By Jacqueline Ane
May 10, 2023
For years the security industry has stressed the importance of strong passwords. Some recent research from Home Security Heroes starkly shows the value of that advice.
Using artificial intelligence, the crew at the home security information and reviews website cracked passwords in the four- to seven-character range either instantly or in a matter of minutes — even when the passwords contained a mix of numbers, upper and lower case letters, and symbols.
After feeding more than 15.6 million passwords into an AI-powered password cracker called PassGAN, the researchers concluded that it is possible to crack 51% of common passwords in a minute.
However, the AI software faltered against longer passwords. A numbers-only password of 18 characters would take at least 10 months to crack, and a password that length with numbers, upper and lower case letters, and symbols would take six quintillion years to break.
On the Home Security Heroes website, the researchers explained that PassGAN uses a generative adversarial network (GAN) to autonomously learn the distribution of real passwords from actual password leaks and produce realistic passwords that hackers can exploit.
“The AI algorithms are constantly A/B tested against each other millions of times to stimulate learning, enabling it to seemingly possess the sum of human knowledge with microchips more than 100,000 times faster than the human brain,” explained Domingo Guerra, executive vice president of trust for Incode Technologies, an international identity verification and biometric authentication company.
“Compared to traditional, brute force algorithms with limited capability, AI predicts the most probable next figure based on everything it’s learned,” he told TechNewsWorld. “Rather than seeking knowledge externally, it leans into the patterns it has built during its training to exhibit queried behavior quickly.”
Skeptical of AI
Based on what has been publicly disclosed, AI uses techniques similar to rainbow table attacks rather than simply brute forcing a password, observed Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. Hackers use rainbow tables to translate hashed passwords into plaintext.
“The rainbow table allows the AI to do simple search and compare operations on a hashed password rather than a slower, brute-force attack,” he told TechNewsWorld.
“Rainbow table attacks have been acknowledged for years and have been shown to crack even 14-character passwords in under five minutes,” he added. “Older hashing algorithms such as MD5 and SHA-1 are also more susceptible to these forms of attacks.”
Most password cracking is done by first obtaining a hashed password and then making comparisons against that, explained Robert Hughes, chief information security officer at RSA, a cybersecurity company in Bedford, Mass.
“In theory,” he continued, “an AI could learn more information about a subject and use it to do this in an intelligent manner, but that isn’t demonstrated in practice.”
“Security teams have been battling brute force and rainbow tables throughout recent years,” he said. “As a matter of fact, the PassGAN AI model doesn’t perform fundamentally faster than others that threat actors leverage.”
Limitations of AI
Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., is also not convinced AI can crack passwords any quicker than traditional methods.
“Possibly it can, and certainly it will be able to in the future,” he told TechNewsWorld, “But no one has shown me a definitive test of any of today’s AI systems breaking passwords faster than non-AI, traditional password guessing and cracking methods.”
“As more and more people use password managers, which create truly random passwords, AI will have zero advantage over any traditional password cracking when the involved passwords are truly random, as they should already be,” he added.
Security experts point out some limitations to using AI to crack passwords. Computing power can be a challenge, for example. “Longer and more complex passwords take significant time to crack — even by AI,” Childs said.
“It’s also not clear how AI would fare against the salting mechanisms used in some hashing algorithms,” he noted.
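The rainbow-table and salting remarks above can be checked from the defender's side. The following Python sketch is an added example, not code from the article or from PassGAN; it assumes a small constructed wordlist, uses a plain dictionary as a simplified stand-in for a precomputed table, and uses PBKDF2 with an assumed iteration count as the salted scheme.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked-password wordlist (not real data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]
ITERATIONS = 100_000  # assumed work factor for this demo

def unsalted_md5(password: str) -> str:
    """Legacy storage: one fast hash, identical for every user of a password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(words):
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {unsalted_md5(w): w for w in words}

def salted_record(password: str):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def audit(password: str, lookup: dict) -> dict:
    """Store one password for two users under both schemes and compare."""
    salt_a, rec_a = salted_record(password)
    salt_b, rec_b = salted_record(password)
    return {
        "unsalted_found_by_lookup": lookup.get(unsalted_md5(password)) == password,
        "salted_found_by_lookup": rec_a.hex() in lookup or rec_b.hex() in lookup,
        "salted_records_identical": rec_a == rec_b,
        "legit_login_still_works": verify(password, salt_a, rec_a),
    }

if __name__ == "__main__":
    for key, value in audit("letmein", build_lookup(WORDLIST)).items():
        print(f"{key}: {value}")
```

With unsalted MD5 the precomputed table answers in one lookup and every user of the same password shares a hash; with a per-user salt the same table is useless and each record has to be worked on separately.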
There’s also a big difference between generating massive numbers of password guesses and being able to input those guesses in a real-world scenario, added John Gunn, CEO of Token, a maker of a biometric-based wearable authentication ring in Rochester, N.Y.
“Most apps and systems have a low number of wrong entries before they lock the hacker out, and AI does not change that,” he told TechNewsWorld.
Long Goodbye to Passwords
Of course, nobody would need to worry about AI cracking passwords if there were no passwords to crack. That, despite yearly predictions about the end of passwords, doesn’t appear to be possible, at least in the near term.
“Over time, we are likely to smooth out the annoyance of password management by eliminating the cumbersome manual process of remembering and entering long strings of numbers and letters to gain access,” noted Darren Guccione, President of Guardian Security, a password management and online storage company in Chicago.
“However, given the billions of existing devices and systems that already depend on password protection, passwords will still be with us for years to come,” he told TechNewsWorld. “We can provide stronger protections to support their safe use.”
Grimes added that there’s been a movement to get rid of passwords since the late 1980s. “There are a great many articles predicting the death of the password, but decades later, it’s still a struggle,” he said.
“If you put all the non-password authentication solutions together, they wouldn’t work with 2% of the world’s sites and services,” he continued. “That is a problem, and that is preventing widespread adoption.”
“Optimistically, more people use some form of non-password authentication to log on to one or more sites and services today. The rate is higher than ever,” he noted.
“However, as long as the total percentage of sites and services stays below 2%, the ‘tipping point’ for mass non-password authentication adoption will be tough,” he said. “It’s a frustratingly hard real-world chicken and egg problem.”
Hughes acknowledged that legacy systems, as well as trust from users and administrators, have slowed the move away from passwords. However, he added: “Eventually, password use will be limited, and they will be mostly used where they are appropriate or where systems couldn’t be updated to support other methods, but it will still take a long time to move off of passwords for most people and organizations.”
