AI Just Made Guessing Your Password a Whole Lot Easier

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Good reason to not have a Slashdot account.

The inherent vulnerability of online accounts is a great reason why we shouldn't have Slashdot accounts. Having an account here, or at any other discussion site where identity is totally irrelevant, is just an unnecessarily risky thing to do.

It's not like having an account somehow magically makes somebody's comments better. Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.

There are nothing but drawbacks to having an account here. There are no benefits that I can see.

Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories. Maybe we'd actually get some good submissions on the front page again.

Not exactly cracking

[mbone]

This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.

AI can never match my skill.

[140Mandak262Jamuna]

I guessed all, 100%, every last code of ALL ATM Cards. OMG, I am amazing. I will post my guess of mere 10,000 numeric four digit codes used to secure the ATM cards. It will definitely contain your ATM card code. Am I not amazing.

Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all, It did not match it with any account. So, at least in that sense, I beat that thing hollow!

Re:Not Impressed

[Kjella]

It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:

a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
c) Got an absurdly good memory wasted remembering tons of gibberish.
d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.

My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn go one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable none the less. There's just too many passwords to care about all of them.