Meet PassGAN, the supposedly “terrifying” AI password cracker that’s mostly hype

Accepted submission by NotSanguine http://soylentnews.org/~NotSanguine at 2023-04-13 07:46:34 from the AI-can-do-stuff-just-as-poorly dept.
Security

Dan Goodin over at Ars Technica reviewed [arstechnica.com] an "AI" based password cracker called PassGAN [github.com].

As the title suggests, they weren't all that impressed.

From the article [arstechnica.com]:

By now, you’ve probably heard about a new AI-based password cracker [homesecurityheroes.com] that can compromise your password in seconds by using artificial intelligence instead of more traditional methods. Some outlets have called it "terrifying," [9to5mac.com] "worrying," [mpost.io] "alarming," [hothardware.com] and "savvy." [zdnet.com] Other publications have fallen over themselves to report that the tool can crack any password with up to seven characters—even if it has symbols and numbers—in under six minutes.

As with so many things involving AI, the claims are served with a generous portion of smoke and mirrors. PassGAN, as the tool is dubbed, performs no better than more conventional cracking methods. In short, anything PassGAN can do, these more tried and true tools do as well or better. And like so many of the non-AI password checkers Ars has criticized in the past—e.g., here [arstechnica.com], here [arstechnica.com], and here [arstechnica.com]—the researchers behind PassGAN draw password advice from their experiment that undermines real security.

Teaching a machine to crack
PassGAN is a shortened combination of the words "Password" and "generative adversarial networks." PassGAN is an approach that debuted in 2017 [arxiv.org]. It uses machine learning algorithms running on a neural network in place of conventional methods devised by humans. These GANs generate password guesses after autonomously learning the distribution of passwords by processing the spoils of previous real-world breaches. These guesses are used in offline attacks made possible when a database of password hashes leaks as a result of a security breach.

Conventional password guessing uses lists of words numbering in the billions taken from previous breaches. Popular password-cracking applications like Hashcat [hashcat.net] and John the Ripper [openwall.com] then apply "mangling [openwall.com] rules" to these lists to enable variations on the fly.
[...]
PassGAN uses none of these methods. Instead, it creates a neural network [arstechnica.com], a type of data structure loosely inspired by networks of biological neurons. This neural network attempts to train machines to interpret and analyze data in a way that’s similar to how a human mind would. These networks are organized in layers, with inputs from one layer connected to outputs from the next layer.

PassGAN was an exciting experiment that helped usher in the use of AI-based password candidate generators, but its time in the sun has come and gone, password-cracking expert and Senior Principal Engineer at Yahoo Jeremi Gosney [linkedin.com] said. Gosney added that a different neural networking method for guessing passwords, introduced in 2016 [usenix.org], performs slightly better than PassGAN. A runner-up is this research [github.com] from researcher Matt Weir. It uses a machine-learning model known as PCFGs—short for "probabilistic context-free grammars."

“But even as the leading AI password candidate generator, their cracker is about on par with Markov generators (not a significant improvement),” he wrote of the 2016 work in an online interview. Referring to the overall results of the PassGAN tool implemented by Home Security Heroes, he wrote, “Unfortunately, its performance falls well short of existing techniques, including statistical candidate generators like Markov, probabilistic candidate generators like PCFGs, wordlists with mangling rules, and for short inputs, even dumb brute force.”

All of these nuances are lost on the Home Security Heroes team that demonstrated the PassGAN tool. They trained it on 15.7 million passwords taken solely from the RockYou breach, a tiny and outdated sliver of the overall corpus of available samples today. It can crack 81 percent of them in less than a month, 71 percent in less than a day, and 65 percent in less than an hour. It can also guess any seven-character password in six minutes or less.

It's impressive that a machine can achieve that level of performance, and therein lies the value of the original PassGAN research. But compared to what’s possible through conventional means, these results are hardly remarkable. The chances that PassGAN will ever replace more conventional password cracking are infinitesimally small.
[...]
As a final embarrassment, Home Security Heroes' password strength checker is nothing short of abysmal. Remember "momof3g8kids," one of the many passwords mentioned earlier that was cracked in minutes to hours using traditional methods? The checker says PassGAN would need 14 billion years to guess it. The same checker says it would take only 187 million years to crack the password "2HdmYfcn!H9VhV," which, by all objective measurements, is immeasurably more secure.

So to all the people saying PassGAN represents a new threat to password security… no. PassGAN was an interesting experiment with minimal lasting benefit other than showing it's possible to build a working AI-based password candidate generator that doesn't rely on humans. The only notable or concerning thing about PassGAN these days is the hype and the counterproductive advice it's generating.
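The quoted article contrasts the Home Security Heroes "years to crack" checker with statistical candidate generators such as Markov models. The following added example (not code from the article, from PassGAN or from Home Security Heroes) scores the two passwords Ars mentions with a naive character-class estimate and with an order-2 character Markov model trained on a small constructed password list; the corpus, the smoothing constant and both scoring functions are assumptions of this example.

```python
# Added example (not from the Ars article, PassGAN or Home Security Heroes): a character-class
# "pool" estimate, as many strength meters use, beside an order-2 character Markov model.
import math
from collections import Counter

V = 95  # printable ASCII symbols the smoothed model can emit
START = "\x02"  # padding token so the first characters also get a context
# Constructed stand-in for a breach corpus (a real one such as RockYou is millions of lines).
TRAINING = [
    "momof2", "momof3", "momof4kids", "mom2kids", "mom3kids", "momof3boys",
    "kids2010", "mykids", "mykids123", "ilovemykids", "kidsrule",
    "password", "password1", "iloveyou", "iloveyou2", "princess", "sunshine",
    "football", "baseball", "soccer1", "qwerty", "123456", "abc123",
]

def naive_bits(pw: str) -> float:
    """len * log2(pool): the estimate behind most 'years to crack' meters."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0

class MarkovModel:
    """Order-2 character Markov model with additive smoothing (alpha per symbol)."""
    def __init__(self, corpus, order: int = 2, alpha: float = 0.1):
        self.order, self.alpha = order, alpha
        self.ctx, self.trans = Counter(), Counter()  # context counts, (context, next char) counts
        for pw in corpus:
            padded = START * order + pw
            for i in range(order, len(padded)):
                c = padded[i - order:i]
                self.ctx[c] += 1
                self.trans[c, padded[i]] += 1

    def bits(self, pw: str) -> float:
        """-log2 P(pw): lower means a Markov-style guesser reaches the password sooner."""
        total, padded = 0.0, START * self.order + pw
        for i in range(self.order, len(padded)):
            c = padded[i - self.order:i]
            p = (self.trans[c, padded[i]] + self.alpha) / (self.ctx[c] + self.alpha * V)
            total -= math.log2(p)
        return total

if __name__ == "__main__":
    model = MarkovModel(TRAINING)
    for pw in ("momof3g8kids", "2HdmYfcn!H9VhV"):
        print(f"{pw:15} naive {naive_bits(pw):5.1f} bits   markov {model.bits(pw):5.1f} bits")
```

The naive meter credits "momof3g8kids" with about 62 bits, while the corpus-trained model scores it around 40 bits because "momof3" and "kids" are common breach-list fragments; the random 14-character string scores above 90 bits under both, which is the ordering the article says the Home Security Heroes checker got backwards.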
