Researchers created a machine learning program that is able to generate realistic passwords based on human behavior. The program, which is an AI platform called PassGAN, was able to guess about 25 percent of a set of tens of millions of leaked LinkedIn passwords when combined with an existing password-cracking tool.

According to Paolo Gasti, an assistant professor of computer science at New York Institute of Technology who co-created PassGAN with researchers from Stevens Institute of Technology, the new platform is composed of two neural networks. (GAN stands for Generative Adversarial Networks, a relatively new machine learning technology.)

One neural network generates fake passwords after being fed a dataset of real leaked passwords. The program creates a new set of computer-generated passwords that mimic the real ones. In other words, the AI learns how humans create passwords (for example, taking a pet's name and adding the year they graduated from high school or college) and creates new passwords in the same style.

The other neural network is what Gasti called "discriminative": as the first network generates fake passwords from the dataset, the second network tries to distinguish the fake passwords from the real ones. Once the second network can no longer tell a password generated by the first network from one in the dataset of human-generated passwords, the task is complete. The result is a new dataset of millions of realistic passwords that the platform can use to try to log into other people's accounts.

Gasti and the researchers say the tool "enhances password guessing" tools available today, which run through variables and combinations by using the dictionary and datasets of leaked passwords.

But the PassGAN platform creates "likely passwords," says Gasti, without running through variations of the same password (other programs will test iloveyou, il0v3y0u, iloveyou1234, and so on). The AI learns how humans create a password instead of running through endless combinations of words and numbers.

To teach the algorithm, the researchers fed it two datasets of real passwords that had been leaked online, Gasti says. To measure how effective the algorithm is, the researchers trained it on 80 percent of a set of 43 million LinkedIn passwords and compared the generated passwords with the remaining 20 percent. The result? PassGAN generated almost 12 percent of the passwords in the LinkedIn test set. Older password-cracking tools, John the Ripper and hashcat, generated about 6 percent and 23 percent, respectively. When PassGAN and hashcat were used together, the tools generated 27 percent of the passwords in the LinkedIn set.
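The evaluation the article describes, as an added example that is not the PassGAN authors' code: an 80/20 hold-out split of a leaked list, then the fraction of held-out passwords recovered by each guess list alone and by the two combined. All data here is constructed; the "GAN" and "wordlist" guess lists are stand-ins for a generator's output and a conventional cracker's candidates.

```python
"""Coverage evaluation in the style of the PassGAN study: hold out part of a
leaked list, then score each guess set against the held-out passwords alone
and combined. Added example on constructed data, not the PassGAN authors' code."""
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed stand-in for a leaked list (the study used ~43M LinkedIn passwords).
LEAKED = ["password", "linkedin1", "fluffy2009", "iloveyou", "qwerty123",
          "max1998", "sunshine", "football7", "rex2012", "letmein",
          "buddy2004", "princess", "monkey12", "dragon", "shadow1",
          "bella2011", "trustno1", "michael", "superman", "abc123"]
# Constructed guess lists standing in for generator output and a wordlist tool.
GAN_GUESSES = ["password", "max1998", "rex2009", "lucky2010", "fluffy2010"]
WORDLIST_GUESSES = ["password", "letmein", "bella2011", "123456"]


def split_train_test(pws: Sequence[str], every: int = 5) -> Tuple[List[str], List[str]]:
    """Deterministic split: every `every`-th entry is held out (5 -> 80/20)."""
    train = [pw for i, pw in enumerate(pws) if i % every]
    test = [pw for i, pw in enumerate(pws) if not i % every]
    return train, test


def coverage(guesses: Iterable[str], held_out: Iterable[str]) -> float:
    """Fraction of distinct held-out passwords present in the guess set; counting
    distinct strings stops one very common password from inflating the score."""
    targets = set(held_out)
    return len(targets & set(guesses)) / len(targets) if targets else 0.0


def combined_coverage(lists: Sequence[Iterable[str]],
                      held_out: Iterable[str]) -> Tuple[float, List[int]]:
    """Coverage of the union of all guess lists, plus the number of held-out
    passwords that only list i recovered (its marginal contribution)."""
    targets = set(held_out)
    hits = [set(g) & targets for g in lists]
    only = [len(h - set().union(*(o for j, o in enumerate(hits) if j != i)))
            for i, h in enumerate(hits)]
    return (len(set().union(*hits)) / len(targets) if targets else 0.0), only


def run_demo() -> Dict[str, float]:
    """80/20 split of the constructed leak, then per-tool and combined scores."""
    _, test = split_train_test(LEAKED)
    union_cov, only = combined_coverage([GAN_GUESSES, WORDLIST_GUESSES], test)
    return {"gan": coverage(GAN_GUESSES, test), "wordlist": coverage(WORDLIST_GUESSES, test),
            "combined": union_cov, "only_gan": only[0], "only_wordlist": only[1]}


if __name__ == "__main__":
    print(run_demo())
```

The marginal counts are what justify the article's "used together" figure: a second tool only raises coverage by the passwords it alone recovers.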

This might not seem ground-breaking, but Gasti says the findings are important and the new technology could have major implications for cybersecurity. He says law enforcement and criminals will eventually adopt this technology, although companies can also use it for penetration testing and to make sure their employees' passwords are strong.

But as PassGAN gets better at guessing real passwords, Gasti says, it is further evidence that passwords are an ineffective security mechanism.

"On paper, you can create strong passwords but this is one more tool to break them," says Gasti. "The future of the password is limited."

Published on: Sep 20, 2017