Alarming Study Reveals How Quickly AI Can Crack All Your Passwords

hero Password Security Image
Time to tighten up your password complexity, dear readers. A deep learning password guessing tool called PassGAN has been found to take less than six minutes to crack your seven-character password, even ones with symbols.

Nefarious hackers are constantly looking for new means of stealing your information, and ironically, in this case, the "new" battleground lies in the one of the oldest and most common security weak link: account passwords. Even with all the good that AI (artificial intelligence) brings, it can just as easily be turned against the user. Thanks to an advisory by cybersecurity testers Home Security Heroes, we are shown how scary an AI-powered password cracking tool can be. 

(Source: Home Security Heroes)

The tool in question is called PassGAN (Password Generative Adversarial Network), which was initially designed to test password integrity. It utilizes theory-grounded machine learning algorithms to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses. It was developed in 2017 and is available on GitHub as of this writing. In the wrong hands, Home Security Heroes show that PassGAN can make cracking passwords faster and more efficient.

According to the post, passwords with 4-5 characters are cracked instantly by PassGAN. Those with seven characters (even with symbols) take under six minutes to crack. Complexity does matter, though. Of the strongest passwords listed (more than 18 characters) a number-only password took the AI tool as little as 10 months to figure out, whereas the use of a mix of symbols, numbers, lower- and upper-case letters took a monstrous six quintillion years to crack.

(Source: Home Security Heroes)

Regardless of whether hackers used an AI tool like PassGAN or older algorithmic techniques, the moral of the story still applies: users can keep password hacks at bay by adhering to some simple (though often ignored) rules:
  • Ensure that passwords are at least 15 characters long, combining a mix of at least two letters (lower- and upper-case), symbols, and numbers. Randomly-generated ones are usually best.
  • Refrain from using the same password across accounts.
  • Change your password once every 3-6 months, sooner if you think your password has been compromised in any way.
  • Avoid obvious password patterns, such as the ever popular "password0123456789" or "ThisIsMyPassword".