For years, the security industry has stressed that strong passwords are important. Recent research by Home Security Heroes shows how important this advice is.
The team at the website, which provides information and reviews on home security, cracked passwords of four to seven characters instantly or within minutes, even when the passwords included a mixture of upper- and lowercase letters, numbers, and symbols.
The researchers found that after feeding over 15.6 million passwords to an AI-powered password cracker called PassGAN, it could crack 51% of common passwords within a minute.
The AI software fared far worse against longer passwords. It would take 10 months or more to crack a long password made up only of numbers, and a password of the same length that mixes numbers, upper- and lowercase letters, and symbols would take 6 quintillion years.
The researchers explained on the Home Security Heroes site that PassGAN is a generative adversarial network (GAN) that learns from real password leaks how passwords are distributed and then generates realistic password guesses for attackers to use.
The two models in such a system are continually pitted against each other, which drives the learning. This lets the system appear to possess the sum total of human knowledge, running on microchips that are more than 100,000 times faster than the brain.
Domingo Guerra, executive vice president for trust at Incode Technologies, told TechNewsWorld that AI is more capable than traditional brute-force algorithms, which are limited in what they can do. “It predicts the next most likely figure based upon everything it has learned,” he said. “Rather than looking for external knowledge, it relies on the patterns that it has developed during its training in order to display queried behavior quickly.”
Skeptical about AI
Dustin Childs of Trend’s Zero Day Initiative, who is responsible for threat awareness, said that based on the publicly available information, the AI employs techniques closer to rainbow tables than to brute-forcing a password. Attackers use rainbow tables to recover plaintext passwords from their hashes.
He told TechNewsWorld that a rainbow table lets the AI perform simple search-and-compare operations on a hashed password rather than a slower brute-force approach.
“Rainbow table attacks have been recognized for years, and it has been shown they can crack passwords as long as 14 characters in less than five minutes,” he added. “Older hashing algorithms such as MD5 or SHA-1 are also more vulnerable to these types of attacks.”
Robert Hughes, chief information security officer at RSA, a cybersecurity firm in Bedford, Mass., explained that most password cracking involves first obtaining a hashed version of the password and then comparing candidate guesses against it.
In theory, he said, “an AI can learn more about a topic and use that information to do so in an intelligent manner, but this has not been proven in practice.”
He said that security teams have been dealing with brute-force and rainbow table attacks for years. “In reality, the PassGAN AI does not perform faster than other models that threat actors use.”
Roger Grimes of KnowBe4 in Clearwater, Florida, is also not convinced that AI can crack passwords faster than traditional methods.
He told TechNewsWorld that “it is possible, and it will certainly be able to do so in the future. But nobody has shown me any definitive tests of AI systems today breaking passwords quicker than traditional, non-AI password guessing or cracking methods.”
He added that as more people use password manager software, which generates truly random passwords, AI will have no advantage over traditional password cracking when the passwords involved are truly random.
Security experts point out that using AI for password cracking has its limits. Computing power, for one, can be a constraint: Childs said that even AI takes a long time to crack longer, more complex passwords.
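To make the length and character-set comparison above concrete, and to show what “truly random” means in Grimes’s remark, here is an added Python example (it is not code from the article or from Home Security Heroes). It computes the keyspace and entropy of a password for a given length and alphabet, converts that into a worst-case exhaustive-search time, and generates a password the way a password manager does, choosing every symbol with a CSPRNG so the entropy estimate actually applies. The guess rate of 10^10 per second is an assumption for illustration only, so the years it reports are not the article’s figures.

```python
import math
import secrets
import string

# Assumed offline guess rate against a fast, unsalted hash.
# Constructed illustration figure, not a number from the article.
ASSUMED_GUESSES_PER_SECOND = 10**10

DIGITS = string.digits                                            # 10 symbols
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace.
    Only valid when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(length: int) -> dict:
    """Contrast a digits-only password with a full-charset one of the same length,
    which is the comparison the article draws."""
    return {
        "digits_bits": entropy_bits(length, len(DIGITS)),
        "digits_years": years_to_exhaust(length, len(DIGITS)),
        "full_bits": entropy_bits(length, len(FULL)),
        "full_years": years_to_exhaust(length, len(FULL)),
    }


def generate_password(length: int = 16, alphabet: str = FULL) -> str:
    """Password-manager-style generation: each symbol drawn from a CSPRNG,
    so there is no learned pattern for a model such as PassGAN to exploit."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n in (8, 12, 16):
        c = compare(n)
        print(f"length {n:2d}: digits-only {c['digits_bits']:5.1f} bits "
              f"({c['digits_years']:.2e} years), full charset "
              f"{c['full_bits']:5.1f} bits ({c['full_years']:.2e} years)")
    print("generated:", generate_password())
```

The point of the comparison is that entropy grows linearly with length but the search space grows exponentially, so adding a few characters does far more than adding symbol classes to a short password; and a generated password only earns the printed entropy if it really is uniformly random, which is why `secrets` rather than `random` is used.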
He noted that it is not yet clear how AI would perform against the salting schemes used with some hashing algorithms.
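The rainbow-table remarks above and Childs’s point about salting come down to one property: precomputation only pays off when the same password always hashes to the same value. The following added Python example (not from the article or any of the quoted companies) shows this with a plain hash-to-plaintext dictionary over a small constructed wordlist, standing in for the precomputation idea behind a rainbow table (a real rainbow table uses hash/reduce chains to trade memory for time, but salting defeats both for the same reason). Against unsalted SHA-1 the table recovers a password with one lookup; against a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here) the table is useless, and two users with the same password get different hashes.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a leaked-password corpus.
SAMPLE_WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: a single fast hash with no salt (the weak form)."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> plaintext once. Every unsalted database can then be
    checked with dictionary lookups instead of repeated hashing, which is the
    time-memory trade-off that makes rainbow tables worthwhile."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup(table: dict, stored_hash: str):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened storage: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str) -> dict:
    """What a hardened system keeps: the salt (not secret) and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], salted_hash(candidate, salt))


def demo() -> dict:
    table = build_lookup_table(SAMPLE_WORDLIST)
    # Unsalted: the precomputed table recovers the plaintext with one lookup.
    recovered = lookup(table, unsalted_hash("dragon"))
    # Salted: the same password yields different hashes per user, and the
    # precomputed table never matches because it was built without the salt.
    a = store_password("dragon")
    b = store_password("dragon")
    return {
        "unsalted_recovered": recovered,
        "salted_in_table": lookup(table, a["hash"]),
        "same_password_same_hash": a["hash"] == b["hash"],
        "verify_ok": verify_password(a, "dragon"),
        "verify_wrong": verify_password(a, "sunshine"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A salt does not stop an attacker from guessing one user’s password; it only forces every guess to be hashed separately per user, so the work cannot be shared across accounts or precomputed. The slow KDF is what makes each of those per-user guesses expensive, which is why the two are used together.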
John Gunn is the CEO of Token in Rochester, New York, which makes a biometric wearable authentication ring.
He told TechNewsWorld that “most apps and systems only allow a small number of incorrect entries before locking out the hacker,” and AI will not change this.
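Gunn’s point is that an online guessing limit caps the number of attempts no matter how good the guesser’s candidate list is. The added Python example below (not from the article or from Token) is a minimal per-account lockout guard of the kind he describes; the threshold of 5 failures and the 15-minute lockout are assumed policy values, and the clock is injectable so the walk-through in `simulate_lockout` runs deterministically.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy value, not from the article
LOCKOUT_SECONDS = 900   # assumed policy value, not from the article


class LoginGuard:
    """Track failed attempts per account and refuse further attempts once the
    threshold is hit, so online guessing is capped regardless of the quality
    of the attacker's candidate list."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear it and reset the failure counter.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.
        A correct password is refused while the account is locked, which is
        what denies the guesser feedback during the lockout window."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
        return "failed"


def simulate_lockout() -> list:
    """Deterministic walk-through with a fake clock (constructed for illustration)."""
    now = [0.0]
    guard = LoginGuard(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    results = [guard.attempt("alice", False) for _ in range(3)]  # three failures
    results.append(guard.attempt("alice", True))   # right password, but locked
    now[0] = 61.0                                  # lockout window has elapsed
    results.append(guard.attempt("alice", True))   # accepted, counter reset
    results.append(guard.attempt("bob", True))     # other accounts unaffected
    return results


if __name__ == "__main__":
    print(simulate_lockout())
```

Two caveats a practitioner would add: a lockout only limits online guessing against the live service, so it does nothing for the offline scenario the rest of the article discusses, where the attacker already holds the hash database; and a hard lockout can be turned against legitimate users, so production systems usually pair it with throttling or backoff and alerting rather than relying on the counter alone.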
No more passwords?
No one would need to worry about AI cracking passwords if there were no passwords. Despite the annual predictions of the end of passwords, however, that does not seem feasible, at least in the near future.
“We will likely streamline the annoyance associated with password management over time by removing the cumbersome manual process of memorizing long strings of letters and numbers to gain access,” noted Darren Guccione, CEO of Keeper Security in Chicago, which provides password management software and online storage.
He said that passwords will be around for a long time to come, given the millions of devices and systems in existence today that rely on password security. “We can only strengthen the protections in order to ensure their safe usage.”
Grimes said that there has been a push to eliminate passwords since the 1980s, and that despite thousands of articles declaring their end, the struggle continues decades later.
“If you combined all the non-password authentication solutions together, they would not work on 2% of the sites and services in the world,” he continued. “That’s the problem, and it is stopping widespread adoption.”
On a positive note, he said, more people than ever are using non-password authentication to access at least one website or service; the percentage doing so is higher than it has ever been.
He said that as long as “the total percentage of websites and services remains below 2%,” the tipping point for mass adoption of non-password authentication will be difficult to reach. It is a frustrating, real-world chicken-and-egg problem.
Hughes acknowledged that trust between users and administrators, as well as legacy systems, has slowed the move away from passwords. He added that passwords will eventually be used less, and only where they are necessary or where systems cannot be updated to accommodate other methods. Even so, it will take many years for the majority of people and businesses to abandon passwords.