For years the security industry has stressed the importance of strong passwords. Some recent research from Home Security Heroes starkly shows the value of that advice.
Using artificial intelligence, the crew at the home security information and reviews website cracked passwords in the four- to seven-character range either instantly or in a matter of minutes — even when the passwords contained a mix of numbers, upper and lower case letters, and symbols.
After feeding more than 15.6 million passwords into an AI-powered password cracker called PassGAN, the researchers concluded that it is possible to crack 51% of common passwords in a minute.
However, the AI software faltered against longer passwords. A numbers-only password of 18 characters would take at least 10 months to crack, and a password that length with numbers, upper and lower case letters, and symbols would take six quintillion years to break.
On the Home Security Heroes website, the researchers explained that PassGAN uses a generative adversarial network (GAN) to autonomously learn the distribution of real passwords from actual password leaks and produce realistic passwords that hackers can exploit.
“The AI algorithms are constantly A/B tested against each other millions of times to stimulate learning, enabling it to seemingly possess the sum of human knowledge with microchips more than 100,000 times faster than the human brain,” explained Domingo Guerra, executive vice president of trust for Incode Technologies, an international identity verification and biometric authentication company.
“Compared to traditional, brute force algorithms with limited capability, AI predicts the most probable next figure based on everything it’s learned,” he told TechNewsWorld. “Rather than seeking knowledge externally, it leans into the patterns it has built during its training to exhibit queried behavior quickly.”
Skeptical of AI
Based on what has been publicly disclosed, AI uses techniques similar to rainbow table attacks rather than simply brute forcing a password, observed Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. Hackers use rainbow tables to translate hashed passwords into plaintext.
“The rainbow table allows the AI to do simple search and compare operations on a hashed password rather than a slower, brute-force attack,” he told TechNewsWorld.
“Rainbow table attacks have been acknowledged for years and have been shown to crack even 14-character passwords in under five minutes,” he added. “Older hashing algorithms such as MD5 and SHA-1 are also more susceptible to these forms of attacks.”
Most password cracking is done by first finding a hashed password and then making comparisons against that, explained Robert Hughes, chief information security officer at RSA, a cybersecurity company in Bedford, Mass.
“In theory,” he continued, “an AI could learn more information about a subject and use it to do this in an intelligent way, but that is not proven in practice.”
“Security teams have been contending with brute force and rainbow tables for years now,” he said. “In fact, the PassGAN AI model does not perform significantly faster than others that threat actors leverage.”
Limitations of AI
Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., is also not convinced AI can crack passwords any quicker than traditional methods.
“Possibly it can, and certainly it will be able to in the future,” he told TechNewsWorld, “But no one has shown me a definitive test of any of today’s AI systems breaking passwords faster than non-AI, traditional password guessing and cracking methods.”
“As more and more people use password managers, which create truly random passwords, AI will have zero advantage over any traditional password cracking when the involved passwords are truly random, as they should already be,” he added.
Security experts point out some limitations to using AI to crack passwords. Computing power can be a challenge, for example. “Longer and more complex passwords take significant time to crack — even by AI,” Childs said.
“It’s also not clear how AI would fare against the salting mechanisms used in some hashing algorithms,” he noted.
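To put numbers on the length argument made earlier and on the salting point above, here is an added example (not code from the article or from Home Security Heroes): a search-space calculator for the article's 18-character cases, plus a tiny precomputed-table lookup over a constructed list of common passwords showing that a per-user salt defeats it. The guess rate and the MD5(salt || password) scheme are constructed assumptions for illustration only; MD5 appears here only because the article names it as an older algorithm.

```python
import hashlib

# Constructed mini "leak" of common passwords, standing in for the kind of
# candidates a precomputed table or a PassGAN-style generator covers first.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2023!"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of a given length over a given alphabet."""
    return charset_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constructed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def build_lookup_table(candidates) -> dict:
    """Precompute unsalted MD5 digests once (a simplified rainbow-style table)."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def lookup(table: dict, digest: str):
    """Recover a password by table hit; returns None when the digest is absent."""
    return table.get(digest)


def hash_salted(password: str, salt: bytes) -> str:
    """Hypothetical salted scheme, MD5(salt || password): the salt changes the
    digest, so a table precomputed for unsalted MD5 no longer applies."""
    return hashlib.md5(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    # Length dominates: 18 digits vs 18 characters from a 94-symbol alphabet.
    digits_only = keyspace(18, 10)
    full_alphabet = keyspace(18, 94)
    print(f"18 digits: {digits_only:.2e} candidates")
    print(f"18 mixed chars: {full_alphabet:.2e} candidates "
          f"({full_alphabet // digits_only:.2e}x larger)")
    rate = 1e9  # constructed rate: one billion guesses per second
    print(f"exhausting the digits-only space at {rate:.0e}/s: "
          f"{years_to_exhaust(digits_only, rate):.1f} years")

    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = hashlib.md5(b"password").hexdigest()
    salted = hash_salted("password", b"constructed-per-user-salt")
    print("unsalted lookup:", lookup(table, unsalted))  # password
    print("salted lookup:  ", lookup(table, salted))    # None
```

The salted digest misses the table not because MD5 got stronger but because every user's digest now differs, so a table would have to be rebuilt per salt; a slow, salted KDF raises the per-guess cost on top of that.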
There’s also a big difference between generating massive numbers of password guesses and being able to input those guesses in a real-world scenario, added John Gunn, CEO of Token, a maker of a biometric-based wearable authentication ring in Rochester, N.Y.
“Most apps and systems have a low number of wrong entries before they lock the hacker out, and AI does not change that,” he told TechNewsWorld.
Long Goodbye to Passwords
Of course, no one would have to worry about AI cracking passwords if there were no passwords to crack. That, despite annual predictions about the end of passwords, doesn’t seem possible, at least in the near term.
“Over time, we are likely to streamline the annoyance of password management by removing the clunky manual process of memorizing and entering long strands of numerals and letters to gain access,” observed Darren Guccione, CEO of Keeper Security, a password management and online storage company in Chicago.
“But given the billions of existing devices and systems that already depend on password security, passwords will still be with us for the foreseeable future,” he told TechNewsWorld. “We can only provide stronger protections to support their safe use.”
Grimes added that there’s been a movement to get rid of passwords since the late 1980s. “There are thousands of articles predicting the death of the password, and yet decades later, it’s still a struggle,” he said.
“If you put all the non-password authentication solutions together, they wouldn’t work on 2% of the world’s sites and services,” he continued. “That’s a problem, and that is preventing widespread adoption.”
“On a good note, more people use some form of non-password authentication to log on to one or more sites and services today. The percentage is higher than ever,” he noted.
“But as long as the total percentage of sites and services stays below 2%, the ‘tipping point’ for mass non-password authentication adoption is going to be tough,” he said. “It’s a frustratingly tough real-world chicken and egg problem.”
Hughes acknowledged that legacy systems, as well as trust from users and administrators, have slowed the movement away from passwords. However, he added: “Eventually, password use will be minimized, and they will be mostly used in places where they are appropriate or where systems could not be updated to support other methods, but it will still take years to move off of passwords for most people and companies.”