Slashdot Mirror


AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org)

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

19 of 136 comments

  1. pwgen -s 16, bitches. by Anonymous Coward · · Score: 5, Informative

    That is all.

    Entropy is _everything_ in passwords. Use lots of it.

    1. Re:pwgen -s 16, bitches. by KozmoStevnNaut · · Score: 2

      NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.

      Of course, it also uses mandatory 2-factor authentication, but still.

      --
      Eat the rich.
    2. Re:pwgen -s 16, bitches. by Carewolf · · Score: 2

      NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.

      Of course, it also uses mandatory 2-factor authentication, but still.

      Well, after people complaining about case-insensitive passwords, they did change. Now they only allow digits.

  2. Not new, John the Ripper does this, just not "AI" by aberglas · · Score: 2

    Maybe this is a bit better than John (or maybe not), but John also employs "Learning Heuristics" but just calls them clever code.

  3. Not exactly cracking by mbone · · Score: 4, Insightful

    This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.

  4. Call it Machine Learning by Xylantiel · · Score: 3, Informative

    Not AI, since it is actually machine learning. It's really stunning how far the rebranding of machine learning as AI has progressed. Maybe even machine training is more appropriate. AI is just not.

    1. Re:Call it Machine Learning by Luthair · · Score: 2

      Sad when this used to be one of the sites with the most technical background. Now we're no better than the tech blogs spamming these submissions.

    2. Re:Call it Machine Learning by lorinc · · Score: 2

      From https://aaai.org/ in the description of next year's conference:

      AAAI-18 welcomes submissions reporting research that advances artificial intelligence, broadly conceived. The conference scope includes all subareas of AI and machine learning.

      Now, if you think you are such an expert in the field to say that the Association for the Advancement of Artificial Intelligence, which was founded in 1979 as an academic association, is wrong about the definition of artificial intelligence, I'd like to hear what contributions to the field you made that can back up the idea. If you did none, then just let the scientists working in the field define what AI means and contains, and accept it.

  5. Not Impressed by pubwvj · · Score: 2

    "figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles."

    That is not all that impressive given that most people use poor passwords.

    It is easy to do good passwords but not common.

    1. Re:Not Impressed by Kjella · · Score: 4, Insightful

      It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:

      a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
      b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
      c) Got an absurdly good memory wasted remembering tons of gibberish.
      d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.

      My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn goes one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable nonetheless. There's just too many passwords to care about all of them.

      --
      Live today, because you never know what tomorrow brings
  6. AI can never match my skill. by 140Mandak262Jamuna · · Score: 4, Insightful

    I guessed all, 100%, every last code of ALL ATM Cards. OMG, I am amazing. I will post my guess of mere 10,000 numeric four digit codes used to secure the ATM cards. It will definitely contain your ATM card code. Am I not amazing.

    Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all. It did not match it with any account. So, at least in that sense, I beat that thing hollow!

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. I don't get how this helps by Maxo-Texas · · Score: 2

    With limited attempts, you can't try that many passwords before the account is blocked.

    What secure sites give you unlimited attempts to sign in?

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  8. Re:Good reason to not have a Slashdot account. by AvitarX · · Score: 2

    The fact that you can identify bad posters and filter them out is reason enough to have an account IMO.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  9. Passwords at least 14 random chars, nums, symbols. by kauaidiver · · Score: 4, Interesting

    A good estimator: https://www.grc.com/haystack.h...

    For example: abc123ABC!1234

    Search Space Depth (Alphabet): 26+26+10+33 = 95
    Search Space Length (Characters): 14 characters
    Exact Search Space Size (Count):
    (count of all possible passwords with this alphabet size and up to this password's length) 4,928,630,108,082,482,617,642,017,120
    Search Space Size (as a power of 10): 4.93 x 10^27
    Time Required to Exhaustively Search this Password's Space:
    Online Attack Scenario: (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
    Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 15.67 million centuries
    Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 15.67 thousand centuries
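
    The "haystack" figures quoted above can be reproduced from first principles: classify which character classes the password uses, sum the alphabet sizes, and count every string of that alphabet up to the password's length. The script below is an added example, not part of the comment or of GRC's page; the three guess rates are the ones named in the quoted output, and the 365-day century is an assumption (GRC's exact rounding is not documented here, so its time figures agree only to within a fraction of a percent).

    ```python
    import string

    # Haystack-style character classes: 26 lower, 26 upper, 10 digits and the
    # 33 printable ASCII symbols (32 punctuation marks plus space).
    CLASSES = (
        ("lower", set(string.ascii_lowercase), 26),
        ("upper", set(string.ascii_uppercase), 26),
        ("digits", set(string.digits), 10),
        ("symbols", set(string.punctuation + " "), 33),
    )

    # Assumption: a century of 100 years of 365 days each.
    SECONDS_PER_CENTURY = 100 * 365 * 24 * 60 * 60

    # Guess rates as named in the quoted haystack output.
    SCENARIOS = {
        "online (1e3/s)": 1_000,
        "offline fast (1e11/s)": 100_000_000_000,
        "massive array (1e14/s)": 100_000_000_000_000,
    }


    def alphabet_size(password):
        """Sum of the sizes of every character class the password draws from."""
        return sum(size for _, chars, size in CLASSES if any(c in chars for c in password))


    def search_space(password):
        """Count of all strings over that alphabet with length 1..len(password)."""
        n = alphabet_size(password)
        return sum(n ** k for k in range(1, len(password) + 1))


    def centuries_to_exhaust(space, guesses_per_second):
        """Centuries needed to try every string in the space at a fixed rate."""
        return space / guesses_per_second / SECONDS_PER_CENTURY


    def haystack(password):
        """Full report for one password; the 'space' value is exact (Python ints)."""
        space = search_space(password)
        # Caveat: this models exhaustive brute force only. A guess-list attack
        # (the PassGAN/hashcat approach in the story) never walks the whole
        # space, so a large haystack says nothing about a guessable password.
        return {
            "alphabet": alphabet_size(password),
            "length": len(password),
            "space": space,
            "centuries": {name: centuries_to_exhaust(space, rate) for name, rate in SCENARIOS.items()},
        }


    if __name__ == "__main__":
        report = haystack("abc123ABC!1234")  # the comment's example password
        print(f"alphabet={report['alphabet']} length={report['length']} space={report['space']:,}")
        for name, centuries in report["centuries"].items():
            print(f"{name}: {centuries:.3e} centuries")
    ```
    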

  10. Re: Good reason to not have a Slashdot account. by ColdWetDog · · Score: 2

    That's nonsense. Slashdot could easily implement a reply notification system that doesn't rely on an explicit, persistent user account here. It's trivial to do using ...

    I take it you forgot about the beta debacle.

    'Slashdot could easily implement' is really just crazy talk.

    --
    Faster! Faster! Faster would be better!
  11. My ego is now Trumpsize by Tablizer · · Score: 3, Interesting

    I called it 3 years ago! (Well, okay C2 called it, but I get repost cred. Biggest repost ever, believe me!)

  12. Re:Good reason to not have a Slashdot account. by AmiMoJo · · Score: 2

    Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.

    Unlike Anonymous Coward, who seems to be suffering from multiple split personalities and politically can best be described as a Nazi communist anarcho-authoritarian ballsack.

    Still, nice to know the Pope and I are somewhat (in)famous.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  13. Re:Good reason to not have a Slashdot account. by Cederic · · Score: 4, Informative

    registered users here who, in my opinion, routinely post idiotic shit.

    Having my posts against my pseudonym makes it easier for people that dislike my idiotic shit to use the Slashdot 'foe' system to auto-mod me out of their sight. I'm fine with that.

    Slashdot knowing that my posts are from me means that the site can send me emails when people reply to my posts. That lets me continue a conversation.

    There are nothing but drawbacks to having an account here. There are no benefits that I can see.

    Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories.

    Well, I've highlighted a couple of benefits. I'm with you on the story submissions though, a story either stands on its own or it doesn't. Much the same as an AC comment.

  14. There has to be a better way by hyades1 · · Score: 2

    How about, after an arbitrary number of attempts, say 10, characters entered into the password window would only be accepted at about the typing speed of an average person. For real people, no discernible difference; for a hacking program, frustration.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.