|A new tool in deep learning renders passwords less secure.|
Topics: Artificial Intelligence, Commentary, Computer Science
"Locks are made for honest people." Robert H. Goodwin, June 19 (Juneteenth), 1925 - August 26, 1999 (Pop)
Last week, the credit reporting agency Equifax announced that malicious hackers had leaked the personal information of 143 million people in their system. That’s reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you’re probably toast in less than an hour. Now, there’s more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may also be used to beat baddies at their own game.
The work could help average users and companies measure the strength of passwords, says Thomas Ristenpart, a computer scientist who studies computer security at Cornell Tech in New York City but was not involved with the study. “The new technique could also potentially be used to generate decoy passwords to help detect breaches.”
The strongest password guessing programs, John the Ripper and hashCat, use several techniques. One is simple brute force, in which they randomly try lots of combinations of characters until they get the right one. But other approaches involve extrapolating from previously leaked passwords and probability methods to guess each character in a password based on what came before. On some sites, these programs have guessed more than 90% of passwords. But they’ve required many years of manual coding to build up their plans of attack.
The new study aimed to speed this up by applying deep learning, a brain-inspired approach at the cutting edge of AI. Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A “generator” attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a “discriminator” tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter.
Giuseppe Ateniese, a computer scientist at Stevens and paper co-author, compares the generator and discriminator to a police sketch artist and eye witness, respectively; the sketch artist is trying to produce something that can pass as an accurate portrait of the criminal. GANs have been used to make realistic images, but have not been applied much to text.
The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they’d be at cracking them.
Artificial intelligence just made guessing your password a whole lot easier
Matthew Hutson, Science Magazine, AAAS