, so I guess it's safe to use a reliable password manager with two-factor authentication. I have a feeling that as AI, machine learning and neural engines become more powerful, we might see much more serious cyber attacks. At the moment, it predicts which passwords are the easiest to guess, to give companies a chance to change their weak passwords into more secure ones. But as far as I'm concerned, most websites don't read passwords as plain text like "I<3myhotboss"; websites read them hashed, like this one: "eed4b508e6f5acda3178c880bc490546", and I think there's already an online database containing hashed passwords that are used by hackers to brute force.

 

But then, I can see this being used by legit password managers: they'll notify the user if the password they're using is easy to guess or has been used somewhere else, so that the user can change to a more secure password. So I'm all for this and I hope this will be implemented in current password managers.

Edited by hey_yo_

There is more that meets the eye
I see the soul that is inside
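The quoted article describes the paper's evaluation in one sentence: train a guesser on one leak (RockYou), have it emit candidates, hash each candidate and count how many digests appear in a second leak (LinkedIn). The script below is an added example written for this thread, not the PassGAN authors' code or hashcat. It uses constructed eight-word "training" and ten-word "target" lists, a hashcat-style rule mangler, and a character-level n-gram sampler standing in for a learned generator; it assumes the target dump is unsalted SHA-1 so a guess is checked with a single hash and set lookup. Function names, sample words and the hash choice are all assumptions made for the example.

```python
"""Coverage test for password guessers, in the style of the PassGAN paper:
train on one leak, generate candidates, count hits in a second leak."""
import hashlib
import random
from collections import defaultdict

# Constructed sample data standing in for the RockYou (training) and
# LinkedIn (target) lists; real leaks have millions of entries.
TRAINING_LEAK = ["password", "iloveyou", "princess", "sunshine",
                 "monkey", "dragon", "football", "letmein"]
TARGET_PLAINTEXT = ["Password1", "dragon", "sunshine123", "p@$$w0rd",
                    "Tr0ub4dor&3", "correcthorsebatterystaple", "monkey!",
                    "xK9#vL2$pQ", "iloveyou", "Football2015"]


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


# Assumption for the example: the target leak is stored as unsalted SHA-1,
# so a guess is checked by hashing it and looking the digest up in the dump.
TARGET_HASHES = {sha1_hex(p) for p in TARGET_PLAINTEXT}

SUFFIXES = ["1", "123", "!"]
LEET = str.maketrans("aeios", "@310$")


def rule_candidates(training):
    """hashcat-style mangling: each leaked word plus capitalisation,
    a few common suffixes and a leet substitution."""
    out = set()
    for word in training:
        for base in (word, word.capitalize()):
            out.add(base)
            out.add(base.translate(LEET))
            for suffix in SUFFIXES:
                out.add(base + suffix)
    return out


def train_markov(words, order=2):
    """Character-level n-gram model: counts of the next char given the
    previous `order` chars. '^' pads the start, '$' marks the end."""
    model = defaultdict(lambda: defaultdict(int))
    for w in words:
        padded = "^" * order + w + "$"
        for i in range(order, len(padded)):
            model[padded[i - order:i]][padded[i]] += 1
    return model


def markov_candidates(training, n, seed=1, order=2, max_len=16):
    """Sample n strings from the n-gram model: a cheap stand-in for a
    learned generator such as PassGAN (not the paper's code)."""
    model = train_markov(training, order)
    rng = random.Random(seed)
    out = set()
    for _ in range(n):
        ctx, chars = "^" * order, []
        while len(chars) < max_len:
            counts = model[ctx]          # never empty: ctx came from training
            symbols = list(counts)
            nxt = rng.choices(symbols, weights=[counts[s] for s in symbols])[0]
            if nxt == "$":
                break
            chars.append(nxt)
            ctx = (ctx + nxt)[-order:]
        out.add("".join(chars))
    return out


def matched(candidates, target_hashes):
    """Hash every candidate and return the target digests it recovers."""
    return {sha1_hex(c) for c in candidates} & target_hashes


def coverage(candidates, target_hashes):
    """Fraction of the target leak recovered by the candidate list."""
    return len(matched(candidates, target_hashes)) / len(target_hashes)


if __name__ == "__main__":
    rules = rule_candidates(TRAINING_LEAK)
    gan_like = markov_candidates(TRAINING_LEAK, 2000)
    print(f"rules:    {coverage(rules, TARGET_HASHES):.0%}")
    print(f"markov:   {coverage(gan_like, TARGET_HASHES):.0%}")
    print(f"combined: {coverage(rules | gan_like, TARGET_HASHES):.0%}")
```

The rule set alone recovers six of the ten constructed targets (the capitalised, suffixed and leet variants of training words); the long passphrase, the random string and the suffix it doesn't know stay unguessed. Unioning the two candidate sets can only raise the coverage, which is the shape of the paper's 12% / 23% / 27% result, and the sampler's misses ("passhine"-style blends of training words) look as plausible as the article says PassGAN's do.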


I sort of like it as long as this technology doesn't get into the wrong hands......

Tech enthusiast and CS Student


Hmmm, just applying a neural net to everything doesn't make it the best solution.

Also, if the users use enough "randomness" in their passwords, every combination has the same probability and no algorithm can be better than brute force.

 

It only tells me that about a quarter of the people use too trivial passwords.

Mineral oil and 40 kg aluminium heat sinks are a perfect combination: 73 cores and a Titan X, Twenty Thousand Leagues Under the Oil
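The point in the post above (with enough randomness, no guessing order beats any other) can be made precise with Massey's guesswork: the expected number of guesses when candidates are tried in order. The script below is an added example written for this thread, not Stefan1024's words or anything from the PassGAN paper. It uses a constructed ten-entry frequency table standing in for a leak and compares the guesses an optimal (most-likely-first) attacker needs against that skewed distribution with what it needs against a uniform distribution over the same ten values; the table, function names and the 94-character printable alphabet are assumptions made for the example.

```python
"""Why uniformly random passwords defeat any guesser: expected guesses
(Massey's guesswork) for a skewed human-chosen distribution versus a
uniform one over the same candidate set."""
from fractions import Fraction
import random

# Constructed frequency table standing in for a leaked password list
# (counts sum to 100, so each count is directly a percentage).
LEAK_COUNTS = {
    "123456": 40, "password": 20, "qwerty": 12, "iloveyou": 8, "dragon": 6,
    "monkey": 5, "letmein": 4, "football": 3, "sunshine": 1, "princess": 1,
}


def empirical_distribution(counts):
    """Probability of each password as observed in the leak."""
    total = sum(counts.values())
    return {pw: Fraction(c, total) for pw, c in counts.items()}


def uniform_distribution(values):
    """Same candidate set, but every value equally likely."""
    n = len(values)
    return {v: Fraction(1, n) for v in values}


def expected_guesses(dist, order):
    """Expected number of guesses when candidates are tried in `order`
    (each tried once; `order` must list every candidate in `dist`)."""
    return sum(i * dist[v] for i, v in enumerate(order, start=1))


def optimal_order(dist):
    """Best any guesser can do: most likely candidate first."""
    return sorted(dist, key=lambda v: (-dist[v], v))


def guesswork(dist):
    """Expected guesses for the optimal order, i.e. Massey's guesswork."""
    return expected_guesses(dist, optimal_order(dist))


def uniform_keyspace_guesswork(alphabet_size, length):
    """A password chosen uniformly from k**length possibilities needs
    (N + 1) / 2 guesses on average whatever order the attacker uses."""
    return Fraction(alphabet_size ** length + 1, 2)


if __name__ == "__main__":
    human = empirical_distribution(LEAK_COUNTS)
    unif = uniform_distribution(list(LEAK_COUNTS))
    shuffled = list(LEAK_COUNTS)
    random.Random(0).shuffle(shuffled)
    print("human-chosen, optimal order :", float(guesswork(human)))
    print("human-chosen, shuffled order:", float(expected_guesses(human, shuffled)))
    print("uniform,      optimal order :", float(guesswork(unif)))
    print("uniform,      shuffled order:", float(expected_guesses(unif, shuffled)))
    print("random 10 printable chars   : %.3g"
          % float(uniform_keyspace_guesswork(94, 10)))
```

Against the skewed table the optimal attacker needs 2.79 guesses on average and any other order does worse, so learning the distribution (which is all PassGAN or a hashcat rule set does) pays. Against the uniform distribution every order costs the same 5.5 guesses, and for a uniformly random 10-character password over 94 printable characters that figure is (94^10 + 1) / 2, which is brute force and nothing better.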


13 minutes ago, CmzPlusHardware said:

I sort of like it as long as this technology doesn't get into the wrong hands......

Just like anything else, it's just a tool, like a knife. You can use a knife to slice a medium-rare steak or stab someone; the same goes for this. I just hope password managers use a similar machine learning API too.


1 minute ago, Stefan1024 said:

Also if the users use enought "randomness" in theier passwords, every combination has the same probability and no algorithm can be better than brute force.

Unless the password is stolen in plain text, which happens when people use public wifi, which makes them susceptible to SSL stripping; the password is later hashed and dumped in a database. So I see the value of PassGAN.


It's nearing time for everything to have multi-factor authentication.

- ASUS X99 Deluxe - i7 5820k - Nvidia GTX 1080ti SLi - 4x4GB EVGA SSC 2800mhz DDR4 - Samsung SM951 500 - 2x Samsung 850 EVO 512 -

- EK Supremacy EVO CPU Block - EK FC 1080 GPU Blocks - EK XRES 100 DDC - EK Coolstream XE 360 - EK Coolstream XE 240 -

