For years, the security industry has emphasized the importance of strong passwords. A recent study by Home Security Heroes underscores the value of that advice.
Using artificial intelligence, the crew at the Home Security information and reviews website can crack, instantly or within minutes, passwords ranging from 4 to 7 characters, even if the passwords contain a mix of numbers, uppercase and lowercase letters, and symbols.
After entering over 15.6 million passwords into an AI-powered password cracker called PassGAN, the researchers concluded that they could crack 51% of common passwords in one minute.
However, the AI software failed for longer passwords. An 18-character numeric-only password would take at least 10 months to crack, and a lengthy password containing numbers, uppercase and lowercase letters, and symbols would take 600 quadrillion years to crack.
On the Home Security Heroes website, the researchers explained that PassGAN uses a generative adversarial network (GAN) to autonomously learn the distribution of real passwords from real password leaks and generate realistic passwords that hackers can exploit.
“AI algorithms are continuously A/B testing each other millions of times to stimulate learning, and are more than 100,000 times faster than the human brain using microchips. You seem to own the sum total of knowledge,” explains Domingo Guerra, vice president of trust at Incord Technologies, an international identity verification and biometrics company.
“Compared to traditional brute force algorithms with limited capabilities, AI predicts the next most likely number based on all the information it learns,” he told TechNewsWorld. “Instead of looking for knowledge externally, it leans into the patterns it builds during training to quickly demonstrate queried behavior.”
Skeptical of AI
Based on publicly available information, the AI is using techniques similar to rainbow table attacks rather than simply brute-forcing passwords, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative. Hackers use rainbow tables to convert hashed passwords into plaintext.
“Rainbow tables allow AI to perform simple search and compare operations on hashed passwords instead of time-consuming brute force attacks,” he told TechNewsWorld.
“Rainbow table attacks have been around for years and have been shown to crack even 14-character passwords in less than five minutes,” he added. “Older hashing algorithms such as MD5 and SHA-1 are also susceptible to these forms of attack.”
Most password cracking is done by first finding and then comparing hashed passwords, explains Robert Hughes, chief information security officer at RSA, a cybersecurity company in Bedford, Massachusetts.
“Theoretically, AI could learn more information about a subject and use it to do this in an intelligent way, but this has not been proven in practice.”
“Security teams have been battling brute force and rainbow tables for years,” he says. “In fact, the PassGAN AI model is not significantly faster than other models utilized by attackers.”
Limits of AI
Roger Grimes is a defense evangelist at KnowBe4, which provides security awareness training in Clearwater, Florida.
“Probably possible and certainly possible in the future,” he told TechNewsWorld.
“As more and more people use password managers that create truly random passwords, AI will have no advantage over traditional password cracking if the associated passwords are truly random,” he added.
Security experts point out that using AI to crack passwords has some limitations. For example, computing power can be a challenge. “Long and complex passwords take a long time to crack, even for AI,” Childs said.
“It’s also not clear how the AI will deal with the salting mechanism used by some hashing algorithms,” he said.
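Why the salting Childs mentions matters for precomputed lookups, shown as an added example that is not from the article or the study. The account names, candidate list and PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short candidate list standing in for a leaked-password corpus.
CANDIDATES = ["123456", "password", "qwerty2023", "letmein"]
# Constructed accounts; alice and bob share a password on purpose.
USERS = {"alice": "password", "bob": "password", "carol": "vR7#qLm2xT9!wZp4"}

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(candidates):
    """Precompute hash -> plaintext once; the same table works on any unsalted MD5 store."""
    return {md5_hex(pw): pw for pw in candidates}

def table_hits(unsalted_store, lookup):
    """Accounts whose stored hash appears in the precomputed table."""
    return {user: lookup[h] for user, h in unsalted_store.items() if h in lookup}

def store_salted(password, iterations=600_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def compare_schemes():
    unsalted = {u: md5_hex(pw) for u, pw in USERS.items()}
    salted = {u: store_salted(pw) for u, pw in USERS.items()}
    return {
        # One precomputed table recovers every account that used a listed password.
        "recovered_from_unsalted": table_hits(unsalted, build_lookup(CANDIDATES)),
        # Identical unsalted hashes reveal that two users share a password.
        "unsalted_duplicates_visible": unsalted["alice"] == unsalted["bob"],
        # Per-user salts make the same password hash differently for each account.
        "salted_duplicates_visible": salted["alice"]["digest"] == salted["bob"]["digest"],
        "salted_login_ok": verify_salted("password", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```

The random password assigned to carol is never recovered by the table, which matches Grimes' point about password managers.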
There’s also a big difference between generating a huge number of password guesses and being able to enter those guesses in a real-life scenario, added John Gunn, CEO of Token, a manufacturer of biometric-based wearable authentication rings located in Rochester, NY.
“Most apps and systems have a low number of false entries before they lock out hackers, and AI won’t change that,” he told TechNewsWorld.
Goodbye long passwords
Of course, if you don’t have a password to crack, you don’t have to worry about AI cracking your password. Despite yearly predictions about the demise of passwords, that seems impossible, at least in the short term.
“Over time, it has the potential to streamline password management hassles by removing the cumbersome manual process of remembering and entering long numbers and letters for access.” Keeper Security is a Chicago password management and online storage company.
“But given the billions of existing devices and systems that already rely on password security, passwords are with us for the foreseeable future,” he told TechNewsWorld. “We can only offer stronger protections to support safe use.”
Grimes added that there has been a move to do away with passwords since the late 1980s. “Thousands of articles have predicted the demise of passwords, but decades later it’s still a struggle,” he said.
“All non-password authentication solutions combined will not work for 2% of the world’s sites and services,” he continued. “This is a problem, and it’s preventing widespread adoption.”
“Fortunately, more people are now using some form of non-password authentication to log on to one or more sites or services,” he pointed out.
“But as long as the combined percentage of sites and services remains below 2%, the ‘tipping point’ for mass adoption of non-password authentication will be tough,” he said. “This is a frustratingly difficult chicken-and-egg problem in the real world.”
Hughes acknowledges that legacy systems and trust from users and administrators are slowing the move away from passwords. However, he added: most people and businesses. ”