How cracking passwords can be easier in the age of AI/ML
In the age of AI and machine learning, self-learning models like PassGAN can make cracking passwords easier and quicker than conventional password-cracking tools. Organizations still using passwords are at risk.
What comes to your mind when you hear qwerty, 123456, iloveyou?
If you guessed that these are some of the most common passwords discovered in breaches, you’re right. Password-cracking tools like John the Ripper or Hashcat enable bad actors to check billions of passwords per second against password hashes. These tools encode human habits as rules, such as concatenation (appending 123 to password to produce password123) and leet-speak (transforming leetspeak into 13375p34k), and use those rules to guess passwords. Since most humans are predictable and tend to reuse passwords, these new-age password-guessing tools can crack passwords quicker than before.
PassGAN
PassGAN is a new tool developed by researchers who trained neural networks on datasets from password breaches (for example, RockYou); it can generate passwords better than tools like John the Ripper and Hashcat.
Using a Generative Adversarial Network (GAN), PassGAN learns passwords from actual password leaks and generates superior password guesses without any prior knowledge of password structures.
It uses two neural networks: one generates data (the Generator), and the other provides feedback (the Discriminator).
The Generator produces new data with the aim that the Discriminator will not be able to tell it apart from real data. The Discriminator evaluates whether a password is “real” (present in the training dataset) or “fake” (newly generated). The two networks run through many iterations unsupervised, one learning to create better “fakes” and the other learning to identify whether the data is “real” or not.
![How cracking passwords can be easier in the age of AI/ML](/sites/default/files/styles/1640w_scaled/public/media/image/2025-02/Screenshot%202025-02-12%20at%2012.11.50%E2%80%AFPM.png?itok=ca6tfZQX)
A real-world analogy could be bad actors producing counterfeit currency and government intelligence agencies trying to distinguish counterfeit currency from real currency. Bad actors try to improve their craft until counterfeit currency cannot be identified.
How PassGAN is different
With conventional password-guessing tools, the number of unique passwords generated depends on the number of rules defined by humans and on the size of the breached-password dataset.
In contrast, PassGAN can generate practically any number of password guesses without human intervention, and the number of password matches steadily increases with the number of passwords generated.
According to the researchers’ experiments, PassGAN guessed between 51% and 73% more unique passwords than Hashcat. In addition, when PassGAN was trained on specific samples from the RockYou dataset, it matched 21.9% of passwords from the LinkedIn breach.
Organizations using passwords are at risk
According to the Psychology of Passwords report published by LastPass in 2022, 62% of employees use the same password or variations on personal passwords, and only 33% of users create strong passwords for their work accounts.
Users reusing passwords, or variations of them, from personal email or social media accounts pose a significant risk to the organization. Such poor password practices increase the probability that an account is compromised by password-guessing tools like PassGAN.
Bad actors improve their chances by using multiple password-guessing tools. Adversaries can combine rule-based tools, which generate passwords quickly, with machine-learning-based tools to produce a larger number of guesses and so maximize the number of passwords matched.
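The rule-based guessing described above (concatenation and leet-speak applied to a wordlist) is exactly what a password policy can check for before a password is accepted. The following Go program is an added example, not code from the original post or from Okta: it expands a small constructed seed list with a capitalize, leet-speak and append-suffix rule set, then lets a policy check report whether a proposed password is derivable from that list and by which rule chain. The seed words, suffixes and the leet substitution table are assumptions chosen for illustration; a real deployment would index a breached-password corpus such as RockYou instead.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample wordlist standing in for a breached-password corpus
// (the real RockYou list has millions of entries).
var SeedWords = []string{"password", "iloveyou", "qwerty", "leetspeak"}

// Suffixes a concatenation rule would append; "" keeps the word unchanged.
var Suffixes = []string{"", "1", "123", "!", "2024"}

// leetTable is a small, hypothetical leet-speak substitution table.
var leetTable = strings.NewReplacer("a", "4", "e", "3", "l", "1", "o", "0", "s", "5", "t", "7")

// Leet rewrites lower-case letters with their leet-speak digits.
func Leet(s string) string { return leetTable.Replace(s) }

// Capitalize upper-cases the first byte of an ASCII word.
func Capitalize(s string) string {
	if s == "" {
		return s
	}
	return strings.ToUpper(s[:1]) + s[1:]
}

// Candidate is one generated guess and the rule chain that produced it.
type Candidate struct {
	Password string
	Rule     string
}

// Expand applies the rules in a fixed order (case, leet, then suffix) to every
// seed word, so the number of guesses is bounded by words x bases x suffixes.
func Expand(words []string) []Candidate {
	var out []Candidate
	for _, w := range words {
		bases := []Candidate{
			{w, "base"},
			{Capitalize(w), "capitalize"},
			{Leet(w), "leet"},
			{Leet(Capitalize(w)), "capitalize+leet"},
		}
		for _, b := range bases {
			for _, sfx := range Suffixes {
				rule := b.Rule
				if sfx != "" {
					rule += "+append(" + sfx + ")"
				}
				out = append(out, Candidate{b.Password + sfx, rule})
			}
		}
	}
	return out
}

// BuildIndex maps every derivable password to the first rule that produced it.
func BuildIndex(words []string) map[string]string {
	idx := make(map[string]string)
	for _, c := range Expand(words) {
		if _, seen := idx[c.Password]; !seen {
			idx[c.Password] = c.Rule
		}
	}
	return idx
}

// Derivation reports whether a proposed password is reachable from the seed
// list with these rules and, if so, which rule chain reaches it. A password
// policy can reject any candidate for which ok is true.
func Derivation(idx map[string]string, password string) (rule string, ok bool) {
	rule, ok = idx[password]
	return rule, ok
}

func main() {
	idx := BuildIndex(SeedWords)
	fmt.Printf("%d candidate guesses from %d seed words\n", len(idx), len(SeedWords))
	for _, p := range []string{"password123", "13375p34k", "P455w0rd!", "Tr0ub4dor&3"} {
		if rule, ok := Derivation(idx, p); ok {
			fmt.Printf("%-12s REJECT: derivable via %s\n", p, rule)
		} else {
			fmt.Printf("%-12s not derivable from the seed list\n", p)
		}
	}
}
```

Four seed words and a handful of rules already yield 80 candidates; the point of the check is that a password which looks "complex" to a human (P455w0rd!) is still one short rule chain away from a breached word, which is the weakness both Hashcat-style rules and PassGAN exploit.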
Passwordless solutions to the rescue
In this age of AI and machine learning, password guessing will become easier and quicker through tools like PassGAN. With humans being the weakest link in the organization’s security (with respect to passwords), organizations must focus on deploying passwordless solutions to improve their security posture and remain safe.
Okta FastPass™ is a passwordless solution that enables passwordless authentication and reduces the probability of a data breach due to compromised credentials.
Okta FastPass provides users with a passwordless experience and secure access to trusted applications. Okta FastPass uses public key cryptography to authenticate the user, thereby eliminating the use of passwords and the risks associated with them. Okta FastPass can also integrate with device built-in authenticators such as Windows Hello, Apple Touch ID and Apple Face ID to support biometric authentication.
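To make concrete why public key authentication leaves nothing for a tool like PassGAN to guess, here is an added Go example of a generic challenge-response exchange. It is not Okta's code and does not describe the FastPass protocol itself; the Server and Device types, the origin-binding message format and the Ed25519 choice are assumptions made for illustration. The server stores only a public key and a one-time nonce, the device signs the nonce bound to the site origin with a key that never leaves it, and the server rejects replays, signatures made for another origin, and unenrolled devices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is a hypothetical relying party. It holds enrolled public keys and
// outstanding challenges; there is no password hash anywhere to crack.
type Server struct {
	origin     string
	devices    map[string]ed25519.PublicKey // user -> enrolled device key
	challenges map[string][]byte           // user -> outstanding nonce
}

func NewServer(origin string) *Server {
	return &Server{
		origin:     origin,
		devices:    make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll registers a device's public key for a user (done once, out of band).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Challenge issues a fresh random nonce; a new one replaces any older nonce.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.devices[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// signedMessage binds the nonce to the relying party's origin, so a signature
// a device produced for another site is not valid here.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"|"), nonce...)
}

// Verify checks the signature over the pending nonce and consumes the nonce
// whether or not the check passes, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	pub, enrolled := s.devices[user]
	nonce, pending := s.challenges[user]
	if !enrolled || !pending {
		return errors.New("no pending challenge for user")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, signedMessage(s.origin, nonce), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Device is a hypothetical authenticator holding a private key that is never
// transmitted; a platform authenticator would gate Sign behind a biometric.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Sign answers a challenge for the origin the device believes it is talking to.
func (d *Device) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, nonce))
}

// Login runs one complete exchange and reports whether the server accepted it.
func Login(s *Server, user string, d *Device, origin string) error {
	nonce, err := s.Challenge(user)
	if err != nil {
		return err
	}
	return s.Verify(user, d.Sign(origin, nonce))
}

func main() {
	s := NewServer("https://example.test")
	d, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	s.Enroll("alice", pub)
	fmt.Println("genuine login:", Login(s, "alice", d, "https://example.test"))
	fmt.Println("wrong origin: ", Login(s, "alice", d, "https://lookalike.test"))
}
```

Because the server never learns the private key and each nonce is single-use, an attacker holding a full dump of the server's user table gains no offline guessing target, which is the property that removes the password-cracking risk the rest of the post describes.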
To learn more about Okta FastPass, check out the Okta FastPass Technical Whitepaper. Visit https://www.okta.com/fastpass for more product information and to contact our Sales team.
Face ID and Touch ID are trademarks of Apple Inc., registered in the U.S. and other countries. Windows Hello is a trademark of the Microsoft group of companies.