Report 2962

AI Can Now Crack Most Passwords in Less Than a Minute · 2023

We've been warned for years to use strong passwords online, but not everyone heeds those warnings. Thanks to the increasing power of AI, even those who exercise reasonable caution may find their passwords insufficient. Cybersecurity firm Home Security Heroes fed millions of actual passwords into an artificial intelligence to see how long it would take to crack them. The answer is "not as long as you'd expect." The system was able to crack most passwords in less than a minute.

Home Security Heroes ran this test with the PassGAN password generator. Unlike most password generators, PassGAN uses a Generative Adversarial Network (GAN) to learn from real passwords to create new ones. A GAN in this context consists of two opposing neural networks, a generator and a discriminator. The generator network creates fake data, and the discriminator is tasked with picking out real data in a sea of fakes. Over time, the generator and discriminator become better at what they do, making the overall model more effective.

PassGAN was provided with 15,680,000 common passwords from the RockYou data set in this test. For the unaware, RockYou was a social widget hacked years ago, revealing millions of unencrypted passwords. It has since been a commonly utilized data set in security research. The test excluded passwords longer than 18 characters and shorter than four. Home Security Heroes says the AI cracked 51% of those passwords in less than one minute. Some people always heed warnings to use secure passwords, and their data was harder to crack. PassGAN decoded 65% of passwords in an hour or less, hitting 71% in about a day. It took another month to boost that to 81%.

So, the good news is the most robust passwords are still functionally impossible to crack, but a password you might think is strong could be a breeze for today's AI. The firm reports that a 10-character password made up of numbers and lower-case letters falls into the sub-one-hour group, along with 65% of all tested passwords. However, adding another layer of complexity with upper-case letters or special characters boosts the cracking time to an estimated five years.

If you want to ensure your passwords are in the currently uncrackable group, Home Security Heroes recommends making them at least 15 characters long. You should use a combination of letters (upper and lower case), numbers, and special characters. The firm also recommends changing passwords frequently. If you swap important passwords every few months, there won't be time for an AI to crack them before you're on to something else. The cat-and-mouse game will never end, though. Eventually, AI may even be able to figure out these more complex passwords, which is why some major tech heavyweights are working to do away with passwords entirely.