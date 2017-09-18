AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 36
sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.
Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.
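The summary above measures a generator by hashing its guesses and counting how many land in a leaked set, then repeats the count for the union of two generators. The following Python is an added illustration of that measurement, not code from the PassGAN paper or from hashcat or John the Ripper; the ten "leaked" plaintexts, the two candidate lists and the choice of unsalted SHA-1 as the target hash are all constructed for the demo.

```python
import hashlib

# Constructed stand-in for a leaked password set. The real LinkedIn dump is
# tens of millions of entries; these ten plaintexts are invented for the demo.
LEAKED_PLAINTEXTS = [
    "password", "123456", "qwerty", "iloveyou", "letmein",
    "dragon", "monkey", "football", "sunshine", "princess",
]

# Constructed outputs of two hypothetical candidate generators (think of them
# as the guesses from a rule-based cracker and from a learned model).
GENERATOR_A = ["password", "123456", "qwerty", "abc123", "welcome"]
GENERATOR_B = ["password", "iloveyou", "letmein", "trustno1", "dragon"]


def sha1_hex(s: str) -> str:
    # Unsalted SHA-1 is an assumption of this demo, chosen only so the target
    # can be held as digests, the way a cracker actually sees a dump.
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def hash_target(plaintexts):
    """Map digest -> plaintext so matches can be reported in the clear."""
    return {sha1_hex(p): p for p in plaintexts}


def crack(candidates, target_digests):
    """Hash each distinct candidate once; keep those whose digest is in the target.

    This is an offline measurement: it needs no login attempts, only the
    leaked digests and a candidate list, so the guess budget is limited by
    CPU/GPU time rather than by any lockout policy.
    """
    hits = set()
    seen = set()
    for cand in candidates:
        if cand in seen:            # deduplicate so the count stays honest
            continue
        seen.add(cand)
        digest = sha1_hex(cand)
        if digest in target_digests:
            hits.add(digest)
    return hits


def coverage(hits, target_digests):
    """Fraction of the leaked set recovered by a candidate list."""
    return len(hits) / len(target_digests)


def combined_gain(cands_a, cands_b, target_digests):
    """Matches from A, from B, from their union, and B's marginal gain over A.

    The marginal gain is the number that matters when deciding whether a
    second generator is worth running after the first.
    """
    a = crack(cands_a, target_digests)
    b = crack(cands_b, target_digests)
    union = a | b
    return len(a), len(b), len(union), len(union - a)


if __name__ == "__main__":
    target = hash_target(LEAKED_PLAINTEXTS)
    n_a, n_b, n_union, gain = combined_gain(GENERATOR_A, GENERATOR_B, target)
    print(f"A: {n_a}/10  B: {n_b}/10  A|B: {n_union}/10  B adds {gain} over A")
```

On the constructed data generator A recovers 3 of 10, generator B recovers 4, and their union recovers 6; the overlap (both guess "password") is why the union is less than the sum. The same arithmetic, at scale, is what turns a 12% and a 23% generator into a 27% combined result rather than 35%.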
[1]: One caveat is that some Diceware dictionaries contain words with less than 12.9 bits of entropy, such as pairs of numbers (e.g. 21); in a case like that a naive brute-force attack could actually outperform one that knows the dictionary in use.
That's not quite right. The entropy in Diceware, or any other system that selects random words from a list, comes from the number of words in the list, not from the individual words. It is of course possible that a random Diceware passphrase could consist entirely of "words" that were numeric, or single characters or the like, and that passphrase could then be vulnerable to a brute-force attack, but the odds of that happening are extremely low and it would be easy to spot and just generate another passphrase.
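The two comments above disagree about where Diceware entropy comes from and whether short list entries matter. The Python below is an added worked example, not from either commenter or from the Diceware project, that computes both sides: per-word entropy from the list size (log2 of 7776 entries, about 12.9 bits), and the character-level brute-force cost an attacker who ignores the list would pay, which is what decides whether an all-short-word passphrase is the weaker case. The word list is synthesized so the example runs offline; a real Diceware list would be loaded from a file instead.

```python
import math
import secrets

# Constructed stand-in for a Diceware list: a real list has 7776 entries
# (6^5 outcomes of five dice). The four short entries mimic the numeric and
# single-character "words" some real lists contain.
WORDLIST = [f"word{i:04d}" for i in range(7776 - 4)] + ["21", "a", "7", "zz"]


def bits_per_word(wordlist):
    """Entropy of one uniformly chosen entry: depends only on list length."""
    return math.log2(len(wordlist))


def passphrase_entropy_bits(wordlist, n_words):
    """Entropy an attacker who knows the list and the word count must cover."""
    return n_words * bits_per_word(wordlist)


def generate(wordlist, n_words, rng=secrets):
    # rng must provide .choice(); the secrets module is the safe default
    return [rng.choice(wordlist) for _ in range(n_words)]


def brute_force_bits(words, alphabet_size=95):
    """Work for an attacker who ignores the list and tries every string of
    the passphrase's character length (assumes no separators and a printable
    ASCII alphabet of 95 symbols; both are assumptions of this demo)."""
    length = sum(len(w) for w in words)
    return length * math.log2(alphabet_size)


def weaker_than_list_attack(words, wordlist, alphabet_size=95):
    """True when character-level brute force beats enumerating list
    combinations, i.e. the edge case the first comment describes."""
    return brute_force_bits(words, alphabet_size) < passphrase_entropy_bits(
        wordlist, len(words)
    )


def probability_all_short(wordlist, n_words, max_len=2):
    """Chance that every chosen word is at most max_len characters."""
    short = sum(1 for w in wordlist if len(w) <= max_len)
    return (short / len(wordlist)) ** n_words


def pick_passphrase(wordlist, n_words=6, alphabet_size=95, rng=secrets):
    """Generate and regenerate until the list attack is the cheapest one,
    which is the "just generate another passphrase" advice made mechanical."""
    while True:
        words = generate(wordlist, n_words, rng)
        if not weaker_than_list_attack(words, wordlist, alphabet_size):
            return words


if __name__ == "__main__":
    print(f"{bits_per_word(WORDLIST):.2f} bits per word")
    print(f"{passphrase_entropy_bits(WORDLIST, 6):.1f} bits for six words")
    print("all-short six-word case weaker than list attack:",
          weaker_than_list_attack(["21", "a", "7", "zz", "21", "a"], WORDLIST))
    print("P(all six short):", probability_all_short(WORDLIST, 6))
    print(" ".join(pick_passphrase(WORDLIST)))
```

Six words from a 7776-entry list carry about 77.5 bits regardless of which words come up; a six-word phrase made entirely of one- and two-character entries totals nine characters, for which a 95-symbol brute force is only about 59 bits, so that rare draw really is the weaker case. With four short entries in the list the probability of drawing six of them is on the order of 10^-20, which is why rejecting and redrawing costs nothing in practice.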
The inherent vulnerability of online accounts is a great reason why we shouldn't have Slashdot accounts. Having an account here, or at any other discussion site where identity is totally irrelevant, is just an unnecessarily risky thing to do.
It's not like having an account somehow magically makes somebody's comments better. Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.
The fact that you can identify bad posters and filter them out is reason enough to have an account IMO.
Maybe this is a bit better than John (or maybe not), but John also employs "learning heuristics"; it just calls them clever code.
Rules create structure, consistency, something which can be automated.
A lack of rules lends itself towards laziness.
So we are the problem, and we must figure out how to outsmart ourselves.
Complete words? Please.
It's probably enough to stop people from casually using her computer.
If that was indeed the goal, it seems fine to me.
This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few hundred million trials to crack into each account.
Not that shocking.
Machine learning and artificial intelligence are similar enough linguistically that I could see a translator using one instead of the other (context free).
"figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. "
That is not all that impressive given that most people use poor passwords.
It is easy to create good passwords, but it is not common.
Um, assuming the website you're using has basic security protocols in place, which Equifax has just shown ain't the case.
Use words mixed with standard but arbitrary punctuation and numbers.
For example
The quick brown fox jumped over the lazy dog.
Tqbfjotld - probably not secure.
T?qbfjotl9D - fairly secure now. Easy to type too.
Yeah, true, my set has the code but does not link the code with any actual card. But this AI thing also just guessed some possible passwords. That is all; it did not match it with any account. So, at least in that sense, I beat that thing hollow!
With limited attempts, you can't try that many passwords before the account is blocked.
What secure sites give you unlimited attempts to sign in?
Isn't that how the fappening happened?
Apple didn't have attempt restrictions on its API access?
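The last few comments, and the earlier one about needing "a few hundred million trials" per account, turn on the difference between offline hash cracking and online guessing against a login endpoint that counts failures. The Python below is an added example of the server-side control they are asking about: a per-key failure counter with a sliding window and a hard lockout, plus a small simulation showing how few of a generated list's guesses ever get evaluated online. It is not code from any site discussed on the page; the thresholds (5 failures in 15 minutes, 15-minute lockout) and the simulated account are assumptions for the demo.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with a hard lockout, keyed by whatever
    the caller chooses (account name, source IP, or a tuple of both)."""

    def __init__(self, max_failures=5, window=900.0, lockout=900.0):
        self.max_failures = max_failures
        self.window = window              # seconds in which failures accumulate
        self.lockout = lockout            # seconds the key stays blocked
        self._failures = defaultdict(deque)   # key -> recent failure timestamps
        self._locked_until = {}               # key -> time at which lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key, now=None):
        """Must be checked BEFORE the password is verified, so a locked
        account yields no information about whether the guess was right."""
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]   # lock expired; start counting afresh
        return True

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now)
        q = self._failures[key]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def simulate_online_guessing(throttle, account, guesses, correct,
                             start=0.0, interval=1.0):
    """Feed a candidate list to the endpoint one guess per `interval` seconds.

    Returns (guesses actually evaluated, whether the password was found).
    Guesses arriving while the key is locked are dropped, not evaluated.
    """
    evaluated = 0
    for i, guess in enumerate(guesses):
        now = start + i * interval
        if not throttle.allowed(account, now):
            continue
        evaluated += 1
        if guess == correct:          # stand-in for the real credential check
            throttle.record_success(account)
            return evaluated, True
        throttle.record_failure(account, now)
    return evaluated, False


if __name__ == "__main__":
    t = LoginThrottle()
    candidates = [f"guess{i}" for i in range(100)]   # constructed wordlist
    n, found = simulate_online_guessing(t, "alice", candidates, "correct horse")
    print(f"evaluated {n} of {len(candidates)} guesses, found={found}")
```

With these settings a 100-entry list gets exactly five guesses evaluated before the account locks; the other 95 are discarded unseen, which is why a generator that is impressive offline changes nothing about an endpoint that enforces this. Keying the throttle on the account alone still lets an attacker lock legitimate users out on purpose, so production deployments usually combine an account key with a per-source-IP key and escalate to CAPTCHA or step-up authentication rather than a hard lock; the class above accepts any hashable key, so both counters can be run side by side.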