We can now add easily cracking passwords in a matter of seconds to the list of things that AI can do.
Cybersecurity firm Home Security Heroes recently published a study uncovering how AI tools analyze passwords and then use that data to crack the most common passwords used on the web.
Using the PassGAN tool, the firm was able to figure out common four- to seven-character passwords in seconds. It also didn’t matter if there was variation in uppercase and lowercase letters or if numbers were included. The shorter and more simple passwords were easier for the tool to crack.
PassGAN uses the latest Generative Adversarial Network (GAN) machine learning model that has been fed over 15 million common passwords. These passwords have been derived from the RockYou data set, which has collected information from popular breaches of companies such as MySpace and Facebook. The RockYou data set has become a commonplace source for machine learning password-cracking models, according to Tom’s Hardware.
PassGAN was able to crack passwords with up to six characters instantly until symbols were included — for those, it took at least four seconds. The tool was able to crack passwords with up to seven characters instantly until they included uppercase and lowercase letters; then it took at least 22 seconds.
Overall, the study determined that passwords longer than 12 characters with a combination of uppercase and lowercase letters, numbers, and symbols were the most challenging to crack. For example, a 15-character password with such a mix would take 14 billion years for AI to crack, according to PassGAN.
However, in common practice, most users are still very much at risk for a password breach. Home Security Heroes notes that for most of the common passwords, at least 51% of those tested were cracked in less than a minute. Many that are more challenging can still be figured out with time; 65% of common passwords can be cracked in less than an hour, 71% in less than a day, and 81% in less than a month.
Tom’s Hardware noted via Statista that six out of 10 Americans have a password between eight to 11 characters. While an 11-character password with uppercase and lowercase letters, numbers, and symbols can put you in the safe zone of 356 years to crack, many users might still be at risk with shorter, less unique passwords.
Users should keep in mind common password safety practices such as not keeping the same passwords for multiple accounts, changing passwords regularly, and using trusted password managers.
