
A.I. will be the End of Passwords as We Know Them


High-profile breaches at Sony, Target, the IRS and others have put a sharp focus on the global cyber-security crisis and on the vulnerability of personal and business data. On another level, the popularity of the award-winning television program Mr. Robot, about a cyber-security engineer by day who becomes a vigilante hacker at night, shows how the need for, and the threats to, cyber-security have become part of popular culture.

Researchers have discovered that artificial intelligence could make it easier than ever for malicious actors to guess your password and get into your online accounts. Worse, they expect hackers to be using the method within a few years, if they are not already.

The Bashlite and Mirai malware families, which built botnets out of poorly secured consumer devices, marked a shift that opened the door to next-generation cyber-security using AI. Hackers are becoming more sophisticated and are widening their attack vectors, and the number of reported cyber attacks and the magnitude of breaches keep rising.

“We just raised the bar in terms of what a secure password should be,” New York Institute of Technology cyber-security researcher Paolo Gasti tells Inverse.

In a preprint paper shared on arXiv, "PassGAN: A Deep Learning Approach for Password Guessing," researchers at the Stevens Institute of Technology and the New York Institute of Technology explain how A.I. can outdo even the most powerful known password-guessing tools, Hashcat and John the Ripper, which rely on wordlists, hand-written mangling rules and simple statistical models rather than anything learned end to end from data. Their A.I. network, called PassGAN (a generative adversarial network trained on leaked passwords), recovered significantly more passwords than either traditional tool managed on its own when tested against a leaked database of old LinkedIn passwords.

The reason artificial intelligence is such a powerful password-guessing tool is that it models how humans behave, and people put only so much thought into their passwords. If most people pick easy-to-remember passwords and reuse variants of the same few across accounts, then leaked password data is full of patterns just waiting for an A.I. like PassGAN to uncover. Trained on one real-life leaked database, PassGAN guessed 12 percent of the passwords in the LinkedIn set on its own, and that figure rose to 27 percent when its output was combined with that of Hashcat and John the Ripper.

“Passwords tend to follow rules,” says Gasti. “What we’re finding is that deep neural networks might be able to learn these rules implicitly. If you show them tens of millions of passwords, they’ll eventually realize very complicated functions that describe how different sets of users are generating passwords. We don’t tell the deep learning network what these rules are, they can look at the data and learn that themselves.”

It is because of this that many experts, including Gasti, recommend unique passwords made of long random strings of letters and numbers, like those generated by password-management software: a model that has learned human habits gains nothing against a string no human chose. Some argue it is time to get rid of the traditional password altogether.

Now that the research of Gasti and his associates is public, albeit with some crucial details withheld, he says he hopes system administrators will use it in penetration testing to check whether the passwords people currently use are strong enough.
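To make the pattern-learning idea and the audit use concrete, here is an added example; it is not PassGAN and not the researchers' code. It uses a small character-level Markov model, a far simpler learned model than a GAN but one that likewise infers password structure from data without hand-written rules, trains it on a constructed "leak" of word-plus-suffix passwords, enumerates guesses in probability order, and runs them against a constructed list of unsalted SHA-1 hashes (the way the LinkedIn dump was hashed). The corpus, the held-out targets, the manager-style string and every name in it (`MarkovGuesser`, `audit`, `run_audit`, `random_password`) are assumptions made for this example.

```python
"""Added example (not PassGAN or the authors' code): a character-level Markov
model that learns password structure from a constructed "leak", emits guesses
in probability order, and audits a list of unsalted SHA-1 hashes with them."""
import hashlib
import heapq
import math
import secrets
import string
from collections import Counter, defaultdict

START, END = "\x02", "\x03"   # padding context and end-of-password marker


class MarkovGuesser:
    """Order-k character model: P(next char | previous k chars), learned from data."""

    def __init__(self, order=2):
        self.order = order
        self.counts = defaultdict(Counter)   # context -> Counter of next chars

    def train(self, passwords):
        for pw in passwords:
            s = START * self.order + pw + END
            for i in range(self.order, len(s)):
                self.counts[s[i - self.order:i]][s[i]] += 1

    def guesses(self, budget, max_len=16):
        """Best-first enumeration of the `budget` most probable passwords.

        Only transitions seen in training are followed, so every guess is a
        recombination of patterns the model has observed: a word ending seen
        with one suffix gets every suffix that ending was ever followed by."""
        heap = [(0.0, START * self.order)]       # (negative log-prob, partial string)
        out = []
        while heap and len(out) < budget:
            nlp, s = heapq.heappop(heap)
            if s.endswith(END):
                out.append(s[self.order:-1])
                continue
            row = self.counts.get(s[-self.order:], {})
            total = sum(row.values())
            for ch, c in row.items():
                if ch != END and len(s) - self.order >= max_len:
                    continue
                heapq.heappush(heap, (nlp - math.log(c / total), s + ch))
        return out


def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def audit(target_hashes, candidates):
    """Return the candidates whose unsalted SHA-1 (LinkedIn-2012 style) hits a target."""
    targets = set(target_hashes)
    return {c for c in candidates if sha1_hex(c) in targets}


def random_password(length=16):
    """Manager-style password: uniform over letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed "leaked" training corpus: common words with the usual suffixes.
WORDS = ["password", "letmein", "monkey", "dragon", "sunshine",
         "football", "shadow", "master", "qwerty", "princess"]
SUFFIXES = ["", "1", "123", "2017", "!", "1!"]
# Constructed audit targets. None of the first four occurs verbatim in the
# training corpus; each is stitched from transitions seen in *other* passwords.
HELD_OUT = ["dragon123", "Sunshine2017", "monkey1!", "Password123"]
MANAGER_STYLE = "Xk9#vQ2m$Lp7!wRz"    # constructed stand-in for a generated password
LEAK = [w + s for w in WORDS for s in SUFFIXES] + \
       [w.capitalize() + s for w in WORDS[:5] for s in SUFFIXES]
LEAK = [p for p in LEAK if p not in HELD_OUT]
TARGET_HASHES = [sha1_hex(p) for p in HELD_OUT + [MANAGER_STYLE]]


def run_audit(budget=20000):
    """Return (targets cracked by the Markov guesser, targets cracked by the raw wordlist)."""
    model = MarkovGuesser(order=2)
    model.train(LEAK)
    return audit(TARGET_HASHES, model.guesses(budget)), audit(TARGET_HASHES, LEAK)


if __name__ == "__main__":
    model = MarkovGuesser(order=2)
    model.train(LEAK)
    print("top guesses:", model.guesses(10))
    markov, wordlist = run_audit()
    print("wordlist alone cracked:", sorted(wordlist))
    print("Markov model cracked:  ", sorted(markov))
    print("not cracked:", MANAGER_STYLE, "(no learned transition reaches its characters)")
```

Running it shows the raw wordlist recovering none of the held-out targets, while the model, which never saw `dragon123`, recombines the `dragon1` prefix with the `123` suffix it saw on other words and recovers all four; the random manager-style string stays uncracked because no transition the model learned produces its characters. The transition graph of this toy corpus is finite, so the enumeration simply runs out of candidates before the budget is spent; on a real leak the budget is the binding constraint and the ranking matters. A real audit would feed such generated candidates to Hashcat or John the Ripper against the hash file rather than hashing in Python, and would be run only with explicit authorization.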

There is also the unsettling possibility that hackers will come to use the same methods.

There are many frontiers where harnessing the predictive power of AI might give the upper hand to security vendors. That predictive power is what is driving the shift: security measures no longer have to be purely reactive, responding after a compromise, but can be proactive, preventing breaches before they happen.

“A team with the right expertise could replicate these results,” he said. “How it’s going to be used next is not really up to us. One of the reasons we did this research is because we assume that if malicious actors don’t have these tools now, they will have them within the next few years.”
