AI Can Guess Your Password

How can you guess a password in an efficient way? A new application of artificial intelligence and deep learning in the field of information security focuses on passwords.

Researchers from the Stevens Institute of Technology and the New York Institute of Technology have recently published results from their work using Generative Adversarial Networks (GANs) to generate password guesses at a better rate, they said, than existing tools.

By opting for these powerful analytical tools, the researchers said they can use machines to learn from existing data, such as any of the millions of passwords leaked in the last 18 months, and develop new password rules that not only improve the efficiency of the pen-testing tools, but also could someday be the primary tool used to recover or guess passwords.

“Let’s say tomorrow there is another password leak; if you’re building rules manually and you want to take advantage of that knowledge from the leak, you have to get people to go through it and see what is not matched. It’s a manual work,” said Paolo Gasti of NYIT, one of the researchers involved.

“What we are doing instead is we take the password dump, give it to the tool and let it run for a day, a week or a month and you’re done. You’ve already learned as much as the tool can learn from this new dataset.”

PassGAN technology “represents a substantial improvement on rule-based password generation tools because it infers password distribution information autonomously from password data rather than via manual analysis,” the researchers wrote. “As a result, it can effortlessly take advantage of new password leaks to generate richer password distributions.”

According to threatpost.com, GANs are deep-learning tools that are made up of two deep neural networks: generative and discriminative. The deep learning is used in many applications to generate something new from a dataset (i.e., scanning thousands of images of faces or rooms to create a new, unique image).

Gasti said this may be the first application of GANs in security, and their intent was to teach the deep neural networks what user-chosen passwords look like without providing the network any context, such as personal information like dates of birth or pet names which users often combine when forming what they believe are complex passwords.

“We are not providing any information, just blindly giving a set of passwords to the machine, and the machine is figuring out what a password is.

“The idea is that this machine will go through these passwords hundreds of thousands of times and every time it runs through them, it learns something new, some new relationship between components of a password,” Gasti said. “The hundred-thousandth pass might be ‘I’ve identified this word and numbers and know the relationship between them and the probability that binds them.’

Ideally, a fast cluster of machines could analyse millions of passwords for a month, for example, and extract rules that a manual process could never generate, he said.

I-HLS

You Might Also Read

Keeping Passwords Safe From Cracking:

Will Biometrics Take Over From Passwords?:

« Insurance Will Reduce Cyber Losses
Israeli Spies Hacked Kaspersky »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Wizard Computing

Wizard Computing

Wizard Computer Services is a full service IT solutions provider that offers managed services, consultation, installation, and support to small and large businesses in New England.

PCI Pal

PCI Pal

PCI Pal’s secure cloud payment solutions are certified to the highest level of security by the leading card companies.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

Crosscheck Networks

Crosscheck Networks

Crosscheck products allow you to test your APIs across different protocols and message formats with functional automation, performance, and security testing capabilities.

GuidePoint Security

GuidePoint Security

GuidePoint Security provide information security solutions that enable commercial and federal organizations to more successfully achieve their security and business goals.

Dermalog Identification Systems

Dermalog Identification Systems

Dermalog Identification Systems is a pioneer in biometry and the largest German manufacturer of biometric devices and systems.

FRSecure

FRSecure

FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction.

Liongard

Liongard

Liongard automates the management and protection of modern IT environments at scale for IT MSPs - Managed Service Providers and Enterprise IT Operations.

AUREA Technology

AUREA Technology

The photon counter SPD_OEM_NIR from AUREA Technology is designed for quantum key distribution at telecom wavelengths.

N8 Identity

N8 Identity

N8 Identity helps organizations realize the vision of Autonomous Identity Governance™ with AI-driven Identity solutions.

Integrity

Integrity

Integrity is a PCI QSA and ISO 27001 certified company specialized in Information Security and IT Consulting.

Center for Information Security Awareness (CFISA)

Center for Information Security Awareness (CFISA)

CFISA was formed by a group of academics, security and fraud experts to explore ways to increase security awareness among audiences, including consumers, employees, businesses and law enforcement.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

Millennium Corporation

Millennium Corporation

For nearly two decades, Millennium Corporation has been operating on the leading edge of cybersecurity.

Identifid

Identifid

Identifid offers a suite of fraud prevention and identity authentication solutions to businesses and governments using the latest advances in AI, vision processing, and biometric recognition.

SentryMark

SentryMark

Stay a Step Ahead of Emerging Threats. Deviate from the traditional siloed defenses and get the proactive and responsive cybersecurity solutions and services you deserve with SentryMark today.