Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
AI Privacy Security Software Technology

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 136

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

This discussion has been archived. No new comments can be posted.

AI Just Made Guessing Your Password a Whole Lot Easier

Comments Filter:
  • by Anonymous Coward on Monday September 18, 2017 @08:36PM (#55223107)

    That is all.

    Entropy is _everything_ in passwords. Use lots of it.

    • There are actually sites out there that won't eat any password over 12 characters if you can believe that.
      • Even worse, my previous bank maxed passwords out at eight chars. But instead of telling you this when registering or changing passwords, the interface simply made the input field a fixed width at eight em and fixed input length at eight. I only realized this was the case while seriously fat fingering the last few characters and enter, but still logged right in.
    • But what if the universe runs out of entropy?
    • That is all.

      Entropy is _everything_ in passwords. Use lots of it.

      Oh boy, it's she semi-monthly Slashdot Password thread.

      Make certain you use 5 sets of random numbers, and all special characters, and a minimum length of 1200 characters with a new password generated every 5 minutes. And for gawd's sake, never write it down.

  • by aberglas ( 991072 ) on Monday September 18, 2017 @08:45PM (#55223151)

    Maybe this is a bit better than John (or maybe not), but John also employs "Learning Heuristics" but just calls them clever code.

  • Teach a person to create passwords according to certain rules, and then teach a machine learning implementation those same rules, its a computer doing what it was designed to do, what it was always going to do. A human just has to teach the computer to think like a human.

    Rules create structure, consistency, something which can be automated.

    A lack of rules lends itself towards laziness.

    So we are the problem, and we must figure out how to outsmart ourselves.
    • by Anonymous Coward

      A lack of rules lends itself towards laziness.

      Granpa?! Is...is that you? Oh! I always knew I'd find you!

  • Complete words? Please.

  • by mbone ( 558574 ) on Monday September 18, 2017 @09:01PM (#55223207)

    This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.

  • by Xylantiel ( 177496 ) on Monday September 18, 2017 @09:01PM (#55223209)
    Not AI, since it is actually machine learning. It's really stunning how far the rebranding of machine learning as AI has progressed. Maybe even machine training is more appropriate. AI is just not.
    • by AvitarX ( 172628 )

      Not that shocking.

      Machine learning and artificial intelligence are similar enough linguistically that I could see a translator using one instead of the other (context free).

    • by Luthair ( 847766 )
      Sad when this used to be one of the sites with the most technical background. Now we're no better than the tech blocks spamming these submissions.
    • by Anonymous Coward

      FYI: You're fighting a lost battle.

      The old term AI (artificial intelligence) includes stuff like NN (neural networks), GA (genetic algorithms) and ML (machine learning). That will never change. Give up. You've lost.

      The new terms are AGI (artificial general intelligence) and ASI (artificial super intelligence).

      • This. I was studying various machine learning techniques over a decade ago and everyone involved talked about them as being under the umbrella of AI. Any divergence of terms happened so long ago that it's not worth recognizing anymore.
    • by lorinc ( 2470890 )

      From https://aaai.org/ [aaai.org] in the description of next year's conference:

      AAAI-18 welcomes submissions reporting research that advances artificial intelligence, broadly conceived. The conference scope includes all subareas of AI and machine learning.

      Now, if you think you are such an expert in the field to say that the Association for the Advancement of Artificial Intelligence, which was founded in 1979 as an academic association, is wrong about the definition of artificial intelligence, I'd like to hear what contributions to the field you made that can back up the idea. If you did none, then just let the scientists working in the field define what AI means and contains, and accept it.

    • by hey! ( 33014 )

      Well, to be fair machine learning addresses the most practical near-term applications of AI: replacing human judgment in classification, and extending that to volumes of data humans can't handle.

      It may not be any kind of progress toward building something like Daneel Olivaw, but if that ever happens it probably won't happen because machines that are actually like humans are all that useful. It'll happen because someone wants to know if its possible.

  • by pubwvj ( 1045960 ) on Monday September 18, 2017 @09:07PM (#55223237)

    "figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. "

    That is not all that impressive given that most people use poor passwords.

    It is easy to do good passwords but not common.

    • Re:Not Impressed (Score:5, Insightful)

      by Kjella ( 173770 ) on Tuesday September 19, 2017 @04:04AM (#55224193) Homepage

      It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:

      a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
      b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
      c) Got an absurdly good memory wasted remembering tons of gibberish.
      d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.

      My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn go one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable none the less. There's just too many passwords to care about all of them.

      • by pubwvj ( 1045960 )

        I have about 2,000 passwords that I use. It is a bother but it is the current tech. We'll all get past this soon. Yes, I fall in category (c) above. I also remember names. It makes for a good game.

  • First, if your password is someone's birthday/anniversary/death day/pet name/kid name, a hacker targeting you has already tried it. Second, if you simply either A) think of a phrase and use every first letter for a password (my method); or b) think of 3-4 words and string them together (Randall Monroe's method), you ain't gonna get hacked via password guessing. Period.

    Um, assuming the website you're using has basic security protocols in place, Which Equifax has just shown ain't the case.
    • Use words mixed with standard but arbitary punctuation and numbers.

      For example
      The quick brown fox jumped over the lazy dog.

      Tqbfjotld - probably not secure.

      T?qbfjotl9D - fairly secure now. Easy to type too.

      • by Anonymous Coward

        Only the more common (ie google's datapiles, book texts) phrases will be vulnerable. The pool of phrases is exponentially larger than the current dictionary fashion.

        Adding a single dimension of modification to dictionary fashion only bought us some time, and TFS says it's up.

        Adding a single dimension of modification to phrases will, by virtue of the larger base, be highly resilient. Even without modification, rrrybgdts is fairly strong in 2017's conditions. With mods (eg your eg)

        However, GP's Monroe referen

        • My particular method (which I did not fully reveal) produces unique derivable passwords per site so writedown is not an issue.

          It does develop a problem over a period of several years. I.e. I have some sites that change passwords frequently and that eventually drives me to change my base pattern. No problem at first but after several base phrase changes, now it becomes a question of which base phrase was in use when I return to a site I don't even recall visiting and it knows me and requests a password. I

  • by 140Mandak262Jamuna ( 970587 ) on Monday September 18, 2017 @09:32PM (#55223293) Journal
    I guessed all, 100%, every last code of ALL ATM Cards. OMG, I am amazing. I will post my guess of mere 10,000 numeric four digit codes used to secure the ATM cards. It will definitely contain your ATM card code. Am I not amazing.

    Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all, It did not match it with any account. So, at least in that sense, I beat that thing hollow!

  • With limited attempts, you can't try that many passwords before the account is blocked.

    What secure sites give you unlimited attempts to sign in?

    • by AvitarX ( 172628 )

      Isn't that how the fappening happened?

      Apple didn't have attempt restrictions on its API access?

  • by kauaidiver ( 779239 ) on Monday September 18, 2017 @11:22PM (#55223571)

    A good estimator: https://www.grc.com/haystack.h... [grc.com]

    For example: abc123ABC!1234

    Search Space Depth (Alphabet): 26+26+10+33 = 95
    Search Space Length (Characters): 14 characters
    Exact Search Space Size (Count):
    (count of all possible passwords with this alphabet size and up to this password's length) 4,928,630,108,082,482,617,642,017,120
    Search Space Size (as a power of 10): 4.93 x 1027
    Time Required to Exhaustively Search this Password's Space:
    Online Attack Scenario: (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
    Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 15.67 million centuries
    Massive Cracking Array Scenario:(Assuming one hundred trillion guesses per second) 15.67 thousand centuries

    • I've been using 16-digit random alphanumeric passwords for about a decade now. I use a script that dds from /dev/urandom, calls base64, strips out the two non-alphanumeric values, and then truncates to 16 digits. It works everywhere except backwater websites that limit you to 8 characters or 4-digit pins.

      log2(95^14) = 14 * log2(95) = 91.98 bits of entropy for 14-digit alphanumeric+symbols
      log2(62^16) = 16 * log2(62) = 95.27 bits of entropy for 16-digit alphanumeric-only

  • 4 attempts: get a timeout of 1 hour. After 7 failed attempts get a timeout of 1 day. After 9 failed attempts get a timeout of 1 year.

  • by Tablizer ( 95088 ) on Tuesday September 19, 2017 @12:09AM (#55223701) Journal

    I called it 3 years ago! [slashdot.org] (Well, okay C2 called it, but I get repost cred. Biggest repost ever, believe me!)

  • Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

    You know, somewhere out there a /.er is frantically trying to change their password now that /. has posted it on the front page.

    Yaz

  • For sites I don't care about. Most people have 3 good passwords, 1 for email, 1 for banking and one they reuse everywhere. Most people use shit passwords for work because the work password rules encourage poor passwords. Sites that actually care about security will use a single sign on service like gmail or facebook.
  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Tuesday September 19, 2017 @06:17AM (#55224401)

    How about, after an arbitrary number of attempts, say 10, characters entered into the password window would only be accepted at about the typing speed of an average person. For real people, no discernible difference; for a hacking program, frustration.

    • You should visit this page https://essayclick.net/ [essayclick.net] to find lots of cool articles and topics on related articles
    • How about just an exponential cooldown timer that increases after every failed attempt, that ignores input during the cooldown period. Start the timer after the first failed attempt at 0.5 seconds, then 1, 2, 4, 8... An automated attack might even guess it right during the cooldown period, but getting a negative result, would discard the correct password.
      • That also sounds like an excellent idea. What really, really annoys me is that average people can come up with these in a minute or two. If they wouldn't work right out of the box, they could certainly be adapted by experts quickly enough.

        If I'm going to sign into a password-protected site, I'll either have my password or admit fairly quickly I've forgotten it, and have the site initiate whatever reset procedure is appropriate. Under no circumstances will I need a couple of billion tries to access whatev

  • Wow. It guessed linkedin passwords.

    I hope that most people have an algorithm to remember their passwords and use a simple one for non-essential sites such as LinkedIn.

    There is zero chance that an AI can guess my bank or email passwords. A little thing called entropy comes into play that AI doesn't help in breaking.

    *cought* *cought* clickbait.
    • by ebvwfbw ( 864834 )

      Sounds like they're using the old linked pw hash released a few years ago. That was lame. I typed in just words and I was getting hits. Like company names, government agencies... Caps, no caps... It was surprising how people didn't seem to care about their accounts. Easy to hijack and put whatever. Imagine hijacking one and put in the profile - porn star. 1990-1995 - erotic studios, CA. Man oh man, could you imagine the fun you could have with the job description? I wouldn't want to put that here because I

  • Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

    Dammit! Now I have to change my password. Thanks PassGAN!

You are always doing something marginal when the boss drops by your desk.

Working...