Powerful New Password Crackers Challenge Our Notions of “Secure”
Creating strong passwords was already a big challenge. Most are too short or predictable.
“If it’s anything shorter than 12 characters long, your password is probably going to be cracked, sooner or later,” says computer science professor Giuseppe Ateniese. “Hackers or intelligence agencies can run existing tools in minutes to figure out most of the regular passwords.”
Now research led by Ateniese has demonstrated that artificial intelligence might be the next big tool for rogues who want to crack our passwords.
And, interestingly, the technology works by learning all our patterns and tricks — then throwing that book out and making up new rules at light speed to defeat them.
Ateniese’s team — which included graduate student Briland Hitaj, former faculty member Fernando Perez-Cruz and New York Institute of Technology professor Paolo Gasti — developed the machine learning tool, known as PassGAN, to test their own passwords. The team trained a GAN (generative adversarial network) to quickly learn all the most common human password strategies — dictionary words, numerical sequences and the like — from databases of tens of millions of known passwords and simple variations of them.
Then the researchers took the project a step further: they freed the GAN to create its own rules and patterns based on what it had learned about us.
That’s precisely what the AI did.
“In some cases, our network could guess nearly half of the passwords in the test set, but even when it could not, the guesses looked remarkably like real user passwords,” Ateniese says.
PassGAN proved more likely than existing hacking tools to crack passwords. That means it holds tremendous potential for intelligence agencies operating during emergencies, for example.
“Let’s say you have a group of terrorists communicating, and you need to crack a message or get into their encrypted files in a hurry,” Ateniese explains. “This tool is going to be of great help in that sort of case.”