Following the Equifax hack (143 million accounts breached), cautious readers will already have changed their passwords (again). However, the latest research from Stevens Institute of Technology in the USA means that regardless of how fiendish your passwords are, you may want to go for something even more complex and difficult to guess.
Researchers gave two Artificial Intelligences, linked together in a Generative Adversarial Network (GAN), access to the powerful password-cracking tools hashcat and John the Ripper.
In a GAN, one AI acts as a ‘generator’ which attempts to produce artificial outputs that resemble real examples. The other AI becomes the ‘discriminator’ and attempts to distinguish real from fake. The two AIs refine each other until the generator becomes a skilled counterfeiter.
AI Password Cracker
The Stevens research team’s PassGAN was compared to two versions of hashcat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful each tool would be at cracking.
On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three hacking tool competitors generated between 6% and 23%.
However, when the Stevens PassGAN and hashcat were combined they were able to crack 27% of passwords in a LinkedIn set of 43 million passwords. Even the GAN’s failed passwords seemed fairly realistic, with attempts such as saddracula, santazone and coolarse18.
Using GANs to help guess passwords is ‘novel,’ says Martin Arjovsky, a computer scientist at New York University. The research “confirms that there are clear, important problems where applying simple machine learning solutions can bring a crucial advantage.”
Stronger, Better, Faster
Giuseppe Ateniese, a computer scientist at Stevens and paper co-author, says that though PassGAN gave hashcat an assist in this study, he’s ‘certain’ future iterations could surpass hashcat, in part because hashcat uses fixed rules – and was unable to produce more than 650 million passwords.
PassGAN, which invents its own rules, can create passwords indefinitely. “It’s generating millions of passwords as we speak,” says Ateniese. He went on to say PassGAN will improve with more layers in the neural networks and training on more leaked passwords.
Ateniese compared PassGAN to AlphaGo, the Google DeepMind program that recently beat a human champion at the board game Go using deep learning algorithms. “AlphaGo was devising new strategies that experts had never seen before,” says Ateniese. “I personally believe that if you give enough data to PassGAN, it will be able to come up with rules that humans cannot think about.”
Fight Fire With Fire
All is not lost, however. Researchers say the technology may also be used to beat hackers at their own game.
The work could help users and companies measure the strength of passwords, says Thomas Ristenpart, a computer scientist who studies computer security at Cornell Tech. “The new technique could also potentially be used to generate decoy passwords to help detect breaches.”
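The three defensive uses the article mentions can be shown in a few dozen lines: the match-rate metric the study reports (how much of a leaked set a generator reproduces), a strength check that rejects any password the generator can produce, and decoy passwords stored beside the real one so that a login with a decoy reveals that the hash store has been stolen (the honeyword scheme of Juels and Rivest). This is an added example, not code from the Stevens team or from PassGAN; the generator output and the leaked set are small constructed word lists (the three page examples plus invented ones), and the `DecoyVault` class, its method names and the iteration count are assumptions for illustration.

```python
"""Defender-side uses of a password-candidate generator, as the article describes.
The 'generator' here is a constructed word list standing in for PassGAN output."""
import hashlib
import hmac
import os
import random

# Constructed stand-in for generator output (three examples from the article
# plus invented ones); a real evaluation would use hundreds of millions.
GENERATED = ["saddracula", "santazone", "coolarse18", "password1",
             "sunshine88", "qwerty123", "letmein", "dragon2017"]
# Constructed stand-in for a leaked set, used only as an evaluation oracle.
LEAKED = ["password1", "sunshine88", "qwerty123", "iloveyou", "monkey",
          "welcome", "abc123", "football", "123456", "trustno1"]


def match_rate(generated, leaked):
    """Fraction of the leaked set the generator reproduced: the metric the
    study reports (12% for PassGAN alone, 27% combined with hashcat)."""
    hits = set(generated) & set(leaked)
    return len(hits) / len(set(leaked))


def is_weak(password, generated):
    """A chosen password that the generator can reproduce counts as weak."""
    return password in set(generated)


def _hash(password, salt):
    # Slow salted hash; 100k iterations is an assumed, illustrative setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DecoyVault:
    """Stores the real password hash among k decoy hashes in random order.
    The position of the real hash lives in a separate table (in a real
    deployment, on a separate host), so whoever dumps `records` cannot tell
    which hash is genuine and trips the alarm with probability k/(k+1)."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.records = {}      # username -> (salt, [hashes])
        self.real_index = {}   # username -> position of the real hash

    def register(self, username, password, generated, k=4):
        # Decoys are generator output that looks like a human choice; the
        # real password is never reused as a decoy. Requires k <= len(decoys).
        decoys = [p for p in generated if p != password]
        sweet = self.rng.sample(decoys, k) + [password]
        self.rng.shuffle(sweet)
        salt = os.urandom(16)
        self.records[username] = (salt, [_hash(p, salt) for p in sweet])
        self.real_index[username] = sweet.index(password)

    def login(self, username, attempt):
        """Returns 'ok', 'fail', or 'breach' (a decoy was presented, which
        only someone who cracked the stolen hash list could have recovered)."""
        if username not in self.records:
            return "fail"
        salt, hashes = self.records[username]
        h = _hash(attempt, salt)
        # Compare every slot so timing does not reveal the matching position.
        matched = [i for i, stored in enumerate(hashes)
                   if hmac.compare_digest(h, stored)]
        if not matched:
            return "fail"
        return "ok" if matched[0] == self.real_index[username] else "breach"


if __name__ == "__main__":
    print(f"generator reproduced {match_rate(GENERATED, LEAKED):.0%} of the leaked set")
    print("password1 weak:", is_weak("password1", GENERATED))
    vault = DecoyVault()
    vault.register("alice", "Tr0ub4dor&3", GENERATED, k=len(GENERATED))
    for attempt in ("Tr0ub4dor&3", "saddracula", "iloveyou"):
        print(attempt, "->", vault.login("alice", attempt))
```

The login path treats a decoy hit as an incident signal rather than an ordinary failure: the account is locked and the security team is alerted, because a decoy can only be presented by someone who obtained and cracked the stored hashes. Any generator that produces plausible-looking strings can supply the decoys; the article's point is that a GAN produces ones that are harder to tell apart from the real entry.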