Researchers have discovered that artificial intelligence could make it easier than ever for malicious actors to figure out your password and access your online accounts. And, even worse, they expect hackers will be using this method in the coming years — if they aren’t already.

“We just raised the bar in terms of what a secure password should be,” New York Institute of Technology cybersecurity researcher Paolo Gasti tells Inverse.

In a preprint paper shared on arXiv, researchers at Stevens Institute and the New York Institute of Technology explain how A.I. can outdo even the most powerful known password-guessing tools like HashCat and John the Ripper, which just use relatively basic algorithms. Their A.I.-enabled network, called PassGAN, was significantly better at guessing passwords from a leaked database of old LinkedIn passwords than either of the traditional tools was by itself.

The reason artificial intelligence is such a powerful password-cracking tool is that its fundamental purpose is to simulate how humans think — and people put varying degrees of thought into their passwords. If most people pick easy-to-remember passwords and use variants of the same basic passwords for multiple accounts, there are patterns just waiting for an A.I. like PassGAN to uncover. When given one real-life leaked database of passwords, PassGAN guessed 12 percent of the passwords from the LinkedIn set, and that number reached a whopping 27 percent when working in tandem with HashCat and John the Ripper.

Time to come up with something more secure.

“Passwords tend to follow rules,” says Gasti. “What we’re finding is that deep neural networks might be able to learn these rules implicitly. If you show them tens of millions of passwords, they’ll eventually realize very complicated functions that describe how different sets of users are generating passwords. We don’t tell the deep learning network what these rules are, they can look at the data and learn that themselves.”

It’s because of this that many experts, including Gasti, recommend using unique passwords made up of long random sequences of letters and numbers, like those generated by password management software. Some argue it’s time for us to get rid of the traditional password altogether.

Now that the research of Gasti and his associates is out there — albeit with some crucial details withheld — he says he hopes that systems administrators will use it in penetration testing to see whether the passwords people currently use are strong enough.

There’s also the unsettling possibility that hackers might come to make use of the methods outlined.

“A team with the right expertise could replicate these results,” he said. “How it’s going to be used next is not really up to us. One of the reasons we did this research is because we assume that if malicious actors don’t have these tools now, they will have them within the next few years.”

