Slashdot Mirror
AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org)
sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.
Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.
Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.
That is all.
Entropy is _everything_ in passwords. Use lots of it.
Not AI, since it is actually machine learning. It's really stunning how far the rebranding of machine learning as AI has progressed. Maybe even machine training is more appropriate. AI is just not.
registered users here who, in my opinion, routinely post idiotic shit.
Having my posts against my pseudonym makes it easier for people that dislike my idiotic shit to use the Slashdot 'foe' system to auto-mod me out of their sight. I'm fine with that.
Slashdot knowing that my posts are from me means that the site can send me emails when people reply to my posts. That lets me continue a conversation.
There are nothing but drawbacks to having an account here. There are no benefits that I can see.
Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories.
Well, I've highlighted a couple of benefits. I'm with you on the story submissions though, a story either stands on its own or it doesn't. Much the same as an AC comment.