Topic: AI Can Now Crack Most Passwords in Less Than a Minute | Extremetech

rcjordan


ergophobe

Re: AI Can Now Crack Most Passwords in Less Than a Minute | Extremetech
« Reply #1 on: April 12, 2023, 04:23:14 PM »
I'm not sure how to evaluate this claim. I'd like to see what someone like Schneier has to say.

The RockYou DB is now 14 years old. So does an AI trained on leaked passwords work on a new database as well?

Also, they don't say what hashing algo they are cracking against. Presumably they took the RockYou DB and hashed it, but they don't say how. Is this Argon2id or bcrypt or MD5 (presumably not MD5, but just asking the question)?

I couldn't find the article, but IIRC a few years back there was a data breach of something like 17,000 passwords and some publication (Ars Technica?) had two security experts and one blackhatter try to crack the passwords, and the security expert got something like 70% of them in four hours and the security experts got into the high 90s within a day.


ergophobe

Re: AI Can Now Crack Most Passwords in Less Than a Minute | Extremetech
« Reply #2 on: April 12, 2023, 04:30:17 PM »
Here's why this matters and why someone can game this for attention. If they were not gaming it for attention, I would expect them to specify the hash, which I couldn't find in their original article.

https://arstechnica.com/information-technology/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/

Quote:
    "Yes, that's right, 156 hashes per second," Pierce wrote. "To someone who's used to cracking MD5 passwords, this looks pretty disappointing, but it's bcrypt, so I'll take what I can get."
    It's about time... Had Ashley Madison used MD5, for instance, Pierce's server could have completed 11 million guesses per second, a speed that would have allowed him to test all 36 million password hashes in 3.7 years if they were salted and just three seconds if they were unsalted.

So if this is Argon2id set to a high level (way more computationally complex than bcrypt), then it is super impressive. If it is SHA256 set to a low byte count or MD5 unsalted, then that's another story.

But unfortunately for Ashley Madison customers, they also in parallel stored passwords in MD5, which made them almost all crackable quickly.
https://arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
« Last Edit: April 12, 2023, 04:32:21 PM by ergophobe »
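The quoted figures (11 million MD5 guesses/second vs. 156 bcrypt guesses/second, 36 million records, 3.7 years salted vs. three seconds unsalted) follow from a simple work model, reproduced here as an added illustration that is not part of the thread or the Ars Technica article. The only assumed value is the candidate wordlist size; a wordlist as large as the database is what reproduces the article's 3.7-year and three-second numbers.

```python
"""Cost model for guessing attacks against a leaked hash database.

Added example, not from the forum thread. Rates and record count are the
figures quoted in the thread; CANDIDATES is an assumption (see below).
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures quoted in the thread (Pierce's server, Ars Technica 2015).
MD5_RATE = 11_000_000      # MD5 guesses per second
BCRYPT_RATE = 156          # bcrypt guesses per second on the same hardware
RECORDS = 36_000_000       # Ashley Madison password hashes

# Assumption: the attacker's wordlist is as large as the database.
# This reproduces the article's "3.7 years salted / 3 seconds unsalted".
CANDIDATES = 36_000_000


def hash_invocations(records: int, candidates: int, salted: bool) -> int:
    """Hash computations needed to test every candidate against every record.

    Unsalted: each candidate is hashed once and the digest is looked up
    against all records at once (the lookup is negligible next to the hash),
    so work is proportional to the number of candidates only.
    Salted: every record has its own salt, so no digest can be reused and
    work is candidates * records. This is the whole point of salting.
    """
    return candidates * records if salted else candidates


def crack_seconds(records: int, candidates: int, rate: float, salted: bool) -> float:
    """Wall-clock time to exhaust the wordlist at a given hash rate."""
    return hash_invocations(records, candidates, salted) / rate


def crack_years(records: int, candidates: int, rate: float, salted: bool) -> float:
    return crack_seconds(records, candidates, rate, salted) / SECONDS_PER_YEAR


def slowdown_factor(fast_rate: float, slow_rate: float) -> float:
    """How many times more expensive each guess is with the slow hash."""
    return fast_rate / slow_rate


def scenarios() -> dict:
    """The three cases discussed in the thread, in years."""
    return {
        "md5_unsalted": crack_years(RECORDS, CANDIDATES, MD5_RATE, salted=False),
        "md5_salted": crack_years(RECORDS, CANDIDATES, MD5_RATE, salted=True),
        "bcrypt_salted": crack_years(RECORDS, CANDIDATES, BCRYPT_RATE, salted=True),
    }
```

Swapping bcrypt's 156 guesses/second into the same formula turns the 3.7 years into roughly a quarter of a million years, which is why the MD5 copies stored alongside the bcrypt hashes mattered so much.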