AI Can Crack Most Common Passwords In Less Than A Minute


If you think you have a strong password, it's time to think again. A new study from Home Security Heroes, a cybersecurity firm, shows how quickly and easily artificial intelligence (AI) can crack your password. The study found that 51% of common passwords can be cracked in less than a minute.

The security researchers used PassGAN, a password generator based on a Generative Adversarial Network (GAN). PassGAN differs from conventional password generators in that it does not depend on manual password analysis or hand-written rules. Instead, as its name implies, the PassGAN model uses a GAN to learn from real password leaks and generate realistic candidate passwords of the kind people actually choose. A GAN is a machine learning (ML) model that pits two neural networks (a generator and a discriminator) against each other to improve the accuracy of its predictions.

In short, the generator produces fake data to fool the discriminator, while the discriminator's job is to tell the real data apart from the fake data the generator created. It becomes a cat-and-mouse game in which both networks benefit from the constant contest: the generator continually improves at constructing convincing fake data, and the discriminator gets better at distinguishing the real data from the fake.

Home Security Heroes trained PassGAN on 15,680,000 common passwords from the RockYou dataset. The firm excluded passwords shorter than four characters or longer than 18 characters from the experiment. For those who have never heard of RockYou, it was a widget developer for popular social media platforms such as MySpace and Facebook. Hackers breached RockYou in 2009, stealing over 32 million users' data because the company stored it in an unencrypted database. The RockYou dataset eventually became a popular choice for training ML password-cracking models.

Numerous data breaches have occurred over the years, with victims including Facebook and Yahoo. So, plenty of leaked personal datasets are out there to train password generators like PassGAN, and more data means more fodder for training the AI.

| # of Characters | Numbers Only | Lower-Case Letters | Upper-case, Lower-case Letters | Upper-case, Lower-case Letters, Numbers | Upper-case, Lower-case Letters, Numbers, Symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | Instantly | 4 Seconds |
| 7 | Instantly | Instantly | 22 Seconds | 42 Seconds | 6 Minutes |
| 8 | Instantly | 3 Seconds | 19 Minutes | 48 Minutes | 7 Hours |
| 9 | Instantly | 1 Minute | 11 Hours | 2 Days | 2 Weeks |
| 10 | Instantly | 1 Hour | 4 Weeks | 6 Months | 5 Years |
| 11 | Instantly | 23 Hours | 4 Years | 38 Years | 356 Years |
| 12 | 25 Seconds | 3 Weeks | 289 Years | 2K Years | 30K Years |
| 13 | 3 Minutes | 11 Months | 16K Years | 91K Years | 2M Years |
| 14 | 36 Minutes | 49 Years | 827K Years | 9M Years | 187M Years |
| 15 | 5 Hours | 890 Years | 47M Years | 613M Years | 14Bn Years |
| 16 | 2 Days | 23K Years | 2Bn Years | 26Bn Years | 1Tn Years |
| 17 | 3 Weeks | 812K Years | 539.72M Years | 2Tn Years | 95Tn Years |
| 18 | 10 Months | 22M Years | 7.23Bn Years | 96Tn Years | 6Qn Years |

Home Security Heroes' findings revealed that PassGAN cracked 51% of common passwords in less than a minute. The AI took somewhat longer with the more challenging passwords: PassGAN cracked 65% in less than an hour, 71% in under a day, and up to 81% in less than a month.

According to Statista, six out of ten Americans have a password between eight and 11 characters long, while less than one-third of the population uses a password of more than 12 characters. That is understandable, since shorter and simpler passwords are easier to remember, but they are also more susceptible to attacks.

It took PassGAN less than six minutes to crack a seven-character password, even one that includes numbers, upper- and lower-case letters, and symbols. Length helps, but so does character mix: PassGAN can unravel a ten-character password made up only of numbers and lower-case letters in an hour, whereas adding upper-case letters, numbers, and symbols to the mix raises the cracking time to up to five years. Therefore, it is not just about having a long password, but one with a challenging pattern, so the AI can't solve it quickly.

Home Security Heroes provided some guidelines for safeguarding your passwords' integrity. For starters, the cybersecurity firm recommends creating a password of at least 15 characters with a strong pattern, combining at least two upper- and lower-case letters with numbers and symbols.

Even if you follow these best practices, PassGAN can figure out a password of eight or nine characters in around seven hours and two weeks, respectively. Passwords of 10 or 11 characters would take the AI approximately five and 365 years to decipher. A 15-character password, however, takes 14 billion years to crack. So changing your password periodically, every three to six months, is also essential. And for good measure, avoid reusing the same password across different accounts.
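As an added worked check (not from the article or from Home Security Heroes), the script below backs out the guess rate the table implies. It assumes each cell is roughly the time to exhaust the full keyspace for that length and character set at a constant rate, and uses the standard ASCII set sizes (10 digits, 26 lower-case, 52 mixed-case, 62 mixed-case plus digits); the symbols column is left out because the article does not say how many symbols it counts. The cell values are copied from the table above; the 4e10 rate used at the end is the rounded figure those cells imply.

```python
from math import log2

# Character-set sizes for four of the table's columns (assumed to be the
# standard ASCII sets; the symbols column is omitted because its set size
# is not stated in the article).
CHARSETS = {"digits": 10, "lower": 26, "mixed": 52, "mixed+digits": 62}

# Seconds per time unit used in the table (assumed: 30-day month, Julian year).
SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
           "week": 7 * 86400, "month": 30 * 86400, "year": 365.25 * 86400}


def keyspace(length, charset):
    """Number of candidate passwords of this length over this character set."""
    return CHARSETS[charset] ** length


def entropy_bits(length, charset):
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * log2(CHARSETS[charset])


def time_to_exhaust(length, charset, guesses_per_second):
    """Seconds needed to try every candidate at a constant guess rate."""
    return keyspace(length, charset) / guesses_per_second


def implied_guess_rate(length, charset, amount, unit):
    """Guess rate (per second) at which the keyspace is exhausted in the quoted time."""
    return keyspace(length, charset) / (amount * SECONDS[unit])


# Cells copied from the table above: (length, column, quoted time, unit).
TABLE_CELLS = [
    (12, "digits", 25, "second"),
    (18, "digits", 10, "month"),
    (18, "lower", 22e6, "year"),
    (12, "mixed", 289, "year"),
    (18, "mixed+digits", 96e12, "year"),
]


def implied_rates():
    """Guess rate implied by each sampled cell; they should roughly agree."""
    return [implied_guess_rate(*cell) for cell in TABLE_CELLS]


if __name__ == "__main__":
    for cell, rate in zip(TABLE_CELLS, implied_rates()):
        print(f"{cell[0]:2d} chars, {cell[1]:13s}: {rate:.1e} guesses/s")
    # With that rate, how long does the article's recommended shape hold up?
    years = time_to_exhaust(15, "mixed+digits", 4e10) / SECONDS["year"]
    print(f"15 chars, mixed+digits at 4e10/s: {years:.2e} years")
```

The sampled cells all imply roughly 4e10 guesses per second, a rate that is only reachable offline against captured password hashes, not through a login form that accepts a few attempts per second.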

AI is here to stay, and the hardware that powers it will keep improving. AI undeniably brings many benefits to our daily lives, but nothing prevents malicious parties from leveraging it for harmful purposes, such as cracking passwords to steal your data.

Zhiye Liu
News Editor and Memory Reviewer

Zhiye Liu is a news editor and memory reviewer at Tom’s Hardware. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.

  • zecoeco
    Well if I'm being honest, most of my passwords include Upper-case, Lower-case Letters, Numbers, Symbols, 12 characters in total
    Plus, I often change it every 3 years.
    Good luck AI ;)
    Reply
  • drivinfast247
    paSsWOrd123!
    Reply
  • InvalidError
    You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I was in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5min after three consecutive failed attempts.
    Reply
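A minimal implementation of the policy InvalidError describes, added here as an example (not the commenter's code or any real product's): at most one attempt per 10 seconds per source IP, and a five-minute lockout after three consecutive failures; the clock is injected so the logic runs offline, and the IP, user name and passwords are constructed values.

```python
from dataclasses import dataclass

MIN_INTERVAL = 10.0   # seconds between attempts from one source IP
MAX_FAILURES = 3      # consecutive failures before lockout
LOCKOUT = 300.0       # lockout duration in seconds (5 minutes)


@dataclass
class SourceState:
    last_attempt: float = -1e18   # time of the most recent counted attempt
    failures: int = 0             # consecutive failed attempts so far
    locked_until: float = 0.0     # lockout expiry time


class LoginThrottle:
    """Per-source throttle; `now` is passed in so the logic is testable offline."""

    def __init__(self, check_password):
        self.check_password = check_password  # callable(user, password) -> bool
        self.sources = {}                     # source IP -> SourceState

    def attempt(self, ip, user, password, now):
        st = self.sources.setdefault(ip, SourceState())
        if now < st.locked_until:
            return "locked"                   # still inside the 5-minute lockout
        if now - st.last_attempt < MIN_INTERVAL:
            return "throttled"                # too soon; not counted as a failure
        st.last_attempt = now
        if self.check_password(user, password):
            st.failures = 0                   # success resets the failure streak
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT   # third consecutive failure: lock out
            return "locked"
        return "denied"


def demo():
    """Drive the throttle with constructed events (time, password); returns outcomes."""
    throttle = LoginThrottle(lambda user, pw: pw == "correct horse battery")
    events = [(0, "wrong1"), (5, "wrong2"), (10, "wrong2"), (20, "wrong3"),
              (30, "correct horse battery"), (330, "correct horse battery")]
    return [throttle.attempt("203.0.113.7", "alice", pw, t) for t, pw in events]


if __name__ == "__main__":
    print(demo())
```

Note that the right password at t=30 is still refused because the lockout is in force, which is exactly what makes a 4e10-guesses-per-second rate impossible against a live login endpoint.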
  • Megangel1
    Another good reason to use 2FA.

    But:
    the table doesn't mean much without knowing what the metric is. Time is just not good enough, is it maximum time, average time, worst case ??? What compute power has been dedicated to the task? One 8086 processor versus Oak Ridge's Frontier ? ... Or have I missed something?
    Also:
    are the attempts against real world apps or against an obtained password in its encrypted form (with the encryption method known)?
    And:
    It's also normally faster to crack 'any one' password within a group of accounts/encrypted passwords than it is to crack a given password. (aardvark could possibly be faster to find than lemons ... marginally )

    Many systems lockout accounts if a number of wrong attempts are made.

    This AI appears to be worse than the table quoted in these articles:

    This is how long it takes hackers to crack your passwords - Technobaboy
    How long will it take to hack your password - Pure Cloud Solutions

    and even from Tom's own article, forget AI and just get eight RTX4090s to do it faster:

    One RTX 4090 Is Faster at Password Cracking Than Three 6900XTs, Eight 1080s | Tom's Hardware (tomshardware.com)
    Reply
  • USAFRet
    InvalidError said:
    You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I was in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5min after three consecutive failed attempts.
    The sad thing is...there are far too many clueless people in charge of those policies. And clueless people above them, approving it.
    Reply
  • Kenneth Hans
    InvalidError said:
    You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I was in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5min after three consecutive failed attempts.

    Not if you start with a hash you've stolen or captured. Then you've got unlimited attempts to break it.
    Reply
  • InvalidError
    Kenneth Hans said:
    Not if you start with a hash you've stolen or captured. Then you've got unlimited attempts to break it.
    If someone managed to get your servers' password file, you probably have more urgent things to worry about since the attacker already has elevated privileged access of some sort.
    Reply
  • PlaneInTheSky
    Megangel1 said:
    Another good reason to use 2FA.
    2FA is completely useless. It is far too vulnerable to phishing. 2FA vulnerabilities have been pointed out so many times.

    Phishing is the main way unauthorized access happens, for individuals and in the corporate world. 2FA being so vulnerable to phishing should make it a non-starter.

    2FA is never implemented because of security reasons (it is useless at that), but it is implemented because it allows the likes of Google, Microsoft and Apple to link your smartphone/email to you; 2FA is enforced onto users to gather private data on users.
    Reply
  • USAFRet
    PlaneInTheSky said:
    2FA is completely useless. It is far too vulnerable to phishing. 2FA vulnerabilities have been pointed out so many times.

    Phishing is the main way unauthorized access happens, for individuals and in the corporate world. 2FA being so vulnerable to phishing should make it a non-starter.

    2FA is never implemented because of security reasons (it is useless at that), but it is implemented because it allows the likes of Google, Microsoft and Apple to link your smartphone/email to you; 2FA is enforced onto users to gather private data on users.
    So what do you suggest instead?
    Reply
  • PlaneInTheSky
    USAFRet said:
    So what do you suggest instead?

    Not using 2FA? It's a security risk, especially when it comes to phishing; there doesn't need to be an alternative to it.
    Reply