AI Can Guess Your Password

How can you guess a password in an efficient way? A new application of artificial intelligence and deep learning in the field of information security focuses on passwords.

Researchers from the Stevens Institute of Technology and the New York Institute of Technology have recently published results from their work using Generative Adversarial Networks (GANs) to generate password guesses at a better rate, they said, than existing tools.

By opting for these powerful analytical tools, the researchers said they can use machines to learn from existing data, such as any of the millions of passwords leaked in the last 18 months, and develop new password rules that not only improve the efficiency of the pen-testing tools, but also could someday be the primary tool used to recover or guess passwords.

“Let’s say tomorrow there is another password leak; if you’re building rules manually and you want to take advantage of that knowledge from the leak, you have to get people to go through it and see what is not matched. It’s a manual work,” said Paolo Gasti of NYIT, one of the researchers involved.

“What we are doing instead is we take the password dump, give it to the tool and let it run for a day, a week or a month and you’re done. You’ve already learned as much as the tool can learn from this new dataset.”

PassGAN technology “represents a substantial improvement on rule-based password generation tools because it infers password distribution information autonomously from password data rather than via manual analysis,” the researchers wrote. “As a result, it can effortlessly take advantage of new password leaks to generate richer password distributions.”

According to threatpost.com, GANs are deep-learning tools that are made up of two deep neural networks: generative and discriminative. The deep learning is used in many applications to generate something new from a dataset (i.e., scanning thousands of images of faces or rooms to create a new, unique image).

Gasti said this may be the first application of GANs in security, and their intent was to teach the deep neural networks what user-chosen passwords look like without providing the network any context, such as personal information like dates of birth or pet names which users often combine when forming what they believe are complex passwords.

“We are not providing any information, just blindly giving a set of passwords to the machine, and the machine is figuring out what a password is.

“The idea is that this machine will go through these passwords hundreds of thousands of times and every time it runs through them, it learns something new, some new relationship between components of a password,” Gasti said. “The hundred-thousandth pass might be ‘I’ve identified this word and numbers and know the relationship between them and the probability that binds them.’

Ideally, a fast cluster of machines could analyse millions of passwords for a month, for example, and extract rules that a manual process could never generate, he said.

I-HLS

You Might Also Read

Keeping Passwords Safe From Cracking:

Will Biometrics Take Over From Passwords?:

« Insurance Will Reduce Cyber Losses
Israeli Spies Hacked Kaspersky »

Directory of Suppliers

VMworld

VMworld

VMworld is a global conference for virtualization and cloud computing, including associated security issues.

CMS Wire

CMS Wire

CMSWire.com is a web magazine. Areas of focus include Enterprise Information Management which also covers cyber security.

Latham & Watkins LLP

Latham & Watkins LLP

Latham & Watkins is an international law firm. Practice areas include Data Privacy, Security and Cybercrime.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

Senetas

Senetas

Senetas is a leading developer and manufacturer of certified high-assurance encryption solutions, dedicated to protecting network transmitted data without compromising performance.

Strategic Security

Strategic Security

Strategic Security is an IT Security consulting firm that provides in-depth technical security assessments of networks, web applications, and regulatory compliance gap analysis.

Titania

Titania

Titania provide network security and compliance software. Find your Network Security gaps before hackers do with our security & compliance tools.

PureVPN

PureVPN

PureVPN provides unrestricted browsing experience with protection against all online threats. We offer 300+ servers in 44 countries.

Hiscox

Hiscox

Hiscox offers cyber and data risks insurance to protect your business against the risks of holding data and using computer systems..

XenArmor

XenArmor

XenArmor products include NetCertScanner, an enterprise software to scan & manage expired SSL Certificates on your local network or internet.

Nethemba

Nethemba

Nethemba provide pentesting and security audits for networks and web applications. Other services include digital forensics, training and consultancy.

CLUSIL

CLUSIL

CLUSIL is an association for the information security industry in Luxembourg.

Secusmart

Secusmart

Secusmart provide highly secure and encrypted speech and data communication solutions.

Qubitekk

Qubitekk

Qubitekk has developed quantum cryptography solutions for the machine-to-machine (M2M) communications market.

Sift Security

Sift Security

Sift Security utilizes relational graph data structures, novel data science, and intuitive visualization to simplify threat detection and response for cloud infrastructure.