AI Just Made Guessing Your Password a Whole Lot Easier

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

pwgen -s 16, bitches.

That is all.

Entropy is _everything_ in passwords. Use lots of it.

Not exactly cracking

[mbone]

This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.

Call it Machine Learning

[Xylantiel]

Not AI, since it is actually machine learning. It's really stunning how far the rebranding of machine learning as AI has progressed. Maybe even machine training is more appropriate. AI is just not.

AI can never match my skill.

[140Mandak262Jamuna]

I guessed all, 100%, every last code of ALL ATM Cards. OMG, I am amazing. I will post my guess of mere 10,000 numeric four digit codes used to secure the ATM cards. It will definitely contain your ATM card code. Am I not amazing.

Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all, It did not match it with any account. So, at least in that sense, I beat that thing hollow!

Passwords at least 14 random chars, nums, symbols.

[kauaidiver]

A good estimator: https://www.grc.com/haystack.h...

For example: abc123ABC!1234

Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 14 characters
Exact Search Space Size (Count):
(count of all possible passwords with this alphabet size and up to this password's length) 4,928,630,108,082,482,617,642,017,120
Search Space Size (as a power of 10): 4.93 x 1027
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 15.67 million centuries
Massive Cracking Array Scenario:(Assuming one hundred trillion guesses per second) 15.67 thousand centuries

My ego is now Trumpsize

[Tablizer]

I called it 3 years ago! (Well, okay C2 called it, but I get repost cred. Biggest repost ever, believe me!)

Re:Good reason to not have a Slashdot account.

[Cederic]

registered users here who, in my opinion, routinely post idiotic shit.

Having my posts against my pseudonym makes it easier for people that dislike my idiotic shit to use the Slashdot 'foe' system to auto-mod me out of their sight. I'm fine with that.

Slashdot knowing that my posts are from me means that the site can send me emails when people reply to my posts. That lets me continue a conversation.

There are nothing but drawbacks to having an account here. There are no benefits that I can see.

Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories.

Well, I've highlighted a couple of benefits. I'm with you on the story submissions though, a story either stands on its own or it doesn't. Much the same as an AC comment.

Re:Not Impressed

[Kjella]

It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:

a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
c) Got an absurdly good memory wasted remembering tons of gibberish.
d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.

My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn go one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable none the less. There's just too many passwords to care about all of them.