Artificial intelligence tool fixes password weakness

Password meters must tell people what’s wrong with their password and suggest fixes. AI can make that happen.

Flaws in passwords can be eliminated with artificial intelligence (AI), say researchers. That includes identifying common words that hackers also know.

The fix comes from AI analysis of existing insecure passwords, coupled with feedback to the user based on that analysis. It makes password creation more reliable, say scientists from Carnegie Mellon University and the University of Chicago.

The group says it’s no good simply telling users their password isn’t secure when they attempt to create one—like the current password strength meters do using colored graphs. The meter should tell the creator what’s wrong with the secret word and advise how to conjure up a better one.

That’s where AI comes in, the scientists say.

“Instead of having a meter say, ‘Your password is bad,’ we thought it would be useful for the meter to say, ‘Here’s why it's bad, and here's how you could do better,’” says Nicolas Christin of Carnegie Mellon University in a press release.

The team uses a neural network to find hackable characteristics in passwords. That includes any word found in Wikipedia—bad guys use Wikipedia to find common text found in passwords. The neural network learns by examining large numbers of already-created passwords and looking for trends. It then tells the human password creator, in real time, what’s wrong with their concoction.

“If the meter detects a characteristic in a password that it knows attackers may guess, it tells the user,” the release explains. It then suggests an alternative. (You can see a demo of the meter on the CyLab Usable Privacy and Security Laboratory website.)

Current meters don't work that way, but the approach is, in fact, closer to how a hacker operates.

“The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords,” says Blase Ur, lead author on the study, “Design and Evaluation of a Data-Driven Password Meter,” in the release. In this case, the password meter, too, looks for patterns and flags those structures it knows hackers use. Attackers indeed do attempt to log into sites with the passwords they’ve gotten from data breaches.

Password advice in real time

With that knowledge of hackers’ habits, advice can be passed on to the user and, more important, relayed while the user is actually creating the commonly stolen password. The meter also passes on other tidbits obtained through the AI analysis. For example, attackers know that users put symbols and numerals at the start and end of a password, so the AI-driven password meter suggests mixing them up.

Other advice, given as the user enters a repeated word, might be to avoid repeating sections in a password. Common phrases and limitations, such as short passwords, can also be caught on the fly by the meter. In those cases, detailed advice and examples can be given in real time, suggesting the user jumble the letters up or increase the length of the passcode.
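The kinds of feedback described in this section, sketched as an added example (not code from the study or the CyLab meter): fixed rules stand in for the neural network, and the word list, the 12-character minimum and the function name passwordFeedback are assumptions made for illustration.

```javascript
// Added illustration: rule-based feedback for the password characteristics
// the article lists. It is NOT the researchers' neural-network meter.

// Constructed sample word list (assumption); a real meter would draw on large
// sources such as Wikipedia text and datasets of breached passwords.
const COMMON_WORDS = ["password", "monkey", "dragon", "football", "sunshine"];
const MIN_LENGTH = 12; // assumed policy value, not taken from the study

// Returns a list of { issue, tip } objects; an empty list means no rule fired.
function passwordFeedback(pw) {
  const advice = [];
  const lower = pw.toLowerCase();

  // Limitation: short password.
  if (pw.length < MIN_LENGTH) {
    advice.push({ issue: "short", tip: `Use at least ${MIN_LENGTH} characters.` });
  }

  // Common word embedded anywhere in the password.
  const hit = COMMON_WORDS.find((w) => lower.includes(w));
  if (hit) {
    advice.push({ issue: "common-word", tip: `Avoid the common word "${hit}".` });
  }

  // Digits and symbols appear only before and/or after one run of letters.
  const m = /^([^A-Za-z]*)([A-Za-z]+)([^A-Za-z]*)$/.exec(pw);
  if (m && (m[1] || m[3])) {
    advice.push({ issue: "edge-only", tip: "Move digits and symbols into the middle." });
  }

  // A section of three or more characters that occurs again later.
  if (/(.{3,}).*\1/.test(lower)) {
    advice.push({ issue: "repeat", tip: "Avoid repeating sections." });
  }
  return advice;
}

// Constructed sample inputs, evaluated as they would be on each keystroke.
for (const pw of ["Monkey123!", "abcabc", "tr4il-mix9rowboat-Vent"]) {
  console.log(pw, passwordFeedback(pw).map((a) => a.tip));
}
```

Calling the function from an input handler on every keystroke gives the real-time behaviour the article describes; the data-driven part, learning which patterns attackers try first, is what the fixed rules here leave out.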

The scientists say they have moved beyond typical password metering, which they explain usually just counts the number of characters in a password, checks for special characters or checks the password against a very limited blacklist. They say their method includes fixes for probabilities and guess-ability.

"The key result is that providing the data-driven feedback actually makes a huge difference in security compared to just having a password labeled as weak or strong," Ur says.

Copyright © 2017 IDG Communications, Inc.
