For years, the security industry has emphasized the importance of strong passwords. Some recent research from Home Security Heroes clearly shows the value of these tips.

Using artificial intelligence, the team at the Home Security Information and Review website cracked four- to seven-character passwords either instantly or within minutes, even when the passwords contained a mix of numbers, upper and lower case letters, and symbols.

After feeding more than 15.6 million passwords into an AI-powered password cracker called PassGAN, researchers concluded that it was possible to crack 51% of common passwords in one minute.

However, the AI ​​software faltered with longer passwords. A password consisting only of 18-character numbers would take at least 10 months to crack, and a password of this length with numbers, upper and lowercase letters, and symbols would take six quintillion years to crack.

On the Home Security Heroes website, researchers explained that PassGAN uses a generative adversarial network (GAN) to autonomously learn the distribution of real passwords from real password leaks and produce realistic passwords. that hackers can exploit.

“AI algorithms are constantly A/B tested against each other millions of times to boost learning, allowing it to seemingly possess the sum of human knowledge with microchips more than 100,000 times faster than the human brain,” explained Domingo Guerra, Executive Vice President. trust for Incode Technologies, a global identity verification and biometric authentication company.

“Compared to traditional brute-force algorithms with limited capabilities, the AI ​​predicts the most likely next number based on everything it has learned,” he told TechNewsWorld. “Rather than seeking outside knowledge, he relies on the patterns he has built during his training to quickly display questioned behavior.”

AI Skeptic

Based on what has been publicly disclosed, the AI ​​uses techniques similar to rainbow table attacks rather than simply brute-forcing a password, observed Dustin Childs, threat awareness manager at Trend Micro’s Zero Day Initiative. Hackers use rainbow tables to translate hashed passwords into plain text.

“The Rainbow Table allows the AI ​​to perform simple lookups and compare operations on a hashed password rather than a slower brute force attack,” he told TechNewsWorld .

“Rainbow table attacks have been recognized for years and have been shown to crack even 14-character passwords in less than five minutes,” he added. “Older hashing algorithms such as MD5 and SHA-1 are also more susceptible to these forms of attacks.”

Most password cracking is done by first finding a hashed password and then making comparisons to it, explained Robert Hughes, chief information security officer at RSA, a cybersecurity company in Bedford, Mass.

“In theory,” he continued, “an AI could learn more information about a subject and use it to do so intelligently, but that’s not proven in practice.”

“Security teams have been dealing with brute force and rainbow tables for years,” he said. “In fact, the PassGAN AI model doesn’t perform much faster than others that threat actors exploit.”

AI limits

Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Florida, is also not convinced that AI can crack passwords any faster than traditional methods.

“Maybe it’s possible, and certainly it can in the future,” he told TechNewsWorld, “But no one has shown me a definitive test of any of the systems. ‘Today’s AI cracking passwords faster than traditional non-AI, password guessing and cracking methods.’

“As more and more people use password managers, which create truly random passwords, AI will have no advantage over any traditional password cracking when the passwords involved are really random, as they should already be,” he added.

Security experts point out some limitations to using AI to crack passwords. Computing power can be a challenge, for example. “Longer, more complex passwords take a long time to crack, even by AI,” Childs said.

“It’s also unclear how the AI ​​would behave relative to the salting mechanisms used in some hashing algorithms,” he noted.

There’s also a big difference between generating a massive number of password guesses and being able to enter those guesses in a real-world scenario, added John Gunn, CEO of Token, a maker of a wearable password-based authentication ring. biometrics in Rochester, NY

“Most apps and systems have a low number of bad entries before locking the hacker out, and AI doesn’t change that,” he told TechNewsWorld.

Long farewell to passwords

Of course, no one would have to worry about AI cracking passwords if there were no passwords to crack. This, despite yearly predictions about the end of passwords, does not seem possible, at least in the short term.

“Over time, we’re likely to streamline the hassle of managing passwords by removing the tedious manual process of memorizing and typing long strands of numbers and letters to access them,” observed Darren Guccione, CEO of Keeper Security, an online password management and storage. company in Chicago.

“But given the billions of existing devices and systems that already rely on password security, passwords will still be with us for the foreseeable future,” he told TechNewsWorld. “We can only provide stronger protections to support their safe use.”

Grimes added that there has been a movement to get rid of passwords since the late 1980s. “There are thousands of papers predicting the death of the password, and yet decades later it’s It’s always a fight,” he said.

“If you put all the passwordless authentication solutions together, they wouldn’t work on 2% of sites and services worldwide,” he continued. “That’s a problem, and it’s preventing widespread adoption.”

“On a good note, more and more people are using some form of passwordless authentication to log in to one or more sites and services today. The percentage is higher than ever,” he noted.

“But as long as the total percentage of sites and services remains below 2%, the ‘tipping point’ for mass adoption of passwordless authentication will be difficult,” he said. “It’s a real and frustrating chicken and egg problem.”

Hughes acknowledged that legacy systems, along with user and administrator trust, have slowed the abandonment of passwords. However, he added: “Eventually the use of passwords will be minimized, and they will be used primarily in places where they are appropriate or where systems could not be updated to support other methods. , but it will still take years to ditch passwords for most people and businesses.