AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org)
sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.
Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.
pwgen -s 16, bitches. (Score:5, Informative)
That is all.
Entropy is _everything_ in passwords. Use lots of it.
Re: (Score:2)
[1]: One caveat is that some diceware dictionary contain words with less than 12.9 bits of entropy such as pairs of numbers (e.g. 21), in a case like that a naive brute force attack could actually outperform one that knows the dictionary in use.
That's not quite right. The entropy in Diceware, or any other system that selects random words from a list, comes for the number of words in the list, not from the individual words. It is of course possible that a random Diceware passphrase could consist entirely of "words" that were numeric, or single characters or the like, and that passphrase could then be vulnerable to a brute force attack, but the odds of that happening are extremely low and it would be easy to spot and just generate another passphrase
Re: (Score:3)
NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.
Of course, it also uses mandatory 2-factor authentication, but still.
Re: (Score:2)
Based on news throughout the lifetime of NemID, this seems to be FAR from the worst issue with NemID.
Re: (Score:3)
NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.
Of course, it also uses mandatory 2-factor authentication, but still.
Well, after people complaining about case-insensitive passwords, they did change. Now they only allow digits.
Re: (Score:2)
I'm still using an alphanumeric password. The PIN thing is optional AFAIK.
Re: (Score:2)
My alphanumeric password stopped working, and when I generated a new password I was not allowed to use letters anymore :D
Re: (Score:2)
Pointless. 2fa your bank and get on with your life.
Re: (Score:2)
This point is absurd.
Re: (Score:2)
That is all.
Entropy is _everything_ in passwords. Use lots of it.
Oh boy, it's the semi-monthly Slashdot Password thread.
Make certain you use 5 sets of random numbers, and all special characters, and a minimum length of 1200 characters with a new password generated every 5 minutes. And for gawd's sake, never write it down.
Re: Good reason to not have a Slashdot account. (Score:1)
I disagree. Having an account aids in the conversation process. Replying to AC posts means that an AC is unlikely to receive a notice and reply.
While slashdot accounts can be hacked, nothing of value is lost. As long as the member can prove their identity via other means.
Signed, testing "Post Anonymously" checkbox.
Re: (Score:3)
That's nonsense. Slashdot could easily implement a reply notification system that doesn't rely on an explicit, persistent user account here. It's trivial to do using ...
I take it you forgot about the beta debacle.
'Slashdot could easily implement' is really just crazy talk.
Re: (Score:2)
The fact that you can identify bad posters and filter them out is reason enough to have an account IMO.
Re: (Score:3)
Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.
Unlike Anonymous Coward, who seems to be suffering from multiple split personalities and politically can best be described as a Nazi communist anarcho-authoritarian ballsack.
Still, nice to know the Pope and I are somewhat (in)famous.
Re: (Score:2)
An account is only vulnerable if people use weak passwords, or reuse them across multiple sites (some of which are probably storing them in plaintext). People should use a unique randomly generated password for each site, storing them with a password manager (and backing it up), not try to be Rain Man and remembering all of them.
An account can develop a reputation, which helps moderation. And the owner can be anonymous, so not vulnerable to retaliation.
Having said all that, I can't see any good reason for r
Re: Good reason to not have a Slashdot account. (Score:1)
Hence, I use password tiers.
A weak password for sites where it is potentially stored as plain text.
A throw-away password for various sites I'm not concerned about losing my account or access to.
A moderate password for sites I easily expire-able data, such as a credit card number.
And unique and complex passwords designed to not be guessable in any form for accounts which hold sensitive infor
Re:Good reason to not have a Slashdot account. (Score:5, Informative)
registered users here who, in my opinion, routinely post idiotic shit.
Having my posts against my pseudonym makes it easier for people that dislike my idiotic shit to use the Slashdot 'foe' system to auto-mod me out of their sight. I'm fine with that.
Slashdot knowing that my posts are from me means that the site can send me emails when people reply to my posts. That lets me continue a conversation.
There are nothing but drawbacks to having an account here. There are no benefits that I can see.
Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories.
Well, I've highlighted a couple of benefits. I'm with you on the story submissions though, a story either stands on its own or it doesn't. Much the same as an AC comment.
Re: (Score:2)
There are benefits to having an account here and in other discussion forums, as pointed out in other answers, and the security risk comes from bad habits, not the account themselves.
Not new, John the Ripper does this, just not "AI" (Score:3)
Maybe this is a bit better than John (or maybe not), but John also employs "Learning Heuristics" but just calls them clever code.
Rules are made to be broken (Score:1)
Rules create structure, consistency, something which can be automated.
A lack of rules lends itself towards laziness.
So we are the problem, and we must figure out how to outsmart ourselves.
Re: (Score:1)
A lack of rules lends itself towards laziness.
Granpa?! Is...is that you? Oh! I always knew I'd find you!
Re: (Score:2)
The problem is, when you let the website do that, the idiot dev goes "I know, I'll base it off the time stamp - that'll be easy and unique and all"
I'm looking at YOU Experian.
Those are crap passwords (Score:2)
Complete words? Please.
Re: (Score:2)
As your password, or your name?
Re: (Score:1)
It's probably enough to stop people from casually using her computer.
If that was indeed the goal, it seems fine to me.
Not exactly cracking (Score:5, Insightful)
This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.
Call it Machine Learning (Score:4, Informative)
Re: (Score:1)
Not that shocking.
Machine learning and artificial intelligence are similar enough linguistically that I could see a translator using one instead of the other (context free).
Re: (Score:1)
FYI: You're fighting a lost battle.
The old term AI (artificial intelligence) includes stuff like NN (neural networks), GA (genetic algorithms) and ML (machine learning). That will never change. Give up. You've lost.
The new terms are AGI (artificial general intelligence) and ASI (artificial super intelligence).
Re: (Score:3)
From https://aaai.org/ [aaai.org] in the description of next year's conference:
AAAI-18 welcomes submissions reporting research that advances artificial intelligence, broadly conceived. The conference scope includes all subareas of AI and machine learning.
Now, if you think you are such an expert in the field to say that the Association for the Advancement of Artificial Intelligence, which was founded in 1979 as an academic association, is wrong about the definition of artificial intelligence, I'd like to hear what contributions to the field you made that can back up the idea. If you did none, then just let the scientists working in the field define what AI means and contains, and accept it.
Re: (Score:2)
Well, to be fair machine learning addresses the most practical near-term applications of AI: replacing human judgment in classification, and extending that to volumes of data humans can't handle.
It may not be any kind of progress toward building something like Daneel Olivaw, but if that ever happens it probably won't happen because machines that are actually like humans are all that useful. It'll happen because someone wants to know if its possible.
Not Impressed (Score:3)
"figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. "
That is not all that impressive given that most people use poor passwords.
It is easy to do good passwords but not common.
Re:Not Impressed (Score:5, Insightful)
It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:
a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
c) Got an absurdly good memory wasted remembering tons of gibberish.
d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.
My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn go one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable none the less. There's just too many passwords to care about all of them.
Re: (Score:2)
I have about 2,000 passwords that I use. It is a bother but it is the current tech. We'll all get past this soon. Yes, I fall in category (c) above. I also remember names. It makes for a good game.
I'm gonna have to call bullshit on this (Score:2)
Um, assuming the website you're using has basic security protocols in place, Which Equifax has just shown ain't the case.
Re: (Score:1)
Use words mixed with standard but arbitrary punctuation and numbers.
For example
The quick brown fox jumped over the lazy dog.
Tqbfjotld - probably not secure.
T?qbfjotl9D - fairly secure now. Easy to type too.
Re: (Score:1)
Only the more common (ie google's datapiles, book texts) phrases will be vulnerable. The pool of phrases is exponentially larger than the current dictionary fashion.
Adding a single dimension of modification to dictionary fashion only bought us some time, and TFS says it's up.
Adding a single dimension of modification to phrases will, by virtue of the larger base, be highly resilient. Even without modification, rrrybgdts is fairly strong in 2017's conditions. With mods (eg your eg)
However, GP's Monroe referen
Re: (Score:1)
My particular method (which I did not fully reveal) produces unique derivable passwords per site so writedown is not an issue.
It does develop a problem over a period of several years. I.e. I have some sites that change passwords frequently and that eventually drives me to change my base pattern. No problem at first but after several base phrase changes, now it becomes a question of which base phrase was in use when I return to a site I don't even recall visiting and it knows me and requests a password. I
AI can never match my skill. (Score:5, Insightful)
Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all, It did not match it with any account. So, at least in that sense, I beat that thing hollow!
I don't get how this helps (Score:2)
With limited attempts, you can't try that many passwords before the account is blocked.
What secure sites give you unlimited attempts to sign in?
Re: (Score:1)
Isn't that how the fappening happened?
Apple didn't have attempt restrictions on its API access?
Passwords at least 14 random chars, nums, symbols. (Score:4, Interesting)
A good estimator: https://www.grc.com/haystack.h... [grc.com]
For example: abc123ABC!1234
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 14 characters
Exact Search Space Size (Count):
(count of all possible passwords with this alphabet size and up to this password's length) 4,928,630,108,082,482,617,642,017,120
Search Space Size (as a power of 10): 4.93 x 10^27
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 15.67 million centuries
Massive Cracking Array Scenario:(Assuming one hundred trillion guesses per second) 15.67 thousand centuries
Re:Passwords at least 16 random chars, nums (Score:1)
I've been using 16-digit random alphanumeric passwords for about a decade now. I use a script that dds from /dev/urandom, calls base64, strips out the two non-alphanumeric values, and then truncates to 16 digits. It works everywhere except backwater websites that limit you to 8 characters or 4-digit pins.
log2(95^14) = 14 * log2(95) = 91.98 bits of entropy for 14-digit alphanumeric+symbols
log2(62^16) = 16 * log2(62) = 95.27 bits of entropy for 16-digit alphanumeric-only
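The arithmetic behind the haystack numbers and the two entropy lines above, plus the Diceware caveat raised earlier in the thread (an attacker who knows the word list versus one who brute-forces characters), worked in one place. This is an added example, not code from any of the posts; the 95- and 62-character alphabets, the 7776-word list size, and the sample passphrases are constructed here.

```python
import math
import secrets
import string

# Character sets from the thread: 26+26+10+33 = 95 printable ASCII, 62 alphanumeric
PRINTABLE_95 = string.ascii_letters + string.digits + string.punctuation + " "
ALNUM_62 = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string: log2(N^L) = L * log2(N)."""
    return length * math.log2(alphabet_size)


def search_space(alphabet_size: int, max_length: int) -> int:
    """Haystack-style count of every password over this alphabet, 1..max_length chars."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a fixed guess rate."""
    return space / guesses_per_second / (100 * 365.25 * 24 * 3600)


def generate_password(length: int = 16, alphabet: str = ALNUM_62) -> str:
    """Uniform random password from the OS CSPRNG; same idea as the
    urandom + base64 + truncate script described in the post above."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_bits(words, list_size: int = 7776, alphabet_size: int = 36) -> dict:
    """Diceware caveat: an attacker who knows the list needs len(words)*log2(list_size)
    bits of work, but a plain character brute force over the joined text needs
    len(joined)*log2(alphabet_size); whichever is smaller is the real strength."""
    joined = "".join(words)
    by_list = entropy_bits(list_size, len(words))
    by_chars = entropy_bits(alphabet_size, len(joined))
    return {
        "wordlist_bits": by_list,
        "charspace_bits": by_chars,
        "effective_bits": min(by_list, by_chars),
        "weaker_model": "charspace" if by_chars < by_list else "wordlist",
    }
```

For the 14-character haystack example `search_space(95, 14)` reproduces the exact count quoted above, and a constructed passphrase of three tiny "words" such as `["21", "a", "9"]` comes out weaker under the character model, which is the situation the Diceware caveat describes.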
Trivial to defend against! (Score:2)
4 attempts: get a timeout of 1 hour. After 7 failed attempts get a timeout of 1 day. After 9 failed attempts get a timeout of 1 year.
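The tiered lockout described in this comment, written out as a server-side policy so the edge cases are explicit (attempts while locked are refused without being counted, a successful login clears the counter). Added example, not from the post; the tier table, account names and timestamps are constructed.

```python
import time
from dataclasses import dataclass

# Tiers from the comment: cumulative failed attempts -> lockout length in seconds
DEFAULT_TIERS = {4: 3600, 7: 86400, 9: 365 * 86400}


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LockoutPolicy:
    def __init__(self, tiers=None):
        self.tiers = dict(sorted((tiers or DEFAULT_TIERS).items()))
        self.state = {}  # account -> AccountState (in-memory stand-in for a real store)

    def _get(self, account):
        return self.state.setdefault(account, AccountState())

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return self._get(account).locked_until > now

    def record_failure(self, account, now=None):
        """Count one failed login; returns the lockout length newly applied (0 if none)."""
        now = time.time() if now is None else now
        st = self._get(account)
        st.failures += 1
        duration = 0
        for threshold, secs in self.tiers.items():  # highest tier reached wins
            if st.failures >= threshold:
                duration = secs
        if duration:
            st.locked_until = max(st.locked_until, now + duration)
        return duration

    def record_success(self, account):
        """A correct password (submitted while not locked) resets the account."""
        self.state.pop(account, None)

    def attempt(self, account, password_ok, now=None):
        """Gate a login: refuse while locked without counting, otherwise apply the outcome."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account, now)
        return "rejected"
```

The counter is per account, so it does nothing against a few guesses each spread over many accounts, and a year-long tier lets anyone who knows a username lock its owner out; those are the trade-offs to weigh before adopting the exact numbers from the comment.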
My ego is now Trumpsize (Score:4, Interesting)
I called it 3 years ago! [slashdot.org] (Well, okay C2 called it, but I get repost cred. Biggest repost ever, believe me!)
Somewhere out there... (Score:2)
Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.
You know, somewhere out there a /.er is frantically trying to change their password now that /. has posted it on the front page.
Yaz
I always use poor passwords (Score:2)
There has to be a better way (Score:3)
How about, after an arbitrary number of attempts, say 10, characters entered into the password window would only be accepted at about the typing speed of an average person. For real people, no discernible difference; for a hacking program, frustration.
Re: (Score:2)
That also sounds like an excellent idea. What really, really annoys me is that average people can come up with these in a minute or two. If they wouldn't work right out of the box, they could certainly be adapted by experts quickly enough.
If I'm going to sign into a password-protected site, I'll either have my password or admit fairly quickly I've forgotten it, and have the site initiate whatever reset procedure is appropriate. Under no circumstances will I need a couple of billion tries to access whatev
Re: (Score:2)
Yeah, that would work.
I've always wondered why any site that feels it necessary to protect your access by demanding a password would allow a program clearly designed for gaining unauthorized access to blast billions of possible passwords at it until one worked.
Clickbait (Score:2)
I hope that most people have an algorithm to remember their passwords and use a simple one for non-essential sites such as LinkedIn.
There is zero chance that an AI can guess my bank or email passwords. A little thing called entropy comes into play that AI doesn't help in breaking.
*cough* *cough* clickbait.
Re: (Score:1)
Sounds like they're using the old linked pw hash released a few years ago. That was lame. I typed in just words and I was getting hits. Like company names, government agencies... Caps, no caps... It was surprising how people didn't seem to care about their accounts. Easy to hijack and put whatever. Imagine hijacking one and put in the profile - porn star. 1990-1995 - erotic studios, CA. Man oh man, could you imagine the fun you could have with the job description? I wouldn't want to put that here because I
oops (Score:1)
Dammit! Now I have to change my password. Thanks PassGAN!