Animated figure taking a password off a computer screen.


Q&A with Paolo Gasti: Password Not Protected

October 4, 2017

Passwords have become a part of daily life. We use them to log into everything, from our computers and cellphones to our email and bank accounts. While we hope they are secure and protected, Paolo Gasti, Ph.D., assistant professor at NYIT School of Engineering and Computing Sciences, warns that this is not the case. Gasti, who spoke about passwords at NYIT’s Annual Cybersecurity Conference, has, together with a team of researchers at Stevens Institute, developed a technique called PassGAN to show that passwords aren’t nearly as strong as we’ve been led to believe. The research leverages Generative Adversarial Networks (GANs), which enable a machine to generate new things based on what it has learned. The result: a machine is able to guess passwords more effectively, making it easier for cybercriminals to break into anything from your Amazon account to your credit report.

Gasti sat down with The Box to talk about the research, how PassGAN will be used, and whether it’s possible to choose a secure password.

Can you explain your research?
PassGAN is designed to help guess passwords. There are many circumstances where you may want to get into someone’s account or open a password-encrypted file. And there are many techniques out there to do that. One way is to just use passwords that have been leaked or stolen. This is a good place to start—just try old passwords—but that doesn’t always work because people may change their passwords slightly.

There are also tools, such as HashCat and John the Ripper, that are built to crack passwords. They combine passwords and try to guess what people do. This is very successful, but there are a few problems with this approach. First of all, you need a person to do the job—someone who can codify the patterns. This works well; however, a person may not be able to guess them all. For instance, if there is a new leak tomorrow, a person has to go through thousands of passwords and evaluate patterns. It’s a lot of work.

But with all of the advances in technology and artificial intelligence, my team and I thought ‘Why don’t we have a machine look at patterns and try to understand and codify them?’ The more the machine understands passwords, the more successful it will be.

What do you hope to do with PassGAN?
We hope to do a couple of things. It can be used defensively and offensively. The most obvious is law enforcement. If, for instance, a terrorist’s computer is confiscated, PassGAN can be used to crack the passwords. Also, system administrators can learn if their system is vulnerable. It could test passwords and see which ones are weak.

How does PassGAN work?
PassGAN learns how a password is supposed to look. As you train the tool, it will begin to see trends and patterns on its own. The difference between PassGAN and HashCat or John the Ripper is that humans have to come up with these trends and patterns. There are patterns that are too complicated for a human, but a machine might be able to learn these patterns. Through this research we are really changing the definition of what a secure password looks like. Now we have new knowledge of how to use a password-based system.

How successful is PassGAN when cracking passwords?
We used 70 million leaked passwords for this research. We let the machine run for several days and it was able to generate 10 billion passwords. However, we decided to stop at 10 billion for the set of experiments. We got to a point where we thought the machine had learned enough, so we stopped training it. We then input a few million new passwords that the machine didn’t look at initially. It was able to guess about half of those passwords.
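The evaluation Gasti describes above, and the administrator use case he mentions earlier (testing which passwords in a system are weak), both come down to the same measurement: take an ordered list of candidate guesses, check it against passwords the generator never saw, and report what fraction is matched after a given number of guesses. The following is an added example, not code from the PassGAN project or from the interview; the guess list and held-out set are small constructed samples standing in for a generator's output and a real test set, and the function names are my own.

```python
"""Measure how much of a held-out password set an ordered guess list covers.

Added example (not PassGAN code). A defender can run the same measurement
against an approved wordlist to audit a password policy: any password that
shows up in a generated or leaked list is one an attacker would try early.
"""
from collections import Counter

# Constructed sample guesses, in the order a generator emitted them.
# "password1" appears twice to show that duplicates are counted once.
SAMPLE_GUESSES = [
    "password1", "123456", "qwerty", "letmein", "password1",
    "iloveyou", "dragon", "sunshine", "football", "monkey",
]

# Constructed held-out set: passwords the generator never trained on.
SAMPLE_HELDOUT = [
    "123456", "correct-horse-battery", "sunshine", "dragon",
    "Tr0ub4dor&3", "monkey", "iloveyou", "zxcvbn",
]


def coverage_curve(guesses, heldout, checkpoints):
    """Return {k: fraction of held-out passwords matched by the first k unique guesses}.

    Duplicate guesses are skipped so each unique candidate counts once, and
    the held-out list is treated as a multiset, since real dumps contain the
    same password many times. Checkpoints beyond the number of unique
    guesses receive the final coverage value.
    """
    remaining = Counter(heldout)
    total = sum(remaining.values())
    if total == 0:
        raise ValueError("held-out set is empty")
    cps = sorted(checkpoints)
    results = {}
    ci = 0
    # A checkpoint of zero guesses trivially matches nothing.
    while ci < len(cps) and cps[ci] <= 0:
        results[cps[ci]] = 0.0
        ci += 1
    seen = set()
    matched = 0
    tried = 0
    for g in guesses:
        if g in seen:
            continue
        seen.add(g)
        tried += 1
        if g in remaining:
            matched += remaining.pop(g)
        while ci < len(cps) and tried >= cps[ci]:
            results[cps[ci]] = matched / total
            ci += 1
    for cp in cps[ci:]:
        results[cp] = matched / total
    return results


def flagged(passwords, guesses):
    """Return the distinct passwords that appear anywhere in the guess list.

    This is the administrator's audit view: every entry returned here would
    be found by an attacker using the same list, regardless of its length or
    character mix.
    """
    guess_set = set(guesses)
    return sorted(p for p in set(passwords) if p in guess_set)


def demo():
    """Run both measurements on the constructed samples."""
    curve = coverage_curve(SAMPLE_GUESSES, SAMPLE_HELDOUT, [2, 5, 10])
    weak = flagged(SAMPLE_HELDOUT, SAMPLE_GUESSES)
    return curve, weak


if __name__ == "__main__":
    curve, weak = demo()
    for k in sorted(curve):
        print(f"after {k:>3} unique guesses: {curve[k]:.1%} of held-out matched")
    print("flagged by audit:", weak)
```

The curve, rather than a single hit rate, is what makes two guess lists comparable: a list that finds the same passwords in fewer guesses is the stronger one, and a policy should be judged by how far down such a list its accepted passwords sit.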

This sounds frightening! Should we be worried about the security of our passwords?
We should already be worried. We thought security was bad before, but it’s actually worse. Through this research, we discovered that passwords are not as good as we thought they were. It is either time to replace them or adopt better tools to protect them.

What kinds of tools?
One example is a two-factor identification, where a person is given a code in addition to their password. This works well. But another solution is to replace passwords altogether. My team and I are working on behavioral biometric tools which monitor how you use your computer and determine if it’s actually you. This seems to be very promising.

Now that the research is out there, are you worried that it will get in the wrong hands?
If we didn’t come out with this now, hackers eventually would have. We don’t know if this tool is being used in the wild. But no one will be surprised if criminals use it.

Do you have any tips for creating passwords?
Unfortunately, there isn’t any good strategy. Everybody is accessing a dozen or so passwords. I would suggest a password manager, which picks random and very long passwords and doesn’t require anyone to remember them.

This interview has been edited and condensed.