Oct 23 2020

3 Ways That AI Can Help Users Avoid Weak Passwords

Remote learning makes it easy for hackers to crack passwords. Use machine learning algorithms to find weak passwords — before the cybercriminals do.

Rampant password reuse has caused a spike in credential stuffing during COVID-19. As the pandemic forces colleges and universities to persist with remote learning, stolen videoconferencing credentials create security risks that can quickly spiral into a web of compromised accounts and applications. So how can cybersecurity pros get their end users to finally stop reusing passwords?

One solution, some experts say, is artificial intelligence. Here are three ways that AI can help find weak passwords — and deter cybercriminals.

1. Deep Learning: A Way to Outsmart Hackers

A generative adversarial network, or GAN, is a powerful machine learning model that uses deep learning methods to create new data instances resembling the training set.

In 2017, researchers at the Stevens Institute of Technology in New Jersey created a GAN called PassGAN.

After feeding the technology tens of millions of leaked passwords from a gaming site called RockYou, the scientists watched as the AI created hundreds of millions of new passwords.

The researchers then looked at how many of these new passwords matched another set of leaked passwords from LinkedIn. After combining PassGAN with a password-cracking software program called hashcat, the two tools cracked 27 percent of passwords in the LinkedIn data set.

In short, using AI-backed technologies to crack weak passwords in school systems can be an effective way for IT leaders to quickly see which users may need a refresher course on how to create stronger passwords.

2. Latest Iteration of PassGAN Improves Password Guessing

The scientists from Stevens will be giving a talk on the AI program’s latest password-cracking developments at the 42nd IEEE Symposium on Security and Privacy in 2021.

“Since 2017, we have improved PassGAN, and now it uses a form of reinforcement learning very similar to how AlphaZero has learned how to play chess,” says Giuseppe Ateniese, the department chair of the Schaefer School of Engineering & Science at Stevens who co-authored the original paper on PassGAN.

The talk will expand on how deep learning models allow researchers to gain and interpret important intelligence — such as semantic similarities between user passwords — from large password data sets.

“In our work, we show that these neural representations capture many properties of password distributions and enable new password guessing techniques,” the study’s leading researcher, Dario Pasquini, says in a preview of the upcoming IEEE talk. “More prominently, basing on such properties, we construct a guessing strategy that automatically adapts to the attacked set of passwords during the running attack.”

3. An Efficient and User-Friendly Way to Authenticate

Even end users with strong passwords can fall victim to hackers by listing complex passwords on unsecured electronic notepads and spreadsheets.

AI-backed technologies that allow continuous authentication are one solution that can help prevent this problem.

What is continuous authentication? Unlike password-based authentication and two-factor authentication, continuous authentication compares a user’s behavior during a session with his or her past behaviors. The advantage here is that users do not have to take extra steps to authenticate themselves during a session.

By observing biometric behaviors, such as typing speed and mouse movements, and transactional behaviors, such as the size and number of files shared, the AI flags unusual behaviors that potentially indicate a malicious actor has taken over an account.

The artificial intelligence can also learn contextual awareness, which means the AI is capable of understanding the context of a particular transaction or session. By considering factors such as device, network, time of day and location, the AI adjusts security controls for individual circumstances.
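The scoring described above, reduced to a statistical sketch as an added example (not code from the article or from any product): per-feature z-scores against a user's past sessions stand in for a trained model, and unfamiliar context lowers the alert threshold. The feature names, sample sessions, thresholds and the three control levels are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: one user's past sessions (feature names are assumptions).
HISTORY = [
    {"typing_cpm": 310, "mouse_px_s": 420, "files_shared": 2, "mb_shared": 5},
    {"typing_cpm": 295, "mouse_px_s": 450, "files_shared": 1, "mb_shared": 3},
    {"typing_cpm": 320, "mouse_px_s": 400, "files_shared": 3, "mb_shared": 8},
    {"typing_cpm": 305, "mouse_px_s": 430, "files_shared": 2, "mb_shared": 4},
    {"typing_cpm": 300, "mouse_px_s": 410, "files_shared": 2, "mb_shared": 6},
]
# Constructed context this user has been seen in before.
KNOWN = {"device": {"laptop-a"}, "network": {"campus", "home"},
         "location": {"NJ"}, "hour": set(range(8, 23))}

def behavior_score(history, session):
    """Largest absolute z-score of any behavioral feature versus the baseline."""
    worst = 0.0
    for feature in history[0]:
        values = [h[feature] for h in history]
        # Floor the spread at 1.0 so a near-constant feature cannot divide by ~0.
        sigma = max(stdev(values), 1.0)
        worst = max(worst, abs(session[feature] - mean(values)) / sigma)
    return worst

def context_misses(known, context):
    """Context factors (device, network, hour, location) never seen for this user."""
    return [k for k, v in context.items() if v not in known[k]]

def decide(history, known, session, context):
    """Map behavioral and contextual risk to a control: allow, step_up, terminate."""
    z = behavior_score(history, session)
    misses = context_misses(known, context)
    threshold = 3.0 - 0.5 * len(misses)  # unfamiliar context tightens the limit
    if z >= 2 * threshold:
        return "terminate"               # far outside the baseline: end the session
    if z >= threshold or len(misses) >= 2:
        return "step_up"                 # ask for re-authentication
    return "allow"

USUAL_CTX = {"device": "laptop-a", "network": "home", "location": "NJ", "hour": 14}
NORMAL = {"typing_cpm": 308, "mouse_px_s": 425, "files_shared": 2, "mb_shared": 5}
ODD = {"typing_cpm": 180, "mouse_px_s": 900, "files_shared": 40, "mb_shared": 900}

if __name__ == "__main__":
    print(decide(HISTORY, KNOWN, NORMAL, USUAL_CTX))
    print(decide(HISTORY, KNOWN, ODD, dict(USUAL_CTX, device="phone-x", hour=3)))
```

A session that matches the baseline in a familiar context passes silently, which is the "no extra steps" property the article describes; only deviation or unfamiliar context triggers a challenge.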

By requiring hackers to navigate multiple layers of behavioral and contextual risk assessments, continuous authentication and awareness can help deter hackers from getting remote learners’ passwords.

Regardless of whether colleges and universities continue with online, hybrid or remote learning classes in the future, AI’s ability to guess passwords will only become more advanced. To be on the defensive, higher education cybersecurity teams should use machine learning algorithms to crack weak passwords — before the hackers do.
