AI Cracker Can Guess Over Half of Common Passwords in 60 Seconds

It should be noted that AI password crackers such as PassGAN are 100% effective if the password in question has been leaked or breached from a database.

April 13, 2023


With the advent, and more importantly the rapid adoption, of AI tools such as ChatGPT, DALL-E, and Runway, it has become clear that the uses of such tools extend well beyond what their developers intended. ChatGPT is already being used for malicious tasks such as developing malware and generating phishing emails and campaigns.

Passwords are still the most widely used authentication method. Naturally, this raises the question: ‘Can an artificial intelligence-driven tool crack user passwords?’

Well, the answer to that question has been around for at least six years, long before the excitement (and, to some extent, worry) around ChatGPT eclipsed other technologies: the password generative adversarial networks, or PassGAN, research paper was released in 2017.

PassGAN, a machine learning-based password cracker, relies on neural networks to eliminate the manual effort of password analysis in password cracking or guessing. The PassGAN paper notes that the techniques in existing password-guessing tools such as Hashcat and John the Ripper “work well in practice, [though] expanding them to model further passwords is a laborious task that requires specialized expertise.”

In PassGAN: A Deep Learning Approach for Password Guessing, authors Briland Hitaj and Giuseppe Ateniese (both Stevens Institute of Technology), Paolo Gasti (New York Institute of Technology), and Fernando Perez-Cruz (Swiss Data Science Center) replaced rule-based and simple data-driven password guessing techniques (such as Markov models) with a model learned from leaked passwords.

So, the question isn’t ‘Can an artificial intelligence-driven tool crack user passwords?’ It is actually ‘How long will it take for AI-based tools to crack passwords?’

Texas-based cybersecurity startup Home Security Heroes set out to answer this question. The company trained PassGAN on 15,680,000 passwords from the RockYou dataset, which was leaked in 2009. Home Security Heroes (HSH) reported that:

  • 51% of common passwords can be cracked by PassGAN in less than one minute
  • 65% of common passwords can be cracked in less than one hour
  • 71% of common passwords can be cracked in less than one day
  • 81% of common passwords can be cracked in less than one month

“PassGAN represents a concerning advancement in password-cracking techniques. This latest approach uses a Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, eliminating the need for manual password analysis. While this makes password cracking faster and more efficient, it is a serious threat to your online security,” HSH wrote.

HSH’s PassGAN test indicated that any seven-character password made up of numbers, lower- and upper-case letters, and symbols could be cracked in less than six minutes. For eight- and nine-character passwords drawn from the same character set, PassGAN’s guessing time rises to seven hours and two weeks, respectively.

This means the tool is fairly easy to beat: use a longer password drawn from more character classes, since every added character multiplies the number of candidates the cracker has to try. Refer to the chart below to gauge how strong your password needs to be. For reference, HSH’s figures for cracking an 18-character password with PassGAN are:

  • Ten months if it is made up of just numbers
  • 22 million years if it is made up of just lower-case letters
  • 7.23 billion years if it is made up of lower- and upper-case letters
  • 96 trillion years if it is made up of numbers, lower- and upper-case letters
  • Six quintillion years if it comprises numbers, lower and uppercase letters, and symbols.

It should be noted, however, that the figures above apply only to passwords the cracker has not already seen. Any password that appears in a leaked or breached list (PassGAN’s training data, or the wordlist of a conventional, data-driven cracker) is found as soon as that list is tried, whatever its length or composition, so the 18-character estimates above hold only for passwords that are not in such a list.

As such, how much the ‘AI’ component adds to password cracking over conventional, data-driven techniques remains largely unexplored. If an AI tool could accurately guess a user’s password from their public profile and social media posts, THAT would be an achievement.


How To Ensure AI Tools Can’t Guess Your Password

Refer to the chart below for a better understanding of what constitutes a strong password:

[Chart: The Time It Takes PassGAN To Guess Different Passwords. Source: Home Security Heroes]

  • Use at least 15 characters, mixing upper- and lower-case letters, numbers, and symbols.
  • Avoid obvious patterns, such as keyboard walks, dates, or repeated characters.
  • Never reuse the same password across multiple accounts or platforms.
  • More importantly, check regularly whether your password has appeared in a breach, using a service such as Have I Been Pwned?; a leaked password is guessed immediately no matter how long it is. Another practice is to change passwords every three to six months.
  • The use of password managers and multi-factor authentication is also recommended.
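The breach check and the composition rule above can be combined into one acceptance check, which the following added example does; it is not code from the article. The lookup uses the public Have I Been Pwned “Pwned Passwords” range protocol: the client hashes the password with SHA-1, sends only the first five hex digits of the hash to https://api.pwnedpasswords.com/range/, and matches the remaining 35 digits locally against the suffix:count lines returned, so neither the password nor its full hash leaves the machine. The breach corpus and the fake server below are constructed so the example runs offline; the live fetch function is included but not used by the demonstration.

```python
"""Breached-password check via the k-anonymity range protocol, plus the
length-and-classes rule from the list above.

Added example, not from the article. FAKE_BREACH_CORPUS and the fake range
server are constructed stand-ins for the real Pwned Passwords data.
"""
import hashlib
import string
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password, fetch_range):
    """How many times `password` appears in the breach corpus (0 if never).

    Only the 5-character hash prefix is given to `fetch_range`; the server
    answers with every suffix in that bucket and the match is made here.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Real lookup against the public API (needs network; not used below)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus: password -> number of breach occurrences (made-up counts).
FAKE_BREACH_CORPUS = {
    "password": 3861493,
    "123456": 37359195,
    "letmein": 135013,
    "Tr0ub4dor&3": 1,
}


def build_fake_ranges(corpus):
    """Group hashes by 5-char prefix into 'SUFFIX:COUNT' bodies, as the API does."""
    buckets = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        buckets.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in buckets.items()}


FAKE_RANGES = build_fake_ranges(FAKE_BREACH_CORPUS)


def fetch_range_fake(prefix):
    """Offline stand-in for fetch_range_live; an unknown prefix returns no lines."""
    return FAKE_RANGES.get(prefix, "")


def meets_policy(password, min_length=15):
    """The rule above: at least 15 characters and all four character classes."""
    checks = {
        "length": len(password) >= min_length,
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, ok in checks.items() if not ok]
    return not missing, missing


def assess(password, fetch_range=fetch_range_fake):
    """Breach check first: a leaked password is rejected however complex it looks."""
    count = pwned_count(password, fetch_range)
    if count:
        return f"rejected: seen {count:,} time(s) in breaches"
    ok, missing = meets_policy(password)
    return "ok" if ok else "rejected: missing " + ", ".join(missing)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "short1A!", "correct-Horse-Battery-9taple"):
        print(f"{pw!r}: {assess(pw)}")
```

The order in `assess` matters: "Tr0ub4dor&3" satisfies every class rule, yet because it is in the (constructed) breach corpus it is rejected before the composition check runs, which is the point made above about leaked passwords. To check against the real corpus, pass `fetch_range_live` as the second argument.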



Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com