If you didn’t already believe that weak passwords could be cracked easily, artificial intelligence is here to prove the point definitively. An AI-driven tool cracked over half the passwords fed to it in under a minute—and 65 percent in under an hour.
The experiment, which was run by cybersecurity firm Home Security Heroes, involved PassGAN, a new kind of password cracker. Unlike typical password cracking tools, which lean on fixed data sets, PassGAN is driven by two neural networks: one taught to generate passwords, and the other taught to distinguish between the first’s “fake” passwords and passwords taken from real data breaches. As it’s trained, this kind of generative adaptive network learns to offer more sophisticated password predictions, allowing for faster and more widespread cracking.
For Home Security Heroes’ test, PassGAN was fed over 15 million passwords from the 2009 RockYou breach, a data set often used to train password cracking tools. Passwords under four and over 18 characters were excluded. To no one’s surprise, passwords with low character count and little character variation were cracked instantly. But even slightly more complex passwords could be determined much more quickly. If simple enough, an 11-character password also fell immediately. Overall, the tool was able to crack 51 percent of common passwords in under a minute, 65 percent in under an hour, 71 percent in a day, and 81 percent in a month.
This chart shows how the mix of numbers, letters, and symbols affects cracking time. (Credit: Home Security Heroes)
Based on their findings, Home Security Heroes offers several pieces of advice, two of which are repeats often said by security experts (and those who report on security, ahem). First, don’t reuse passwords. Second, change your passwords every so often, especially for hacked websites. Finally, use passwords at least 15 characters in length, with a mix of at least two letters (upper and lower case), numbers, and symbols in the string—and don’t follow any obvious or predictable password patterns.
You can read more about Home Security Heroes’s findings in their blog post, but the biggest takeaway just may be how much randomness in a password can affect cracking time. We at PCWorld have said for years (and will keep saying!) to use long, random, and unique passwords for each site, but this experiment drives the point home. Home Security Heroes says that a password with 18 lower and upper case letters, symbols, and numbers would take 6 quintillion years to guess. (A quintillion is one-billion billions, so in other words, that’s a six followed by a heck of a lot of zeros.)
However, that’s right now. An 18-character password likely won’t solve our security needs forever. AI models learn rapidly—you’ve probably seen how other applications that use artificial intelligence (e.g., AI-generated art, AI chat bots) are growing in leaps and bounds. Just imagine that applied to data from never-ending hacks. The only way to stay secure is by employing the strongest passwords you can manage—and there’s help for that in the form of password managers. Not only can they generate random, unique passwords for you, but they’ll help change your credentials when it’s time to yet again step up your password strength. Be sure to turn on two-factor authentication wherever you can, too, just in case your password does go down.
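To make the length-and-randomness advice concrete, here is an added example (not code from PCWorld or Home Security Heroes) that checks a password against the article's recommendations and generates a compliant one the way a password manager would, using the operating system's cryptographic random source. Assumptions: "mix" is read as at least one lowercase letter, one uppercase letter, one digit, and one symbol, and the alphabet is the 94 printable ASCII characters; the bit count is a brute-force upper bound for random passwords, not the study's cracking-time figure.

```python
import math
import secrets
import string

# Assumption: the four classes below are one reading of the article's advice.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable ASCII characters
MIN_LENGTH = 15  # minimum length recommended in the article


def policy_failures(password):
    """Return the list of reasons a password misses the article's advice."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name} character")
    return failures


def generate_password(length=18):
    """Draw characters uniformly with a CSPRNG; redraw until every class appears."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_failures(candidate):
            return candidate


def search_space_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing work, valid only for uniformly random passwords."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for sample in ("iloveyou123", "Summer2023!", generate_password()):  # constructed samples
        print(repr(sample), policy_failures(sample) or "meets the advice")
    for n in (8, 11, 15, 18):
        print(f"{n} random characters: about {search_space_bits(n):.0f} bits")
```

A human-chosen password that passes the class check can still follow a predictable pattern, which is why the bit estimate applies only to generated passwords.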
Author: Alaina Yee, Senior Editor