Passwords are commonly used for authenticating with websites and online services. While several years ago a strong password was enough to secure a user’s account, however, now hackers can quickly crack any password using machine learning.
This article shows you the best practices to protect your solution against modern password guessing attacks based on machine learning algorithms. This information might be useful for SaaS providers and web developers who want to secure their applications.
Machine learning is starting to enter the hacker’s arsenal, and there’s a lot of potential for damage. Many of our current measures for protecting authentication procedures fall before sophisticated password guessing attacks. Below, you can find a list of cutting-edge techniques and proof-of-concept attacks that demonstrate what’s possible in terms of password guessing when machine learning is involved.
- Password brute force attacks
Password guessing software like John the Ripper and HashCat allow attackers to check a password against password hashes obtained from the target system. These tools use password generation rules based on password dictionaries. Though these rules are quite effective, in practice they require manual password analysis by experienced people.
To overcome this challenge, researchers at the Stevens Institute of Technology and the New York Institute of Technology have introduced PassGAN. Their innovative approach is based on deep learning for creating a Generative Adversarial Network (GAN) that’s able to produce AI-guessed passwords with much higher accuracy and speed.
The researchers tested PassGAN on two large databases of leaked passwords and revealed that their neural network generated passwords better than existing password guessing tools even without having any previous knowledge of password structures. In addition, when they united PassGAN with HashCat, they increased the accuracy of machine learning-powered password guessing by 51 to 73 percent compared to rule-based tools alone.
Another example of a brute force attack with neural networks was recently conducted by a group of researchers who trained a machine learning model on the most common passwords. They used a long short-term memory (LSTM) recurrent neural network and trained it on one million leaked passwords. As a result, the system was able to generate passwords that were not in the training data.
These studies underline the importance of two-factor authentication. However, even two-factor authentication isn’t secure from hackers who abuse machine learning algorithms.
- Keylogger attacks
Two-factor authentication allows users to confirm their identity with a one-time code sent to a dedicated device. However, researchers at Newcastle University have discovered that this code can be stolen by attackers who exploit vulnerabilities in mobile sensors. PINlogger is a new way of guessing passwords by applying a neural network and machine learning algorithms to guess a PIN entered on a mobile device.
Our mobile devices are embedded with various sensors including touchscreens, accelerometers, and gyroscopes. Could machine learning possibly analyze your interactions with your phone in order to guess the code you just entered? The mentioned study has confirmed that it can with a proof-of-concept attack.
- Captcha bypass attacks
Many websites use captchas to prevent bots from accessing them, but with machine learning, hackers can now easily bypass this protection. The first example of solving captcha tests was described in 2012 when researchers used support vector machines to break captchas with high accuracy. Since that time, captchas have become more complicated, but hackers may abuse machine learning by using image recognition algorithms.
For example, a 2016 study described a method of using deep learning to break Simple Captcha with 92% accuracy. During the study, researchers used a dataset of 10,000 captcha samples of five characters with noise effects that were difficult enough even for human eyes.
Captcha with image segmentation is considered one of the strongest ways to protect a website from bots, but another piece of research shows that this protection is vulnerable to image recognition based on deep learning. During the investigation, researchers used a residual neural network to break the captcha on Indian travel website IRCTC with 98% accuracy.
At the 2016 Black Hat Asia conference, researchers from Columbia University presented a paper that described a novel low-cost attack on Google reCAPTCHA based on deep learning technology. They also applied the system to Facebook image captcha and reached a high level of accuracy.
In 2017, Dileep George, co-founder of the AI company Vicarious, predicted that in the near future models based on artificial intelligence would be able to bypass captchas with 100% accuracy.
- Keystroke sound recognition
Apart from guessing passwords using difficult mathematical algorithms, machine learning will also allow hackers to steal your passwords by listening to your keystrokes. In 2017, researchers from the University of California and the University of Padua tested their Skype&Type application for snooping on Skype users.
The program is based on machine learning technology that can guess a password typed over Skype by analyzing the sounds of laptop keys. During the first field test, the prototype proved to be a working concept, though the model needed further training. While the program doesn’t require any intrusion into a user’s computer, it might face difficulties cracking passwords in case of background music or other sounds.
As you can see, there’s a high risk that your user accounts might be compromised one day. So you should be ready to detect and respond to attacks in real time. Here’s a list of the most common signs that your web application is under a password guessing attack:
- An increased number of unsuccessful authentication attempts because hackers try to use alphabetically sequential usernames and passwords
- A user tries to log in from several different IP addresses
- Numerous failed login attempts from a single IP address
- Login attempts with similar popular passwords like qwerty, password, and washere
- A single user session consumes excessive bandwidth
- A large number of passwords have been changed or new user accounts have been created
- An increased number of log entries, which may include multiple errors in a short period of time, suspicious network connections, and unusual tasks at the administrative level
- Changes in web application performance that result in unexpected behavior such as slow loading, increased network traffic, or redirection to a different page or website
When you know that hackers are going to attack with machine learning-powered password guessing, it becomes clear that only innovative methods for web application security can help. Here’s a list of eight best practices for protecting against password guessing attacks.
- Use password composition rules
In 2017, the US National Institute of Standards and Technology (NIST) updated their password recommendations in Special Publication 800-63 Digital Identity Guidelines, taking into account the latest threats. According to these recommendations, NIST advises using passwords that consist of more than eight characters and spaces that in combination create passphrases. Moreover, NIST recommends rejecting passwords that are often used or have been previously compromised. For instance, Facebook and Twitter collect stolen credentials that have been publicly posted and prevent the same combinations of passwords and usernames from being used again.
You can also educate your users about the importance of creating strong passwords and the risks of password reuse.
In addition, NIST guidance on protecting passwords against password guessing attacks also includes using appropriate technical defenses and password managers to reduce the burden on users.
- Protect privileged users
Privileged users are the most vulnerable to password guessing attacks, as they usually have access to huge amounts of sensitive data. Thus, you should provide privileged users with a different login URL, lock down their passwords, lock out accounts in case of attacks, and allow only single sign-ons. It’s also effective to allow access only to whitelisted IP addresses and use progressive delays in case of unsuccessful authentication attempts.
- Deploy multi-factor authentication
Deploy at least two-factor authentication, especially for all remote accounts. Two-factor authentication requires users to enter a unique code sent to a mobile phone or shown on a personalized USB token. Another common authentication approach is one-time passwords, which may also be limited in their lifetimes. While attacks based on machine learning may compromise one-time passwords, it may be worth it to enhance your security with advanced authentication methods.
- Ensure password encryption
Password hashing or one-way encryption is commonly used now, but you should also remember that it’s dangerous to leave password database files unprotected. You can also consider implementing end-to-end password encryption, as this will ensure that your users’ passwords are securely stored and transmitted over the network.
- Use password masking
Best practices for password protection also mean ensuring that your solution never displays passwords in cleartext on any screen. It’s more secure to hide passwords under asterisks (*) on the display. However, you should also remember that some hackers can track keystrokes and thus compromise passwords.
- Restrain from mandatory password changes
There’s a fiery debate over whether it’s effective to force regular password changes. While at first NIST recommended a mandatory policy of password changes, its further publication on The problems with forcing regular password expiry counters this advice, explaining that when forced to change passwords regularly, users tend to choose weak passwords. The latest recommendations from NIST also advise against regular password changes.
- Enhance password complexity with machine learning
Machine learning algorithms can help you check the complexity of passwords for your users and even provide them with more secure ones. This is a highly effective approach for protecting against modern password guessing attacks, but developing such systems requires an experienced team with specialized knowledge and skills.
- Add advanced authentication methods
While technologies are becoming more sophisticated and widespread, many users have come to the conclusion that passwords have many weaknesses and can be easily stolen. According to a survey conducted by LaunchKey, a mobile authentication company, 84 percent of participants report that they would like to do away with passwords, while 74 percent believe that alternative forms of authentication would be more secure than passwords. Advanced authentication mechanisms mark a shift from authentication based on what users know to authentication based on who they are and how they behave.
One innovative approach is the use of biometrics for user authentication. Biometric technologies require no memorization of sophisticated passwords. Instead, users are authenticated by allowing the system to recognize their fingerprints, voices, heartbeats, irises, or faces.
Another approach authenticates users based on how they behave, which is also known as behavior biometrics. In this case, the system monitors a user and then creates a unique profile of how that user types or uses the mouse (keystroke and mouse dynamics).
Password guessing using machine learning technology is a new threat that’s difficult to withstand. This type of attack requires innovative methods of protection and quick response.
Apriorit has more than 10 years of expertise in cybersecurity and encryption techniques, and we would be glad to assist you in protecting your web application against password guessing attacks using artificial intelligence.