Artificial intelligence (AI) is a rapidly developing technology that's more often associated with automation and friendly robots that will cater to kids' educational needs and to emotionally lost adults. It is also a technology that shows great potential in the realm of cybersecurity. Or, as some researchers have found, it can be quite the threat to security.
Can AI make it easier for evildoers to figure out your password and access your online accounts? Researchers from the Stevens Institute and the New York Institute of Technology believe AI can outdo effective password-guessing tools like HashCat and John the Ripper. The researchers used an AI-enabled network they dubbed PassGan that proved to be significantly better than either in guessing passwords from a leaked database of old LinkedIn passwords.
The researchers' hypothesis is that AI is a powerful password-cracking tool because it simulates how humans think. Traditionally, people put only basic thought into choosing passwords, i.e., they pick passwords that are easy to remember, based on common events like birthdays and anniversaries or on names of pets, children, etc. If people pick easy-to-remember passwords and/or permutations of the same for multiple accounts, an AI system like PassGan can pick up on these similar patterns quite easily.
Can You Guess My Password?
Going back to the LinkedIn example, PassGan guessed 12% of the passwords from the LinkedIn set, rising to 27% when working in conjunction with HashCat and John the Ripper. According to one of the researchers, passwords follow rules and deep neural networks can learn these rules. Shown tens of millions of passwords, these neural networks eventually realize complicated functions that describe how different sets of users are generating passwords.
The deep learning network need not be taught the rules. It merely looks at the data and learns it independently of human intervention.
An Old Routine
Okay, so the solution presented by the researchers is an old mantra you've heard before. They recommend using passwords composed of long random sequences of letters and numbers like those spewed forth by password-generation software. Or one can use the somewhat cumbersome technique of opening a blank page in MS Word and randomly attacking the keyboard until a mash of characters and numbers appears that can be pasted into a password-request box. Of course, you must save the Word file for future use and, if you remember, you'll password-protect the Word file, most likely using 1234 as the password.
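For readers who would rather not mash the keyboard, here is an added Python illustration (not from the researchers or the original article) that generates the long random letter-and-number password recommended above from the operating system's secure random source and compares its search space with a rough estimate for a pet-name-plus-year password. The sample word list, the 10,000-word dictionary size and the "word + digits" model are assumptions made for this example.

```python
import math
import re
import secrets
import string

# Letters and numbers, as the researchers recommend.
ALPHABET = string.ascii_letters + string.digits

# Constructed sample standing in for a list of common names and pet names.
COMMON_WORDS = {"rex", "bella", "emma", "max", "summer"}


def generate_password(length=20):
    """Pick every character independently from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Search space, in bits, of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def pattern_bits(password, wordlist_size=10_000):
    """Rough search space, in bits, if the password is 'common word + 2-4 digits'.

    Assumed model: one word out of `wordlist_size`, lowercase or capitalized
    (2 variants), followed by the digits. Returns None if the pattern does
    not apply, which is what a truly random string should produce.
    """
    m = re.fullmatch(r"([A-Za-z]+)(\d{2,4})", password)
    if not m or m.group(1).lower() not in COMMON_WORDS:
        return None
    guesses = wordlist_size * 2 * 10 ** len(m.group(2))
    return math.log2(guesses)


if __name__ == "__main__":
    human = "Bella2015"  # constructed example of a memorable password
    print(f"{human}: about {pattern_bits(human):.1f} bits under the pattern model")
    fresh = generate_password()
    print(f"{fresh}: about {random_bits(len(fresh)):.1f} bits, no pattern to learn")
```

Store the generated password in a password manager rather than in a Word file protected by 1234.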
Maybe the best solution is to use Apple's facial recognition technology in combination with bio-sensing technology, fingerprint recognition, and a DNA check. If that does not secure the castle, we may have to look at other technologies such as colonoscopy results to secure our digital identities.