When choosing a new password, users are told to keep a long list of rules in mind so that it cannot be cracked: it should be at least 12 characters long and should not contain family or pet names, postal codes, house numbers or birth dates. Coming up with a password that meets all of these criteria is hard, so many of us skip the effort and reuse the same password whenever we create a new online account. Nor is a variation on an old password safe: tools such as neural networks can guess such passwords easily.
Neural Networks and Password Guessing
Attackers have several ways of getting into online accounts, as the breaches reported almost daily show. The best known is the brute-force attack: trying every possible combination of characters until one matches. That takes far too long for anything but short passwords, so practical attacks start from a dictionary of likely passwords, combine it with brute-forced prefixes or suffixes (so-called hybrid attacks), or use dedicated password-guessing software that orders candidates by how likely they are. Such software is a highly useful utility in the hands of cybercriminals.
Researchers at the Stevens Institute of Technology (Hoboken, New Jersey) and the New York Institute of Technology have taken password cracking a step further with machine learning. Their tool, called PassGAN (Password Generative Adversarial Network), is a deep-learning password guesser built on GANs that, in their experiments, turned out to be more effective than the rule-based modes of the open source crackers John the Ripper and HashCat. A GAN consists of two deep neural networks trained against each other: a generator, which here produces candidate passwords, and a discriminator, which tries to tell the generator's output apart from real leaked passwords, pushing the generator to produce ever more realistic candidates.
In a technical paper entitled PassGAN: A Deep Learning Approach for Password Guessing, the researchers describe how to replace hand-written password generation rules with password generation grounded in theory and learned by the model from real password data.
The baseline for their comparison is the rule-based guessing those crackers perform: expanding a dictionary with password generation (mangling) rules. That is more sophisticated than a plain dictionary attack, which tries every word of the dictionary as-is. The rules define transformations, such as concatenation of words (for example, "password" and "123456" become "password123456") and leetspeak substitutions (for example, "password" becomes "p4s5w0rd"), and because the rules are written by hand, the rule set bounds what the cracker can ever find.
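To make the rule-based baseline concrete, here is a small wordlist expander. It is an added example, not code from the PassGAN paper, John the Ripper or hashcat, and it expresses rules as Python functions rather than in those tools' rule syntax; the leetspeak map, the suffix list and the year range are assumptions chosen for the example. Note that the substitution rule replaces every mapped letter, so "password" becomes "p455w0rd" rather than the partial "p4s5w0rd" quoted above.

```python
"""Added example: a minimal rule-based wordlist expander of the kind crackers
apply to a dictionary. A rule is a function str -> str; rules are built by
combining a base transform (case, leetspeak) with a suffix, then applied to
every base word to produce the candidate list."""
from typing import Callable, Iterable, List

# Per-character leetspeak map (assumed); real rule sets carry many more variants.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# Suffixes to try; the year range is an assumption for the example.
SUFFIXES = ["", "1", "123", "123456", "!"] + [str(y) for y in range(2015, 2020)]


def identity(w: str) -> str:
    return w


def capitalize(w: str) -> str:
    return w[:1].upper() + w[1:]


def leet(w: str) -> str:
    """Substitute every mapped letter: 'password' -> 'p455w0rd'."""
    return "".join(LEET.get(c, c) for c in w)


def compose(*fns: Callable[[str], str]) -> Callable[[str], str]:
    """Apply the given transforms left to right as a single rule."""
    def rule(w: str) -> str:
        for f in fns:
            w = f(w)
        return w
    return rule


def append(suffix: str) -> Callable[[str], str]:
    return lambda w: w + suffix


BASE = [identity, capitalize, leet, compose(leet, capitalize)]
# 4 base transforms x 10 suffixes = 40 rules, each yielding one candidate per word.
RULES: List[Callable[[str], str]] = [compose(b, append(s)) for b in BASE for s in SUFFIXES]


def expand(words: Iterable[str], rules=RULES) -> List[str]:
    """Candidate list in the order a cracker would try it: rule-major (every word
    under rule 1, then every word under rule 2, ...), de-duplicated so that words a
    rule leaves unchanged (e.g. leetspeak on an all-digit word) are not hashed
    twice. Order matters because cracking stops at the first hit, so the cheap,
    common rules are placed first."""
    words = list(words)
    seen = set()
    out: List[str] = []
    for rule in rules:
        for w in words:
            cand = rule(w)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def rank(target: str, words: Iterable[str], rules=RULES):
    """1-based position at which `target` would be guessed, or None if no rule reaches it."""
    cands = expand(words, rules)
    return cands.index(target) + 1 if target in cands else None


if __name__ == "__main__":
    base_words = ["password", "1234", "letmein"]  # constructed dictionary
    cands = expand(base_words)
    print(len(cands), "candidates from", len(base_words), "words")
    print(cands[:8])
    print("Password2019 guessed at position", rank("Password2019", base_words))
```

The blow-up is what makes rule-based cracking feasible at all: the candidate count is at most words × rules, so a 40-rule set turns a 1-million-word dictionary into 40 million guesses, a few seconds of work against fast hashes. What it cannot do is produce anything outside the hand-written rule set, which is the gap PassGAN is aimed at.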
Teaching Machines to Guess Your Password
The idea is the same one used elsewhere in machine learning: to teach a computer what a flower looks like, researchers show it a very large number of flower images; to teach it what passwords look like, they show it a very large number of real passwords. To compare PassGAN with the existing tools, the researchers gave every tool the same data. The RockYou leak contains 32 million passwords; they selected those of 10 characters or less and split them 80/20, using the 80% to train PassGAN and as the wordlist that John the Ripper's and HashCat's rules expand, and holding back the remaining 20% as the test set against which every tool's guesses were checked. In addition, they used a dataset from the LinkedIn leak, which consists of 60 million unique passwords.
Can Machines Guess Your Password? Yes, They Can!
The results were striking: using PassGAN, the researchers report matching more than 46% of the passwords in the test set held out from the RockYou leak, passwords the model had never seen during training.
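The percentage above is the output of an evaluation loop like the one below. This is an added example, not code from the PassGAN paper: a constructed miniature leak stands in for RockYou, and the guesser is the simplest real baseline, the training split's own passwords ordered by frequency, which is how a cracker's wordlist is normally built from a leak. The 80/20 split and the guess budgets are the only parameters; which denominator a paper uses (all test entries or unique test passwords) must be checked, and the function returns both because counting unique passwords is the harder number.

```python
"""Added example: the train/test evaluation behind a "matched X% of the test
set" figure. The leak, the split and the frequency-ordered guesser are all
stand-ins constructed for the example."""
import random
from collections import Counter

# Constructed stand-in for a leak dump: repeated entries model real frequency skew.
LEAK = (["123456"] * 40 + ["password"] * 25 + ["iloveyou"] * 12 + ["qwerty"] * 8
        + ["monkey"] * 5 + ["letmein"] * 4 + ["dragon"] * 3
        + [f"user{i}pass" for i in range(20)]          # long tail, effectively unique
        + ["sunshine", "princess", "football"])


def split(passwords, train_frac=0.8, seed=0):
    """Shuffle with a fixed seed, then cut into train/test (80/20 as in the paper)."""
    rows = list(passwords)
    random.Random(seed).shuffle(rows)
    cut = int(len(rows) * train_frac)
    return rows[:cut], rows[cut:]


def frequency_wordlist(train):
    """Guess list: distinct training passwords, most frequent first."""
    return [pw for pw, _ in Counter(train).most_common()]


def coverage(guesses, test, budget):
    """Fraction of the test set matched by the first `budget` guesses.

    Returns (fraction of all test entries, fraction of unique test passwords).
    The first says how many accounts fall; the second, which ignores how often a
    password repeats, is the harder target and is what guessing papers usually
    report."""
    if not test:
        raise ValueError("empty test set")
    tried = set(guesses[:budget])
    hit_entries = sum(1 for pw in test if pw in tried)
    uniq = set(test)
    hit_unique = sum(1 for pw in uniq if pw in tried)
    return hit_entries / len(test), hit_unique / len(uniq)


def coverage_curve(guesses, test, budgets=(1, 3, 10, 100)):
    """Match rate at increasing guess budgets; never decreases with the budget."""
    return {b: coverage(guesses, test, b) for b in budgets}


if __name__ == "__main__":
    train, test = split(LEAK)
    guesses = frequency_wordlist(train)
    for b, (entries, unique) in coverage_curve(guesses, test).items():
        print(f"{b:>4} guesses: {entries:6.1%} of entries, {unique:6.1%} of unique passwords")
```

Two things the toy run makes visible: a handful of guesses already covers the bulk of entries because real leaks are dominated by a few passwords, and the long-tail passwords that appear only once are exactly the ones a frequency list can never reach, since nothing in the training split predicts them. Rule-based expansion and generators such as PassGAN are attempts to push into that tail.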
In a separate experiment, researchers at the University of North Carolina obtained the password histories of more than 10,000 defunct accounts belonging to former university students and staff. Because users had been required to change their passwords regularly, the dataset held more than 50,000 passwords. After cracking roughly 60% of them with conventional cracking, the researchers built a more targeted approach that derived its guesses from the previous password the same user had chosen.
They made an important discovery: users tended to pick new passwords that followed predictable patterns, which the researchers call 'transformations', such as incrementing a number or swapping a letter for a similar-looking symbol. The consequence is that an attacker who has already obtained one of a user's passwords can often guess that user's later passwords quickly, especially when the change was forced by an unexpected password-change prompt rather than chosen by the user.
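The transformation-based guessing the UNC researchers describe can be reproduced in a few dozen lines. The block below is an added example, not the researchers' code: the set of transforms, their order and the two-step chaining are choices made for the example, not the paper's taxonomy. Starting from a known old password, it enumerates every password reachable by one transform, then by two, and reports how many guesses the new password would have taken.

```python
"""Added example: guess a user's new password from their previous one by
enumerating small transformations and chaining up to two of them. Transform set
and ordering are assumptions for the example."""
import re
from collections import deque

# Letter -> similar-looking symbol swaps (assumed set).
LOOKALIKE = {"a": "@", "s": "$", "i": "!", "o": "0", "e": "3", "l": "1"}


def bump_number(pw: str) -> str:
    """'summer2018' -> 'summer2019', 'hunter' -> 'hunter1', 'pass09' -> 'pass10'."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return pw + "1"
    digits = m.group(1)
    return pw[:m.start()] + str(int(digits) + 1).zfill(len(digits))


def lookalike_subs(pw: str):
    """One symbol-for-letter swap at a time, each position separately."""
    out = []
    for i, c in enumerate(pw):
        if c.lower() in LOOKALIKE:
            out.append(pw[:i] + LOOKALIKE[c.lower()] + pw[i + 1:])
    return out


def toggle_first(pw: str) -> str:
    return pw[:1].swapcase() + pw[1:]


def neighbours(pw: str):
    """All single-step transforms of pw, in the order they are tried.
    Candidates equal to the input (e.g. case toggle on a digit) are dropped."""
    cands = [bump_number(pw), toggle_first(pw), pw + "!", pw[:-1], pw[1:] + pw[:1]]
    cands += lookalike_subs(pw)
    return [c for c in cands if c and c != pw]


def transform_guesses(old: str, depth: int = 2):
    """Breadth-first enumeration of passwords reachable from `old` in up to `depth`
    transforms. Depth-1 guesses come first, so the cheapest changes are tried
    before combinations such as 'increment the number and capitalise'."""
    seen = {old}
    order = []
    frontier = deque([(old, 0)])
    while frontier:
        cur, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in neighbours(cur):
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                frontier.append((nxt, d + 1))
    return order


def guess_rank(old: str, new: str, depth: int = 2):
    """1-based position of `new` in the guess list derived from `old`, or None."""
    guesses = transform_guesses(old, depth)
    return guesses.index(new) + 1 if new in guesses else None


if __name__ == "__main__":
    # Constructed old/new pairs in the style the study describes.
    for old, new in [("summer2018", "summer2019"), ("hunter", "Hunter1"), ("hunter", "zebra")]:
        print(f"{old!r} -> {new!r}: guess #{guess_rank(old, new)}")
```

A ranking in the single digits means the new password falls within an online guessing budget, before any lockout triggers; that is the practical reason expiry-driven changes add so little security.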