Recently, researchers from The New York Institute of Technology and the Stevens Institute of Technology computer science department released a paper about using a relatively new machine learning technique to make computers 18-24 percent better at guessing your passwords than ever before. In this article, we’ll covert:

• The historical context in which this technology lives
• What this technology could be used for by criminals
• How this technology works
• How to use it if you’re a red-teamer
• How to protect yourself as a user
• How to protect yourself as a blue-teamer in charge of an enterprise

First, let’s talk about what we mean when we talk about “guessing passwords,” as that’s a fairly nebulous term. In this case, we’re talking about cracking password hashes offline. That may leave you asking “What are password hashes?” A fair question.

What are Password Hashes?

When you see large data breaches like Dropbox, LinkedIn, Ashley Madison, etc., what was released was a list of (typically) emails and password hashes. The point of a hash in a security context is that its input cannot be determined by its output.

For example, say I give you “5f4dcc3b5aa765d61d8327deb882cf99.” That’s the md5 hash of “password.” You cannot determine that 5f4dcc3b5aa765d61d8327deb882cf99 is the hash of password unless you try hashing “password” and see that the hash to “password” is 5f4d…cf99. There are no shortcuts, and you cannot go backwards.

This is useful in security because it means that a site like Adobe or LinkedIn or Google can have hundreds of millions of user accounts but not store anyone’s actual password. Even so, they can still check if you know your password even if they don’t know it. This is achieved by only storing the hash of a password instead of the password itself. (Read more...)