SoylentNews is people

posted by janrinok on Friday April 14 2023, @11:54AM
from the AI-can-do-stuff-just-as-poorly dept.

As the title suggests, they weren't all that impressed.

From the article:

As with so many things involving AI, the claims are served with a generous portion of smoke and mirrors. PassGAN, as the tool is dubbed, performs no better than more conventional cracking methods. In short, anything PassGAN can do, these more tried and true tools do as well or better. And like so many of the non-AI password checkers Ars has criticized in the past—e.g., here, here, and here—the researchers behind PassGAN draw password advice from their experiment that undermines real security.

PassGAN is a shortened combination of the words "Password" and "generative adversarial networks." PassGAN is an approach that debuted in 2017. It uses machine learning algorithms running on a neural network in place of conventional methods devised by humans. These GANs generate password guesses after autonomously learning the distribution of passwords by processing the spoils of previous real-world breaches. These guesses are used in offline attacks made possible when a database of password hashes leaks as a result of a security breach.

Conventional password guessing uses lists of words numbering in the billions taken from previous breaches. Popular password-cracking applications like Hashcat and John the Ripper then apply "mangling rules" to these lists to enable variations on the fly.

[...] PassGAN uses none of these methods. Instead, it creates a neural network, a type of data structure loosely inspired by networks of biological neurons. This neural network attempts to train machines to interpret and analyze data in a way that's similar to how a human mind would. These networks are organized in layers, with inputs from one layer connected to outputs from the next layer.

PassGAN was an exciting experiment that helped usher in the use of AI-based password candidate generators, but its time in the sun has come and gone, password-cracking expert and Senior Principal Engineer at Yahoo Jeremi Gosney said. Gosney added that a different neural networking method for guessing passwords, introduced in 2016, performs slightly better than PassGAN.
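
The mangling rules described in the quoted article are why a password check should compare a candidate against breached words after undoing those rules, not just against the raw list. The following is an added example, not code from the article or from any tool named on this page; the denylist, the rule set and the function names are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample denylist (assumption); a real check loads a breach-derived list.
BREACHED_WORDS = {"password", "letmein", "dragon", "sunshine", "qwerty"}

# Character substitutions commonly applied by mangling rules, mapped back to letters.
UNLEET = str.maketrans("013457@$!", "oieastasi")

# Digits and symbols prepended or appended to a base word.
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_bases(password: str) -> set:
    """Return the base words a password reduces to once common mangling is undone."""
    lowered = password.lower()  # undo capitalisation rules
    forms = {
        lowered,
        EDGE_JUNK.sub("", lowered).translate(UNLEET),  # strip affixes, then un-leet
        EDGE_JUNK.sub("", lowered.translate(UNLEET)),  # un-leet, then strip affixes
    }
    forms |= {f[::-1] for f in forms}  # undo the "reverse the word" rule
    half = len(lowered) // 2
    if len(lowered) % 2 == 0 and lowered[:half] == lowered[half:]:
        forms.add(lowered[:half])  # undo the "duplicate the word" rule
    return forms


def mangled_breached_word(password: str) -> Optional[str]:
    """Return the denylisted word this password derives from, or None."""
    hits = candidate_bases(password) & BREACHED_WORDS
    return min(hits) if hits else None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["P@ssw0rd!", "Dragon2023", "5unsh1ne", "drowssap", "kV9#tqLm2z"]:
        print(pw, "->", mangled_breached_word(pw))
```

A `None` result only means the password is not a simple variant of a listed word; it says nothing about length or randomness, which still have to be checked separately.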



This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by looorg on Friday April 14 2023, @02:13PM (1 child)

    by looorg (578) on Friday April 14 2023, @02:13PM (#1301416)

    I'm not sure I understand what it actually does. That is new that is. If I understand this correctly all it does is to create curated password lists. Trying to "think like a human", or a stupid human that is trying to create a password following all the rules systems set out these days (length, characters, special characters, a number or two etc). Which is something that has been done for ages, as noted by Ars. Just in a different way without the "Neural Network". After all more common things go to the top of the list to be checked first and then it becomes more obscure and just ordinary dictionary stuff later. So what AI has to do with anything here I don't know. Unless it's just to slap AI on it to sound more hitech and cooler than it actually is. Are they (author) looking for venture capital and funding? Then I would understand the desire to include some AI into it all.

    • (Score: 3, Interesting) by NotSanguine on Friday April 14 2023, @05:44PM

      PassGAN apparently uses machine learning and lots of processing power to do almost as well as what current tools already do.

      The Editors (and rightly so, in fact I kind of expected it -- fair use does have limits) cut down my original submission significantly as I (in an attempt to catch as much meaning in TFS as I could) included much more of TFA in my submission [soylentnews.org]

      Unfortunately (from one POV), TFA spread the useful information out, making it difficult to provide the important details in just a few paragraphs from it. Significantly more information is in my original submission [soylentnews.org], including the password checker [homesecurityheroes.com] and adaptation of code (see below) links.

      I'll clarify a few points here:

      1. PassGAN is an approach to cracking passwords first discussed in a 2017 research paper [arxiv.org] and implemented in Python [github.com];

      2. It does use multiple cracking methods (I omitted that paragraph, but other information was also removed by the Eds -- note: not blaming the eds here. It was hard to get the info into the colossus that was my original submission and was still too long);

      3. Importantly, TFA reviews a third-party's adaptation of the code [homesecurityheroes.com] and finds it seriously wanting;

      4. There's more, so check out both my original submission [soylentnews.org] and (gasp!) TFA [arstechnica.com].

      tl;dr: Some (at least I'd never heard of them) random "security" company took code (not written by them) and adapted it for their web-based "password cracker" and proclaimed it the AI that can crack all your passwords. But that ain't the truth. Apparently, it can crack short (7 characters or less) in minutes (almost as fast as existing tools. Hooray!) but is just as bad (or worse) at cracking strong passwords. Even worse, their "checker" (also -- I think -- based on PassGAN) is really poor at identifying the actual strength of a password. Check it out in the link in (3) above.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 1, Insightful) by Anonymous Coward on Friday April 14 2023, @02:50PM

    by Anonymous Coward on Friday April 14 2023, @02:50PM (#1301419)

    ...That's Mostly Hype

    Isn't this adage true for all AI stuffs these days?
