Since years, the security industry has stressed that strong passwords are important. Recent research by Home Security Heroes shows how important this advice is.
The team at the website that provides information on home security and reviews cracked passwords from four to seven characters instantly or within minutes, even if the passwords included a mixture of upper and lowercase letters, numbers, and symbols.
Researchers found that after feeding over 15.6 million passwords to an AI-powered password hacker called PassGAN they could crack 51% common passwords within a minute.
The AI software failed to crack longer passwords. It would take 10 months or more to crack a password with only numbers. A password with upper- and lowercase letters and symbols, would require six quintillions of years.
The researchers explained on the Home Security Heroes site that PassGAN is a generative adversarial system (GAN) that uses an algorithm to learn from real password leaks how they are distributed and then creates realistic passwords for hackers to exploit.
The AI algorithms are continually A/B-tested against each other to stimulate learning. This allows it to appear to possess the sum total of human knowledge, with microchips that are more than 100,000 times quicker than the brain. Domingo Guerra is the executive vice president for trust at Incode Technologies.
He told TechNewsWorld that AI is more capable than traditional brute-force algorithms, which are limited in their capabilities. “It predicts the next most likely figure based upon everything it has learned,” he said. “Rather than looking for external knowledge, it relies on the patterns that it has developed during its training in order to display queried behavior quickly.”
Skeptical about AI
Dustin Childs of Trend’s Zero Day Initiative, who is responsible for threat awareness, said that based on the information publicly available, AI employs techniques similar to rainbow tables rather than brute-forcing a password. Hackers use rainbow table to convert hashed passwords back into plaintext.
He told TechNewsWorld that the rainbow table allowed AI to perform simple searches and compare operations using a hashed passcode, rather than a brute-force approach which is slower.
He added that “Rainbow Table attacks have been recognized for years, and it has been shown they can crack passwords as long as 14 characters in less than five minutes.” “Older hashing algorithm such as MD5 or SHA-1 is also more vulnerable to these types of attacks.”
Robert Hughes, Chief Information Security Officer at RSA in Bedford, Mass., a cybersecurity firm, explained that the majority of password cracking involves first finding a hashed version and then comparing it to that.
In theory, he said, “an AI can learn more about a topic and use that information to do so in an intelligent manner, but this has not been proven in practice.”
He said that security teams have been dealing with brute-force and rainbow tables since years. “In reality, the PassGAN AI does not perform faster than other models that threat actors use.”
AI Limitations
Roger Grimes is not convinced that AI can crack passwords faster than traditional methods. He works at LearnBe4 in Clearwater, Florida.
He told TechNewsWorld that “it is possible, and it will certainly be able to do so in the future, but no one has ever shown me an official test showing any AI system today breaking passwords quicker than traditional, non-AI password guessing or cracking methods.”
He added that “as more people use password manager software, which generates truly random passwords,” AI will not have an advantage over traditional password cracking, if the passwords involved are truly random.
Experts in security point out that using AI for password cracking has some limitations. For example, computing power can be an issue. Childs stated that even AI takes a long time to crack longer and more complex passwords.
He noted that it was not yet clear how AI would perform against some of the salting algorithms used by hashing algorithms.
John Gunn is the CEO of Token in Rochester, New York, which makes a biometric wearable authentication ring.
He told TechNewsWorld that “most apps and systems only allow a small number of incorrect entries before locking out the hacker.” AI will not change this.
Passwords are no more.
No one would need to worry about AI cracking the passwords, if there weren’t any passwords. This, despite the annual predictions of the end to passwords, does not seem feasible, at least for the near future.
“Over time we will likely streamline the annoyance associated with password management, by removing the cumbersome manual process of memorizing long strings of numbers and letters in order to gain access,” noted Darren Guccione CEO of Keeper Security a password storage and management company in Chicago.
He told that passwords would be around for a long time to come, given the millions of devices and systems in existence today which rely on password security. “We can only strengthen the protections in order to ensure their safe usage.”
