These Powerful New Password Crackers Challenge Our Notions of 'Secure'
New Stevens research demonstrates AI technology that can successfully attack passwords with remarkable speed and skill
With hackers, crackers and intelligence services on the loose, building better passwords is a constant challenge for everyone from the casual social media user to national governments. Most users' passwords suffer from a number of weaknesses, including predictability, redundant use and excessive brevity.
Now a new Stevens Institute of Technology study led by computer science professor Giuseppe Ateniese demonstrates how artificial intelligence (AI) techniques can be harvested to crack passwords with even greater ease.
Curiously, the technology works by discovering all the usual human password tricks — then throwing that book aside to make up new rules at light speed.
Breaking terrorist messages, cracking phone passwords
New guidance suggests that traditional prescriptions for varying passwords, such as introducing and mixing in "special" characters, numbers and capital letters, don't help your privacy as much as believed. That's because algorithmic password-cracking programs can pretty quickly cycle through most of the obvious permutations.
"If it's anything shorter than twelve characters long, your password is probably going to be cracked, sooner or later," notes Ateniese. "Hackers or intelligence agencies can run existing tools in minutes to figure out most of the regular passwords."
Solutions have evolved, including the creation of longer or completely random passwords and the use of software tools to confound crackers.
To test whether these truly work, Ateniese and his team — which included graduate student Briland Hitaj, faculty member Fernando Perez-Cruz and New York Institute of Technology professor Paolo Gasti — tried a different approach.
"This was a collective effort," notes Ateniese, "and I assembled the best team possible: Fernando is unmatched in machine learning, Briland is the AI code magician, and Paolo is the person I trust most when a system must be built properly and quickly."
The team first trained a GAN (generative adversarial network) to rapidly learn all the most common human password strategies — dictionary words, numerical sequences and the like — from databases of tens of millions of known, leaked common and complex passwords and simple variations of them. Then the researchers advanced the project a notch higher: they freed up the network to create its own rules and patterns, if it chose, from that training data.
And that's precisely what the AI did.
"The machine is already generating a good set of passwords even in this early version," says Ateniese. "In some cases, our network could guess nearly half of the passwords in the test set, but even when it could not, the guesses looked remarkably like real user passwords."
The machine learning tool, which the Stevens team is calling PassGAN, is more likely than existing hacking tools to crack existing passwords that have not yet been leaked or broken, Ateniese notes. That means it holds tremendous potential for intelligence agencies, for example, operating during emergencies.
"Let's say you have a group of terrorists communicating, and you need to crack a message or get into their encrypted files in a hurry," he explains. "This tool is going to be of great help in that sort of case."
It will also become incrementally better at guessing private passwords as additional sets of passwords are discovered through data breaches or other means and learned over time.
While our human rules for creating passwords are more or less fixed and known, the neural network can run forever, and devise new rules forever," Ateniese concludes. "There is just tremendous power in that ability. This is only the first step, it is not perfect yet, but we will improve this tool gradually, and it's very exciting to have established that AI has a clear edge in this type of task."