Researchers utilize Deep Learning for Password Guessing – How safe are your passwords?
The fact that manually created passwords follow certain patterns is not a new discovery. Most of us select our passwords based on information that is somehow attached to our lives; birth dates or names of family members are just some examples. Programs such as “John the Ripper” or “Hashcat” have made use of this for a long time: they generate the most probable passwords on the basis of heuristic rules, which can then be used when trying to hack into third-party accounts. Scientists from the Stevens Institute of Technology and the New York Institute of Technology have now gone a step further and used an artificial intelligence (AI) called PassGAN to guess passwords. Their paper can be found under the following link: https://arxiv.org/pdf/1709.00440.pdf
The results were quite convincing. After the scientists had fed their AI with more than 32,000 real passwords that had been made public in 2010, the software succeeded in correctly guessing one out of ten passwords taken from LinkedIn users in 2016, even though passwords that appeared in both databases had been removed beforehand. Hashcat, by comparison, could guess 17.67 percent of the passwords. The researchers then combined the results of their neural network with those of Hashcat and were able to significantly increase the recognition rate.
To be more precise, the researchers used a so-called Generative Adversarial Network (GAN) for their AI. This can be understood as two artificial neural networks that co-operate without interaction from outside; they are unsupervised. To make it a little more comprehensible, it works like this: the first network tries to present the second network with “wrong” (generated) passwords, while the second tries to tell them apart from the real ones. Both of them keep getting better until the “cheating values” of the first network are so good that the second network can no longer distinguish them from the originals.
Meanwhile, thousands of real passwords can be found freely accessible on the net. As the researchers have shown, it is possible to generate from these significantly more passwords that are being used by users now or may be chosen in the future. This shows how unsafe passwords are as a means of access restriction. Additional security features such as two-factor authentication, which is used by large tech giants such as Google and Amazon, can reduce the impact of password breaches. Otherwise, users should whenever possible rely on complex software-generated passwords in combination with password managers.
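The closing advice can be made concrete. The following Python snippet is an added example written for this article; it is not code from the PassGAN paper or from any password manager. It does two things the text argues for: it flags the kind of human-chosen patterns (personal names, birth years, dates, "word plus digits") that rule-based crackers and a trained model would try first, and it generates a software-chosen password from a cryptographic random source with its entropy in bits. The list of personal tokens and the pattern rules are constructed assumptions for illustration, not a complete weakness model.

```python
import math
import re
import secrets
import string

# Constructed sample of "personal" tokens a guesser would try first (names,
# birth years). A real check would source these from the user's own data.
PERSONAL_TOKENS = ["john", "mary", "1985", "1990"]

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Hypothetical date shape DD?MM?YYYY with optional separators, e.g. 12.03.1990
DATE_RE = re.compile(r"(?:0[1-9]|[12]\d|3[01])[./-]?(?:0[1-9]|1[0-2])[./-]?(?:19|20)\d\d")
YEAR_RE = re.compile(r"(?:19|20)\d\d")
WORD_DIGITS_RE = re.compile(r"[a-z]+\d{1,4}")


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the CSPRNG behind `secrets`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This is only meaningful for generated passwords; a human-chosen password of
    the same length and alphabet is far more predictable, which is the point the
    PassGAN results illustrate.
    """
    return length * math.log2(alphabet_size)


def looks_pattern_based(password: str, personal_tokens=PERSONAL_TOKENS) -> list:
    """Return a list of reasons a password resembles guessable human patterns.

    An empty list means none of the (constructed) rules fired; it does not prove
    the password is strong.
    """
    reasons = []
    low = password.lower()
    for tok in personal_tokens:
        if tok in low:
            reasons.append(f"contains personal token {tok!r}")
    if YEAR_RE.search(password):
        reasons.append("contains a four-digit year")
    if DATE_RE.search(password):
        reasons.append("contains a date")
    if WORD_DIGITS_RE.fullmatch(low):
        reasons.append("word followed by digits")
    return reasons


def assess(password: str) -> dict:
    """Summarise a password: its pattern flags and the entropy it *would* have if random."""
    return {
        "length": len(password),
        "pattern_flags": looks_pattern_based(password),
        "entropy_if_random": round(entropy_bits(len(password), len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    # A constructed human-chosen password versus a generated one.
    for pw in ["John1985", generate_password(20)]:
        print(pw, assess(pw))
```

The "entropy if random" figure is deliberately labelled that way: the same 8-character length gives about 52 bits for a uniformly random string, but "John1985" sits near the top of any guesser's list regardless of that number. This is why the advice is to let software choose the password and a manager remember it.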