AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org)

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

136 comments

  1. pwgen -s 16, bitches. by Anonymous Coward · · Score: 5, Informative

    That is all.

    Entropy is _everything_ in passwords. Use lots of it.

    1. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Bingo.

      And just FYI, "correcthorsebatterystapler" has jack shit for entropy, as does anything with words... real or mangled.

    2. Re:pwgen -s 16, bitches. by chuckugly · · Score: 1

      There are actually sites out there that won't eat any password over 12 characters if you can believe that.

    3. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Bingo.

      And just FYI, "correcthorsebatterystapler" has jack shit for entropy, as does anything with words... real or mangled.

      That isn't true at all. The whole point of that xkcd comic is that you can use a combination of words to make a memorable and secure password (as long as the words are chosen in a truly random way). Any diceware password is 12.9 bits of entropy per word even if the dictionary is publicly known [1]. Randall claims that password has 44 bits of entropy which is less than diceware would yield so I'm not sure of his methodology but the general idea that a series of words is more secure and more memorable than a random jumble of characters has some truth to it.

      [1]: One caveat is that some diceware dictionaries contain words with less than 12.9 bits of entropy, such as pairs of numbers (e.g. 21); in a case like that a naive brute force attack could actually outperform one that knows the dictionary in use.

    4. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      There are also websites that use non-case-sensitive passwords.

    5. Re: pwgen -s 16, bitches. by Arnold+Reinhold · · Score: 1

      [1]: One caveat is that some diceware dictionaries contain words with less than 12.9 bits of entropy, such as pairs of numbers (e.g. 21); in a case like that a naive brute force attack could actually outperform one that knows the dictionary in use.

      That's not quite right. The entropy in Diceware, or any other system that selects random words from a list, comes from the number of words in the list, not from the individual words. It is of course possible that a random Diceware passphrase could consist entirely of "words" that were numeric, or single characters or the like, and that passphrase could then be vulnerable to a brute force attack, but the odds of that happening are extremely low and it would be easy to spot and just generate another passphrase. This is not much different from the fact that a password randomly selected from alphanumeric characters could (with very low probability) come out all numeric.

    6. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Entropy is _everything_ in passwords.

      So is Alzheimer's. But it only works on the owner of the account.

    7. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      I've posted my password online before. Nothing came of it.

      Posting AC this time, but was under my account before. It's almost like nobody cared.

    8. Re:pwgen -s 16, bitches. by hattable · · Score: 1

      Even worse, my previous bank maxed passwords out at eight chars. But instead of telling you this when registering or changing passwords, the interface simply made the input field a fixed width at eight em and fixed input length at eight. I only realized this was the case while seriously fat fingering the last few characters and enter, but still logged right in.

      --
      OMG facts!
    9. Re:pwgen -s 16, bitches. by WinstonWolfIT · · Score: 1

      Pointless. 2fa your bank and get on with your life.

    10. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Just not with SMS...

    11. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Generally, most evil people do not care about hacking your shit online, or aren't technically aware/capable.
      But when you do cross them, there is a chance they "take care" of you in real life (see e.g. Seth Rich's robbery-gone-wrong).

    12. Re:pwgen -s 16, bitches. by Buchenskjoll · · Score: 1

      But what if the universe runs out of entropy?

      --
      -- Make America hate again!
    13. Re:pwgen -s 16, bitches. by K.+S.+Kyosuke · · Score: 1

      The original Interbase had fascinating password limitations. Eight characters, case insensitive...

      --
      Ezekiel 23:20
    14. Re:pwgen -s 16, bitches. by KozmoStevnNaut · · Score: 2

      NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.

      Of course, it also uses mandatory 2-factor authentication, but still.

      --
      Eat the rich.
    15. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Maybe the purpose of this is to reduce the probability of people writing down their passwords on the back of their hardware token ? Having easy to remember passwords reduces that probability.

      While writing down passwords may be recommended in some situations (where you need good entropy and have some physical security), the whole purpose of two factor authentication is to use something you have with something you remember (you are).

      You don't take password complexity separately from other security issues - having a good entropy and all is nice but it makes no sense if it forces your user to write it down on a sheet of p

    16. Re:pwgen -s 16, bitches. by GNious · · Score: 1

      Based on news throughout the lifetime of NemID, this seems to be FAR from the worst issue with NemID.

    17. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      and there's some sites that let you use long passwords... BUT when they actually do something with it on the back end, they strip it down to a "more manageable" length.. like 6 or 8 letters, and then work with hashes from that.

    18. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Fraudulent transactions aren't my problem. The bank has to prove I authorized the transaction or they are on the hook for it. My bank has a maximum 6 character password limit (no joke, they think they are clever by using a on-screen keyboard and disallowing keyboard input) and that's not my problem either.

    19. Re:pwgen -s 16, bitches. by Maritz · · Score: 1

      Hey no problem, fresh entropy every day.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    20. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      And why do you use this bank?

    21. Re:pwgen -s 16, bitches. by Ol+Olsoc · · Score: 1

      That is all.

      Entropy is _everything_ in passwords. Use lots of it.

      Oh boy, it's the semi-monthly Slashdot Password thread.

      Make certain you use 5 sets of random numbers, and all special characters, and a minimum length of 1200 characters with a new password generated every 5 minutes. And for gawd's sake, never write it down.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    22. Re:pwgen -s 16, bitches. by Carewolf · · Score: 2

      NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.

      Of course, it also uses mandatory 2-factor authentication, but still.

      Well, after people complaining about case-insensitive passwords, they did change. Now they only allow digits.

    23. Re: pwgen -s 16, bitches. by sound+vision · · Score: 1

      Probably cuts down on the number of support requests which I could see being expensive in a system like this. Most users would not take advantage of case anyway. And you, as a conscious user, can still make a secure password despite the limited character set.

    24. Re: pwgen -s 16, bitches. by sound+vision · · Score: 1

      Who will he switch to, Wells Fargo?

    25. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      There are also banks that only allow digits as a password. And 4-digit PINs at that (my bank does that); luckily you can't perform any transaction using the PIN...

    26. Re:pwgen -s 16, bitches. by KozmoStevnNaut · · Score: 1

      I'm still using an alphanumeric password. The PIN thing is optional AFAIK.

      --
      Eat the rich.
    27. Re:pwgen -s 16, bitches. by snookiex · · Score: 1

      +1 Been there, done that

      --
      Open Source Network Inventory for the masses! Kuwaiba
    28. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      The point Randall was making is that a "word" is a symbol that is easily remembered compared to an "alphanumeric character", and because there are lots of them a 4 symbol password composed of randomly chosen words is stronger than a 4 symbol password composed of randomly selected alphanumeric characters while also being easier for a human to remember. Let alone the terribly predictable passwords people actually choose when presented with guidelines that are meant to make them choose a password composed of random alphanumeric characters.

      The advice is bad, but not because the method described is bad so much as because nobody who needs to hear it will correctly implement the method, so instead of getting 7+ symbol random word passwords you'll get English sentences and similar low entropy implementations.

    29. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Yep, it used DES, not even 3DES.

    30. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      You know the joke: masterke :)

    31. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Just download entropy from the Internet.

    32. Re:pwgen -s 16, bitches. by Carewolf · · Score: 1

      My alphanumeric password stopped working, and when I generated a new password I was not allowed to use letters anymore :D

    33. Re:pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Maybe the purpose of this is to reduce the probability of people writing down their passwords on the back of their hardware token ? Having easy to remember passwords reduces that probability.

      I think you missed the point: case insensitive password systems are a strong indicator that the site stores passwords with reversible encryption, if not just plain text.
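The comments above turn on what a case-insensitive (or silently truncating) login says about how the password is stored. The following is an added example, not Slashdot's, NemID's, or any bank's code: a salted PBKDF2 credential store in which the server-side normalization step is explicit. It shows that case-folding or truncation can be applied before a one-way KDF, and quantifies how many bits of a uniformly random password each of those transforms throws away. The `normalize` step, the record layout and the `ALNUM` charset are constructed for the example.

```python
"""Added example (not Slashdot's, NemID's, or any bank's code): a salted
PBKDF2 credential store whose normalization step makes the site's behaviour
visible. Lowercasing or truncating before hashing keeps storage one-way but
shrinks the search space; the last function quantifies by how much."""
import hashlib
import hmac
import math
import secrets

ALNUM = ("abcdefghijklmnopqrstuvwxyz"
         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
         "0123456789")


def normalize(password: str, *, lowercase: bool, max_len) -> bytes:
    """Server-side transform applied before hashing (constructed to mirror the
    behaviours described in the thread: case-folding, silent truncation)."""
    p = password.lower() if lowercase else password
    if max_len is not None:
        p = p[:max_len]
    return p.encode("utf-8")


def make_record(password: str, *, lowercase=False, max_len=None,
                iterations=600_000) -> dict:
    """Store salt + PBKDF2-HMAC-SHA256 digest; the plaintext is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password, lowercase=lowercase, max_len=max_len),
        salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest,
            "lowercase": lowercase, "max_len": max_len}


def verify(record: dict, candidate: str) -> bool:
    """Recompute under the same normalization, then constant-time compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(candidate, lowercase=record["lowercase"],
                  max_len=record["max_len"]),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def search_space_bits(charset: str, length: int, *, lowercase=False,
                      max_len=None) -> float:
    """Entropy left in a uniformly random password of `length` over `charset`
    after the same normalization the server applies."""
    eff_len = length if max_len is None else min(length, max_len)
    eff_charset = set(charset.lower()) if lowercase else set(charset)
    return eff_len * math.log2(len(eff_charset))


if __name__ == "__main__":
    rec = make_record("correcthorse", lowercase=True)
    print(verify(rec, "CorrectHorse"))            # case-insensitive match
    print(round(search_space_bits(ALNUM, 16), 1))  # 16 random alphanumerics
    print(round(search_space_bits(ALNUM, 16, lowercase=True, max_len=8), 1))
```

Case-folding costs a 16-character alphanumeric password about 12.5 bits (62 symbols become 36); truncating it to 8 characters costs half its entropy. Either transform is a policy decision visible in `normalize`, independent of whether the digest is reversible.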

    34. Re:pwgen -s 16, bitches. by pslytely+psycho · · Score: 1

      God dies.....??

      --
      Donald Trump, on a crusade to make Nixon look respectable
    35. Re: pwgen -s 16, bitches. by Anonymous Coward · · Score: 0

      Most users won't take advantage of case, but some will. Similarly, many don't go beyond ASCII, but some do. And only a few use totally random strings.

      With many techniques used only by a few, many will in fact be using at least one - and security increases.

    36. Re: pwgen -s 16, bitches. by WinstonWolfIT · · Score: 1

      This point is absurd.

  2. Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0, Insightful

    The inherent vulnerability of online accounts is a great reason why we shouldn't have Slashdot accounts. Having an account here, or at any other discussion site where identity is totally irrelevant, is just an unnecessarily risky thing to do.

    It's not like having an account somehow magically makes somebody's comments better. Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.

    There are nothing but drawbacks to having an account here. There are no benefits that I can see.

    Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories. Maybe we'd actually get some good submissions on the front page again.

    1. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 1

      I disagree. Having an account aids in the conversation process. Replying to AC posts means that an AC is unlikely to receive a notice and reply.

      While slashdot accounts can be hacked, nothing of value is lost. As long as the member can prove their identity via other means.

      Signed, testing "Post Anonymously" checkbox.

    2. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      Replying to AC posts means that an AC is unlikely to receive a notice and reply.

      That's nonsense. Slashdot could easily implement a reply notification system that doesn't rely on an explicit, persistent user account here. It's trivial to do using comment IDs stored in a cookie, for example. When an AC posts a comment, a cookie is set with the comment ID. On subsequent page loads the comment IDs are passed along with the request, and if a reply has been made then the AC user is alerted when the requested page is rendered.

      While slashdot accounts can be hacked, nothing of value is lost.

      That's exactly the point. Accounts here or on other discussion forums are without positive value, and if anything are actually a liability because of the risk of them getting hacked. So it's better to not use an account, and it's better not to require an account. It's the message that matters, not who's expressing it.

      As long as the member can prove their identity via other means.

      We could never fully trust these other sources. If somebody's discussion forum account could get hacked, then so could their other accounts, including email accounts, social media accounts, web hosting accounts, and so forth. One hacked account could falsely "verify" the other hacked accounts.

      All in all, online accounts are more of a burden than a benefit.

    3. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      For similar reasons, AC posts are less likely to be moderated up. And with the natural handicap of starting with 0 score and decreased likelihood of positive moderation, AC posts are overall less likely to be read at all when comments are sorted by score. It's almost as if the comment scoring system is biased against anonymity.

    4. Re:Good reason to not have a Slashdot account. by AvitarX · · Score: 2

      The fact that you can identify bad posters and filter them out is reason enough to have an account IMO.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      Slashdot isn't 4chan, don't bring that trash in here.

    6. Re: Good reason to not have a Slashdot account. by ColdWetDog · · Score: 2

      That's nonsense. Slashdot could easily implement a reply notification system that doesn't rely on an explicit, persistent user account here. It's trivial to do using ...

      I take it you forgot about the beta debacle.

      'Slashdot could easily implement' is really just crazy talk.

      --
      Faster! Faster! Faster would be better!
    7. Re:Good reason to not have a Slashdot account. by AmiMoJo · · Score: 2

      Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.

      Unlike Anonymous Coward, who seems to be suffering from multiple split personalities and politically can best be described as a Nazi communist anarcho-authoritarian ballsack.

      Still, nice to know the Pope and I are somewhat (in)famous.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Good reason to not have a Slashdot account. by arobatino · · Score: 1

      An account is only vulnerable if people use weak passwords, or reuse them across multiple sites (some of which are probably storing them in plaintext). People should use a unique randomly generated password for each site, storing them with a password manager (and backing it up), not try to be Rain Man and remember all of them.

      An account can develop a reputation, which helps moderation. And the owner can be anonymous, so not vulnerable to retaliation.

      Having said all that, I can't see any good reason for requiring an account for submitting stories. They can stand or fall on their own merit.

    9. Re:Good reason to not have a Slashdot account. by Cederic · · Score: 4, Informative

      registered users here who, in my opinion, routinely post idiotic shit.

      Having my posts against my pseudonym makes it easier for people that dislike my idiotic shit to use the Slashdot 'foe' system to auto-mod me out of their sight. I'm fine with that.

      Slashdot knowing that my posts are from me means that the site can send me emails when people reply to my posts. That lets me continue a conversation.

      There are nothing but drawbacks to having an account here. There are no benefits that I can see.

      Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories.

      Well, I've highlighted a couple of benefits. I'm with you on the story submissions though, a story either stands on its own or it doesn't. Much the same as an AC comment.

    10. Re:Good reason to not have a Slashdot account. by esperto · · Score: 1

      The risk associated with the discussion forum account comes from people reusing passwords or having a pattern. If you use password managers with random passwords, the risk is almost non-existent, but if you are really paranoid you could just use single-use email accounts.

      There are benefits to having an account here and in other discussion forums, as pointed out in other answers, and the security risk comes from bad habits, not the account themselves.

    11. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      AC wasn't suggesting your slashdot account security is precious. He's saying your banking password being reverse engineered by a fancy markov chain trained on your public post history is the downside, and the upside isn't worth it.

    12. Re: Good reason to not have a Slashdot account. by Monster_user · · Score: 1

      Simple solution. Use throwaway passwords on less important sites, and break your standards to create super secure passwords for sites that are more important.

    13. Re: Good reason to not have a Slashdot account. by Monster_user · · Score: 1

      I generally don't trust password managers. Too much power in one place. Too much of a risk if it got stolen.

      Hence, I use password tiers.

      A weak password for sites where it is potentially stored as plain text.

      A throw-away password for various sites I'm not concerned about losing my account or access to.

      A moderate password for sites where I have easily expire-able data, such as a credit card number.

      And unique and complex passwords designed to not be guessable in any form for accounts which hold sensitive information.

    14. Re:Good reason to not have a Slashdot account. by SternisheFan · · Score: 1

      I had /. email me a temporary password, but when I got to the configuring password page, no matter what I do I cannot create a new password. Constantly tells me 'current password is incorrect', and it's the temporary password /. just emailed me. Any help, eds?

    15. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      AC is right.

      Sometimes it's amusing seeing what autistic screeching pile of shit you'll post up next.

    16. Re:Good reason to not have a Slashdot account. by SternisheFan · · Score: 1

      I need to retract my statement above. Someone from Slashdot has just contacted me via my connected email account and has promised to investigate the matter. We are currently trying to work out this issue. I was told that whatever the reason is for my being unable to create a new password has nothing to do with a comment made by me some years ago about reddit. I may have jumped the gun on this one, and new management at slashdot is very responsive, it seems. Thank you Logan Abbot

    17. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      And unique and complex passwords designed to not be guessable in any form for accounts which hold sensitive information

      [Serious question] How many of these unique and complex passwords do you have? How do you remember them?

    18. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 0

      3 complex passwords, one of them is for the bank.

      I remember them by using them often. And I do not change them every decade, which makes remembering easier.

      Forced passwd changing is the biggest security risk, as it encourages trivial passwords. Changing passwords does not make it harder to break in - if I guess correctly, it doesn't matter that you changed passwords yesterday.

  3. Not new, John the Ripper does this, just not "AI" by aberglas · · Score: 2

    Maybe this is a bit better than John (or maybe not), but John also employs "Learning Heuristics" but just calls them clever code.

  4. Rules are made to be broken by Monster_user · · Score: 1

    Teach a person to create passwords according to certain rules, and then teach a machine learning implementation those same rules, and it's a computer doing what it was designed to do, what it was always going to do. A human just has to teach the computer to think like a human.

    Rules create structure, consistency, something which can be automated.

    A lack of rules lends itself towards laziness.

    So we are the problem, and we must figure out how to outsmart ourselves.

    1. Re:Rules are made to be broken by Anonymous Coward · · Score: 1

      A lack of rules lends itself towards laziness.

      Grandpa?! Is...is that you? Oh! I always knew I'd find you!

    2. Re:Rules are made to be broken by Anonymous Coward · · Score: 0

      The problem is we do it backwards. We tell the user some arcane rules and then the user picks the password.

      We should go the other way around. Tell the computer some rules and let it generate the password. No password lists, either. Give it a good enough set of rules that you can accept the random password.

      It has to be done this way so that you can calculate the equivalent strength of a purely-random binary password and have it generate to whatever length is necessary to get the strength you need. Anything that reduces the password space needs to be either avoided or accounted for; the rules reduce the password-space to hopefully let the password be easier to remember, but can be quantified. Choosing from a list of passwords adds "looks good to a human" to the constraints, reducing the strength in an unquantifiable way to the generating problem (but not necessarily unquantifiable to potential attackers)

      I'm partial to the XKCD method: the rules are simple (randomly pick words from a wordlist of known size) and the passwords are memorable. They're obviously not as "secure" as a password of the same length of purely random characters but you get your password strength back by making the password longer.
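The procedure the comment above describes (declare the rules, let the machine draw uniformly, size the result to a target strength), together with the Diceware points made earlier in the thread (entropy comes from the list size; an all-numeric draw is a rare case to spot and redraw), is worked through below as an added example. It is not code from the paper, from PassGAN, or from any commenter. `DICEWARE_LIST_SIZE` is the standard 7776-entry list size; `SAMPLE_WORDS` is a constructed stand-in list, and the 33-symbol punctuation count in `naive_charset_bits` is an assumption (printable ASCII punctuation).

```python
"""Added example (not code from the paper, PassGAN, or any commenter): size a
password to a target entropy from a declared rule set, and flag the rare
passphrase that a naive character-level brute force would reach sooner than
a wordlist-aware attacker."""
import math
import secrets

# Standard Diceware list size: 6^5 rolls. Only the *size* matters for entropy.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, log2 = 12.92 bits per word

# Constructed stand-in wordlist; a real Diceware list is far larger.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "21", "zone",
                "dracula", "iguana"]

ALNUM = ("abcdefghijklmnopqrstuvwxyz"
         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
         "0123456789")


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one uniformly random pick from `alphabet_size` options."""
    return math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Fewest symbols so that the total entropy reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def random_password(alphabet: str, target_bits: float) -> str:
    """Uniform random string over `alphabet`, long enough for `target_bits`."""
    n = symbols_needed(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def random_passphrase(wordlist, target_bits: float, sep: str = " ") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    n = symbols_needed(len(wordlist), target_bits)
    return sep.join(secrets.choice(wordlist) for _ in range(n))


def wordlist_model_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy faced by an attacker who knows the list: n_words * log2(size)."""
    return n_words * bits_per_symbol(wordlist_size)


def naive_charset_bits(text: str) -> float:
    """Entropy faced by an attacker who ignores the list and brute-forces
    characters over the classes actually present in `text`."""
    alphabet = 0
    if any(c.isdigit() for c in text):
        alphabet += 10
    if any(c.islower() for c in text):
        alphabet += 26
    if any(c.isupper() for c in text):
        alphabet += 26
    if any(not c.isalnum() for c in text):
        alphabet += 33  # assumed: printable ASCII punctuation
    return len(text) * bits_per_symbol(alphabet) if alphabet else 0.0


def effective_bits(passphrase: str, wordlist_size: int, sep: str = " ") -> float:
    """Strength against the cheaper of the two attack models above."""
    words = passphrase.split(sep)
    model = wordlist_model_bits(wordlist_size, len(words))
    naive = naive_charset_bits("".join(words))
    return min(model, naive)


def needs_regeneration(passphrase: str, wordlist_size: int, sep: str = " ") -> bool:
    """True when a draw of only short 'words' (e.g. '21 21 21 21') leaves the
    character-level attack cheaper than the wordlist attack: draw again."""
    words = passphrase.split(sep)
    model = wordlist_model_bits(wordlist_size, len(words))
    return effective_bits(passphrase, wordlist_size, sep) < model


if __name__ == "__main__":
    print(random_password(ALNUM, 64))          # 11 alphanumerics for 64 bits
    print(random_passphrase(SAMPLE_WORDS, 20))  # 7 words from an 8-word list
```

Because the list is public, a four-word Diceware passphrase is worth 4 × 12.92 ≈ 51.7 bits regardless of which words came out; `needs_regeneration` only fires in the rare draw where the concatenated characters are fewer than a character-level search would need, which is the redraw rule the Diceware comment recommends.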

    3. Re:Rules are made to be broken by ColdWetDog · · Score: 1

      The problem is, when you let the website do that, the idiot dev goes "I know, I'll base it off the time stamp - that'll be easy and unique and all"

      I'm looking at YOU Experian.

      --
      Faster! Faster! Faster would be better!
    4. Re:Rules are made to be broken by Anonymous Coward · · Score: 0

      This is pretty much a solved problem. Entropy.

  5. Those are crap passwords by DontBeAMoran · · Score: 1

    Complete words? Please.

    --
    #DeleteFacebook
    1. Re:Those are crap passwords by Anonymous Coward · · Score: 0

      Show me how long a password cracker would crack this passphrase:

      'Needing dumpling over arching'

      or this one:

      'Go singly iguana jungling'

      Or this one with words that I made up, but being literate and able to read phonemes properly, they are easy to remember (for me):

      'Munti tarma janti nell'

      Any good?

  6. Life Choices by Anonymous Coward · · Score: 0

    "coolarse18", really?

    1. Re:Life Choices by Anonymous Coward · · Score: 0

      "coolarse18", really?

      Yes. I have been using it on all my gaming sites.

    2. Re:Life Choices by Cederic · · Score: 1

      As your password, or your name?

  7. True Story by Anonymous Coward · · Score: 0

    Had a friend who never used a password on her laptops. She just got a Toshiba with Win7. This was 2010. I told her it was a good idea to use a password so only she could use it, and she agreed since she said she noticed others were using her computer before.

    I told her to pick a password only she would know. To not tell me. She said okay, and I know I've told this here before, so I'll get to the chase, she picked the first digit of her house. ONE DIGIT PASSWORD! I noticed this, and told her why that's not a good idea. This mindset is normal, I think, as foreign as it is to me.

    1. Re:True Story by AvitarX · · Score: 1

      It's probably enough to stop people from casually using her computer.

      If that was indeed the goal, it seems fine to me.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:True Story by Anonymous Coward · · Score: 0

      You are missing the "mindset" point. She thought it was a good password. And you made my point. Thank you, madam!

    3. Re:True Story by Anonymous Coward · · Score: 0

      Your point was inadequacy.
      His point was sufficiency.
      The difference is applicability. Theoretical threat or the present one.
      In spirit you're right.
      In practice he's right.

      Go fuck yourself with a dildo made of your facebook civility. You should've outgrown that unclever faux stuff by high school.

      Your ill-defined goalposts probably had more to do with "lol dumb" than security anyway.

    4. Re:True Story by Anonymous Coward · · Score: 0

      If her goal is to prevent a random passerby from casually using her computer, pranking her facebook profile, or whatever, then one character is fine.

      If your goal is to prevent the NSA from getting at browser history and bomb plans, then they're just going to pull the drive and look at it on a second computer anyway.

  8. First Post! Yes! by Anonymous Coward · · Score: 0

    At least it would have been if AI didn't guess my password.

  9. Not exactly cracking by mbone · · Score: 4, Insightful

    This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.

    1. Re:Not exactly cracking by Anonymous Coward · · Score: 0

      Yeah. Only a problem, if anybody was ever to use the same password on multiple systems, one of which loses the user name and hash list.

  10. Call it Machine Learning by Xylantiel · · Score: 3, Informative

    Not AI, since it is actually machine learning. It's really stunning how far the rebranding of machine learning as AI has progressed. Maybe even machine training is more appropriate. AI is just not.

    1. Re:Call it Machine Learning by AvitarX · · Score: 1

      Not that shocking.

      Machine learning and artificial intelligence are similar enough linguistically that I could see a translator using one instead of the other (context free).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Call it Machine Learning by Luthair · · Score: 2

      Sad when this used to be one of the sites with the most technical background. Now we're no better than the tech blogs spamming these submissions.

    3. Re:Call it Machine Learning by Anonymous Coward · · Score: 0

      ML (machine learning) is a sub-domain of AI. Please stop using the Hollywood definitions of AI on a tech site. It's really stunning how far the misbranding of ML as not AI has progressed. Well, not really when you realize people just regurgitate things they hear rather than think about them deeply before accepting or rejecting them into their personal set of beliefs.

    4. Re:Call it Machine Learning by Anonymous Coward · · Score: 1

      FYI: You're fighting a lost battle.

      The old term AI (artificial intelligence) includes stuff like NN (neural networks), GA (genetic algorithms) and ML (machine learning). That will never change. Give up. You've lost.

      The new terms are AGI (artificial general intelligence) and ASI (artificial super intelligence).

    5. Re:Call it Machine Learning by lorinc · · Score: 2

      From https://aaai.org/ in the description of next year's conference:

      AAAI-18 welcomes submissions reporting research that advances artificial intelligence, broadly conceived. The conference scope includes all subareas of AI and machine learning.

      Now, if you think you are such an expert in the field to say that the Association for the Advancement of Artificial Intelligence, which was founded in 1979 as an academic association, is wrong about the definition of artificial intelligence, I'd like to hear what contributions to the field you made that can back up the idea. If you did none, then just let the scientists working in the field define what AI means and contains, and accept it.

    6. Re: Call it Machine Learning by Anonymous Coward · · Score: 0

      Are these scientists working in the field of English? Do they work for Webster? No? Then piss off. Maybe we should let the machines define AI, then that sort of self actualization might actually be real artificial intelligence.

    7. Re:Call it Machine Learning by Anonymous Coward · · Score: 0

      So it isn't AI, and it isn't Cracking, so what is this?

      They created a more interesting dictionary. Once you've gone through their entire dictionary you might have access to 27% of accounts.

    8. Re:Call it Machine Learning by hey! · · Score: 1

      Well, to be fair machine learning addresses the most practical near-term applications of AI: replacing human judgment in classification, and extending that to volumes of data humans can't handle.

      It may not be any kind of progress toward building something like Daneel Olivaw, but if that ever happens it probably won't happen because machines that are actually like humans are all that useful. It'll happen because someone wants to know if it's possible.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    9. Re:Call it Machine Learning by andydouble07 · · Score: 1

      This. I was studying various machine learning techniques over a decade ago and everyone involved talked about them as being under the umbrella of AI. Any divergence of terms happened so long ago that it's not worth recognizing anymore.

    10. Re:Call it Machine Learning by Anonymous Coward · · Score: 0

      Not neural networks (NN), but specifically artificial neural networks (ANN).

  11. Not Impressed by pubwvj · · Score: 2

    "figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles."

    That is not all that impressive given that most people use poor passwords.

    It is easy to do good passwords but not common.

    1. Re:Not Impressed by Kjella · · Score: 4, Insightful

      It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:

      a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
      b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
      c) Got an absurdly good memory wasted remembering tons of gibberish.
      d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.

      My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn goes one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable nonetheless. There's just too many passwords to care about all of them.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Not Impressed by Anonymous Coward · · Score: 0

      I live with

      >b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)

      I don't need to access my bank except when I'm banking, and I schedule banking sessions for when I have access to my keys.

      Because I value security and privacy, not having instant access to LinkedIn is not a problem.

    3. Re:Not Impressed by Anonymous Coward · · Score: 0

      There is also a more /. way: self-hosted password manager for better accessibility.

      I use keeweb within the nextcloud. This way I basically need to memorize two strong passwords: one for the nextcloud, the other one for the .kdbx file. The rest of the passwords (and a good deal of user names) are generated. So in an emergency I could access my mail using web browser only (mail is also self-hosted :).

    4. Re:Not Impressed by pubwvj · · Score: 1

      I have about 2,000 passwords that I use. It is a bother but it is the current tech. We'll all get past this soon. Yes, I fall in category (c) above. I also remember names. It makes for a good game.

    5. Re: Not Impressed by Anonymous Coward · · Score: 0

      Also not impressed - they guessed a bunch of passwords but did not match them to accounts. Trying 43 million passwords for each account takes too long.

      Instead, create a passwd harvesting service, i.e. gaming/shopping sites that log all the passwords. Many will use the same as everywhere else.

  12. I'm gonna have to call bullshit on this by Snotnose · · Score: 1

    First, if your password is someone's birthday/anniversary/death day/pet name/kid name, a hacker targeting you has already tried it. Second, if you simply either A) think of a phrase and use every first letter for a password (my method); or b) think of 3-4 words and string them together (Randall Monroe's method), you ain't gonna get hacked via password guessing. Period.

    Um, assuming the website you're using has basic security protocols in place, which Equifax has just shown ain't the case.

    1. Re:I'm gonna have to call bullshit on this by Maxo-Texas · · Score: 1

      Use words mixed with standard but arbitrary punctuation and numbers.

      For example
      The quick brown fox jumped over the lazy dog.

      Tqbfjotld - probably not secure.

      T?qbfjotl9D - fairly secure now. Easy to type too.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    2. Re:I'm gonna have to call bullshit on this by Anonymous Coward · · Score: 1

      Only the more common (i.e. google's datapiles, book texts) phrases will be vulnerable. The pool of phrases is exponentially larger than the current dictionary fashion.

      Adding a single dimension of modification to dictionary fashion only bought us some time, and TFS says it's up.

      Adding a single dimension of modification to phrases will, by virtue of the larger base, be highly resilient. Even without modification, rrrybgdts is fairly strong in 2017's conditions. With mods (e.g. your example)

      However, GP's Monroe reference is an outdated joke. The comic is effectively a four-letter password. Unmodified, it's very low entropy. Praising resilience against a method no one uses is disingenuous. Small bruteforces are a lolwhynot sweep, no one bothers hiring botnets to crunch past 5~6 characters unless it's a targeted effort. A twenty-character password is like spending your entire country's defense budget on gasmasks.

      Phrases are the way to go. Good luck using a year-old cracking tool that was built on a year-old database using a, at the time, year-old google scrape. It will be aware of Rick Astley's "nggyunglyd" and other stale pop culture.

      rrrybnggyu is said nursery rhyme plus said rickroll. Take advantage of how human cognition works. A phrase (a concept) weighs one "recollection" of effort yet includes high entropy. You don't even remember the actual password, if you want to write it down you have to re-derive it from the much-easier mental concept.

      Note your example mod (several in there) becomes powerful, yes, but that dogpile costs much more complexity. It weighs more. It's an overengineered scaffold, wasting metal. Increased complexity tax means encouraging re-use, multi-location use, encouraging storage (write-down) somewhere, discouraging password cycle-out, increasing need to provide Forgot Password functionality (whether system bake-in, human IT, etc)

    3. Re:I'm gonna have to call bullshit on this by Maxo-Texas · · Score: 1

      My particular method (which I did not fully reveal) produces unique derivable passwords per site so writedown is not an issue.

      It does develop a problem over a period of several years. I.e. I have some sites that change passwords frequently and that eventually drives me to change my base pattern. No problem at first but after several base phrase changes, now it becomes a question of which base phrase was in use when I return to a site I don't even recall visiting and it knows me and requests a password. I can try a couple likely candidates and reset to the current base pattern. After that it's password reset territory.

      Purchasing a new phone also seems to set off a password storm.

      I do not like using services or apps which store passwords. They just seem to be begging on my knees to be compromised when those sites are inevitably compromised.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    4. Re:I'm gonna have to call bullshit on this by Anonymous Coward · · Score: 0

      Any string you can reproduce in your head is entirely predictable. Most people don't have access to a true RNG, but at least use a password manager and let its pseudo RNG come up with a 16 to 24 character password for you. There is no excuse for using wetware for security in this day and age, and frankly it should be a firing offense.

  13. Sigh by Anonymous Coward · · Score: 0

    AI has definitely become the new buzzword to ignore. I love how it is stated with certainty when it isn't necessarily the case. Tech journalism is really in a state these days.

    1. Re: Sigh by Anonymous Coward · · Score: 0

      Rust didn't even get a fair amount of time as the most-hyped buzzword. Ruby on Rails, NoSQL and Node.js got a couple of years each. But Rust? It only got about a year, and now AI and blockchain have overtaken it already.

  14. So people reuse passwords by Anonymous Coward · · Score: 0

    So a program matches names from a gaming site and LinkedIn to see if the same password is used. A simple program could do this.

    Starting to think AI is worthless from all these simplistic things people make it do.

  15. Where did they get the passwords? by Anonymous Coward · · Score: 0

    How nice that LinkedIn is handing out large lists of hashed/encrypted passwords so other people can convert them into large lists of plain-text passwords. I feel so secure now.

  16. AI can never match my skill. by 140Mandak262Jamuna · · Score: 4, Insightful

    I guessed all, 100%, every last code of ALL ATM Cards. OMG, I am amazing. I will post my guess of a mere 10,000 numeric four digit codes used to secure the ATM cards. It will definitely contain your ATM card code. Am I not amazing?

    Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all. It did not match it with any account. So, at least in that sense, I beat that thing hollow!

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:AI can never match my skill. by freeze128 · · Score: 1

      That's why my ATM PIN has 5 digits.

    2. Re:AI can never match my skill. by 140Mandak262Jamuna · · Score: 1

      Is that so? Take my guess of just 100,000 code set. Gotcha!

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  17. I don't get how this helps by Maxo-Texas · · Score: 2

    With limited attempts, you can't try that many passwords before the account is blocked.

    What secure sites give you unlimited attempts to sign in?

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    1. Re:I don't get how this helps by Anonymous Coward · · Score: 0

      More than you'd like.

    2. Re:I don't get how this helps by AvitarX · · Score: 1

      Isn't that how the fappening happened?

      Apple didn't have attempt restrictions on its API access?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:I don't get how this helps by Anonymous Coward · · Score: 0

      One of the usual disaster scenarios involves the theft of the whole password file from a compromised server. At that point you can spend as much time as you want guessing the passwords at your leisure.

  18. Moore's Law and compute clusters by Anonymous Coward · · Score: 0

    made password cracking trivial.

    If password cracking can be done offline, fuggedabutit. The only defense is to limit the number of consecutive failed attempts before a lockout. Or use two-factor or some other means of authentication.

  19. I see your AI... by Anonymous Coward · · Score: 0

    ... and raise you a random number generator. Picking passwords by hand is so 1990!

  20. Passwords at least 14 random chars, nums, symbols. by kauaidiver · · Score: 4, Interesting

    A good estimator: https://www.grc.com/haystack.h...

    For example: abc123ABC!1234

    Search Space Depth (Alphabet): 26+26+10+33 = 95
    Search Space Length (Characters): 14 characters
    Exact Search Space Size (Count):
    (count of all possible passwords with this alphabet size and up to this password's length) 4,928,630,108,082,482,617,642,017,120
    Search Space Size (as a power of 10): 4.93 x 10^27
    Time Required to Exhaustively Search this Password's Space:
    Online Attack Scenario: (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
    Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 15.67 million centuries
    Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 15.67 thousand centuries

  21. Trivial to defend against! by blind+biker · · Score: 1

    4 attempts: get a timeout of 1 hour. After 7 failed attempts get a timeout of 1 day. After 9 failed attempts get a timeout of 1 year.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:Trivial to defend against! by Anonymous Coward · · Score: 0

      Hackers: "Great. Now we can DoS you for a year by guessing your password 9 times from 9 different computers! X^D"

      You: "No, I meant from one computer."

      Hackers: "Even better! Now we can just try 10 million different passwords from 10 million different unique IP addresses."

      You: "*sigh* I guess I'll leave security to the experts."

  22. Idiot submitter by Anonymous Coward · · Score: 0

    Okay Einstein, so with a targeted attack you can compromise 1 account an hour. How in the f*ck can you even begin to conflate that with an attack that compromised the privacy of 143 million people? Go be bad at maths somewhere else, idiot.

  23. My ego is now Trumpsize by Tablizer · · Score: 3, Interesting

    I called it 3 years ago! (Well, okay C2 called it, but I get repost cred. Biggest repost ever, believe me!)

  24. Re:Passwords at least 16 random chars, nums by Anonymous Coward · · Score: 1

    I've been using 16-digit random alphanumeric passwords for about a decade now. I use a script that dds from /dev/urandom, calls base64, strips out the two non-alphanumeric values, and then truncates to 16 digits. It works everywhere except backwater websites that limit you to 8 characters or 4-digit pins.

    log2(95^14) = 14 * log2(95) = 91.98 bits of entropy for 14-digit alphanumeric+symbols
    log2(62^16) = 16 * log2(62) = 95.27 bits of entropy for 16-digit alphanumeric-only
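The search-space count quoted from GRC in comment 20 and the entropy figures in this comment, worked through as an added example (not code from either poster), together with the /dev/urandom recipe this comment describes. It assumes GRC's count is the number of passwords of length 1 through 14 over a 95-symbol alphabet (the 33 symbols being punctuation plus space), and emulates the dd | base64 | strip | truncate pipeline in Python; the exhaustive-search times only bound brute force, not the kind of dictionary-style guessing the article is about.

```python
"""Added example: haystack count, entropy bits and a urandom-based
alphanumeric password generator matching the thread's descriptions."""
import base64
import math
import os
import string

ALNUM = string.ascii_letters + string.digits        # 62 symbols
SYMBOLS = string.punctuation + " "                  # 33 symbols, as GRC counts them
ALNUM_SYMBOLS = ALNUM + SYMBOLS                     # 26 + 26 + 10 + 33 = 95

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600      # assumption: Julian years


def haystack_size(alphabet_size: int, max_len: int) -> int:
    """Exact count of all passwords of length 1..max_len over the alphabet
    (GRC's 'Exact Search Space Size'), computed with Python big integers."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2(A**L): entropy of a uniformly random L-character password."""
    return length * math.log2(alphabet_size)


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every password in `space` at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def urandom_alnum_password(length: int = 16) -> str:
    """Emulates `dd if=/dev/urandom | base64 | tr -d '+/=' | cut -c1-16`.
    Base64 output is uniform over 64 symbols; dropping '+' and '/' (and the
    '=' padding) leaves a uniform choice over the 62 alphanumerics, so the
    rejection introduces no bias."""
    out = ""
    while len(out) < length:
        chunk = base64.b64encode(os.urandom(48)).decode("ascii")
        out += "".join(c for c in chunk if c in ALNUM)
    return out[:length]


if __name__ == "__main__":
    space = haystack_size(len(ALNUM_SYMBOLS), 14)
    print(f"haystack(95, 14) = {space:,}")
    for label, rate in (("online 1e3/s", 1e3),
                        ("offline 1e11/s", 1e11),
                        ("array 1e14/s", 1e14)):
        print(f"  {label}: {centuries_to_exhaust(space, rate):.3g} centuries")
    print(f"log2(95^14) = {entropy_bits(95, 14):.2f} bits")
    print(f"log2(62^16) = {entropy_bits(62, 16):.2f} bits")
    print("sample 16-char password:", urandom_alnum_password())
```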

  25. News for Nerds readers make up the whole quarter? by Anonymous Coward · · Score: 0

    Slashdot has fallen so low that its readers (nerds) make up the 25% of those with passwords easily guessed! SAD! Slashdot readers used to have at least a modicum of tech sense.

  26. no more biometrics then by Anonymous Coward · · Score: 0

    Biometrics (Touch ID, Face ID) reduce the body parts to numerical patterns/long passwords.

    As these AI systems are guessing the passwords from the hashes that means the biometrics are just as crackable.

    Ergo - Face ID and Touch ID fail - worse because you can't scramble your biometric when your "password" is cracked.

  27. Somewhere out there... by Yaztromo · · Score: 1

    Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

    You know, somewhere out there a /.er is frantically trying to change their password now that /. has posted it on the front page.

    Yaz

  28. I always use poor passwords by FeelGood314 · · Score: 1

    For sites I don't care about. Most people have 3 good passwords, 1 for email, 1 for banking and one they reuse everywhere. Most people use shit passwords for work because the work password rules encourage poor passwords. Sites that actually care about security will use a single sign on service like gmail or facebook.

  29. Barn-door fallacy by Anonymous Coward · · Score: 0

    ... counted how many of these new passwords matched a set ...

    1. Shoot at barn door
    2. Proclaim "Bulls-eye!"

    Passwords aren't as random as people think, which is a flaw of that context-making machine: the human brain. It's also why dictionary attacks are useful. If a dictionary attack actually works against a provider, they've got bigger problems than letting you use "coolarse18" as a password.

  30. There has to be a better way by hyades1 · · Score: 2

    How about, after an arbitrary number of attempts, say 10, characters entered into the password window would only be accepted at about the typing speed of an average person. For real people, no discernible difference; for a hacking program, frustration.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:There has to be a better way by Anonymous Coward · · Score: 0

      Or, allow say 30 attempts or attempts for an elapsed time of say 1 min, but after 3 - 5 attempts, return fail for any attempt (or even most attempts). Reduces effectiveness of repeating robots but doesn't really annoy humans.

    2. Re:There has to be a better way by Brandydy · · Score: 1

      You should visit this page https://essayclick.net/ to find lots of cool articles and topics on related articles

    3. Re:There has to be a better way by hyades1 · · Score: 1

      Yeah, that would work.

      I've always wondered why any site that feels it necessary to protect your access by demanding a password would allow a program clearly designed for gaining unauthorized access to blast billions of possible passwords at it until one worked.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    4. Re:There has to be a better way by xfade551 · · Score: 1

      How about just an exponential cooldown timer that increases after every failed attempt, that ignores input during the cooldown period. Start the timer after the first failed attempt at 0.5 seconds, then 1, 2, 4, 8... An automated attack might even guess it right during the cooldown period, but getting a negative result, would discard the correct password.
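The doubling cooldown proposed above, as an added example that is not xfade551's code: after each failure the account ignores input for 0.5 s, 1 s, 2 s, 4 s and so on, and any attempt inside the window is rejected without being checked, so a guesser that sends the right password during the cooldown sees a failure and discards it. Assumed details: the doubling is capped at one hour, the counter resets on a successful login, and time is passed in so the logic can be exercised without sleeping; because the state is keyed per account, it inherits the denial-of-service concern raised against lockouts in comment 21's thread.

```python
"""Added example: per-account exponential cooldown that ignores input
(including correct passwords) while the cooldown is running."""
from dataclasses import dataclass, field
from typing import Callable, Dict

BASE_COOLDOWN = 0.5      # seconds after the first failed attempt
MAX_COOLDOWN = 3600.0    # assumption: cap the doubling at one hour


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success
    locked_until: float = 0.0  # attempts before this instant are ignored


@dataclass
class CooldownGate:
    verify: Callable[[str, str], bool]           # verify(user, password)
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'cooldown' for one login attempt at time `now`."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            # Not verified at all: a correct guess here looks like a failure.
            return "cooldown"
        if self.verify(user, password):
            self.accounts[user] = AccountState()  # success clears the counter
            return "ok"
        st.failures += 1
        delay = min(BASE_COOLDOWN * 2 ** (st.failures - 1), MAX_COOLDOWN)
        st.locked_until = now + delay
        return "fail"


if __name__ == "__main__":
    # Constructed demo: a guesser fires ten tries per second at one account,
    # with the real password as its fourth guess.
    gate = CooldownGate(verify=lambda u, p: p == "correct horse")
    guesses = ["123456", "password", "qwerty", "correct horse", "letmein"]
    for i, guess in enumerate(guesses):
        print(f"t={i * 0.1:.1f}s {guess!r:16} -> {gate.attempt('alice', guess, i * 0.1)}")
```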

    5. Re:There has to be a better way by Anonymous Coward · · Score: 0

      That's an easy one. It's not about your security, it's about identifying and tracking your use.

    6. Re:There has to be a better way by hyades1 · · Score: 1

      That also sounds like an excellent idea. What really, really annoys me is that average people can come up with these in a minute or two. If they wouldn't work right out of the box, they could certainly be adapted by experts quickly enough.

      If I'm going to sign into a password-protected site, I'll either have my password or admit fairly quickly I've forgotten it, and have the site initiate whatever reset procedure is appropriate. Under no circumstances will I need a couple of billion tries to access whatever it is the site holds for me.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  31. Clickbait by GLMDesigns · · Score: 1

    Wow. It guessed linkedin passwords.

    I hope that most people have an algorithm to remember their passwords and use a simple one for non-essential sites such as LinkedIn.

    There is zero chance that an AI can guess my bank or email passwords. A little thing called entropy comes into play that AI doesn't help in breaking.

    *cough* *cough* clickbait.

    --
    If you're scared of your govt then you need to further restrict its powers
    Vote 3rd Party in 2016 and beyond
    1. Re:Clickbait by ebvwfbw · · Score: 1

      Sounds like they're using the old LinkedIn pw hash released a few years ago. That was lame. I typed in just words and I was getting hits. Like company names, government agencies... Caps, no caps... It was surprising how people didn't seem to care about their accounts. Easy to hijack and put whatever. Imagine hijacking one and put in the profile - porn star. 1990-1995 - erotic studios, CA. Man oh man, could you imagine the fun you could have with the job description? I wouldn't want to put that here because I know there could be children reading this. Imagine the slang that could be used... did a 3-1 service.

  32. But does it work? by Anonymous Coward · · Score: 0

    It guessed passwords used by random accounts. Great. But how would one use this to target an individual, or even a large # of accounts?

    I'm just asking for a friend. And posting to undo mis-moderation.

  33. shit result by Anonymous Coward · · Score: 0

    If applying neural networks only got you a 4% improvement over what was available before, you've done a shitty job.

  34. oops by p0larity · · Score: 1

    Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

    Dammit! Now I have to change my password. Thanks PassGAN!