If you think you have a strong password, it's time to think again. A new study from Home Security Heroes, a cybersecurity firm, shows how quickly artificial intelligence (AI) can crack passwords: 51% of the common passwords it tested were cracked in less than a minute.
The researchers used PassGAN, a password guesser built on a Generative Adversarial Network (GAN). PassGAN differs from conventional password-guessing tools in that it doesn't depend on manually written rules or hand analysis of password structure. Instead, as its name implies, it uses a GAN to learn from real leaked passwords and generate realistic candidates of the kind people actually choose. A GAN is a machine learning (ML) model that pits two neural networks, a generator and a discriminator, against each other so that both improve through training.
In short, the generator produces fake data meant to fool the discriminator, while the discriminator's job is to tell the real data from the generator's fakes. The result is a cat-and-mouse game in which both networks benefit from the contest: the generator keeps getting better at producing convincing fakes, and the discriminator keeps getting better at telling real from fake. Applied to passwords, the generator ends up producing guesses that follow the same patterns as the leaked passwords it was trained on.
Home Security Heroes trained PassGAN on 15,680,000 common passwords from the RockYou dataset, excluding passwords shorter than four characters or longer than 18. For those who have never heard of RockYou, it was a widget developer for popular social media platforms such as MySpace and Facebook. Hackers breached RockYou in 2009, stealing over 32 million users' records, because the company stored its users' passwords in plaintext. The RockYou dataset has since become a popular option for training ML password-cracking models, and the same list (rockyou.txt) remains a standard wordlist for conventional cracking tools.
Numerous other data breaches have occurred over the years, with victims including Facebook and Yahoo, so plenty of real-world password data is out there to train generators like PassGAN. More data means more fodder for the AI.
Time for PassGAN to crack a password, by length and character set (Home Security Heroes):

| Characters | Numbers only | Lower-case letters | Upper- and lower-case letters | Upper- and lower-case letters, numbers | Upper- and lower-case letters, numbers, symbols |
|---|---|---|---|---|---|
| 7 | Instantly | Instantly | 22 seconds | 42 seconds | 6 minutes |
| 8 | Instantly | 3 seconds | 19 minutes | 48 minutes | 7 hours |
| 9 | Instantly | 1 minute | 11 hours | 2 days | 2 weeks |
| 10 | Instantly | 1 hour | 4 weeks | 6 months | 5 years |
| 11 | Instantly | 23 hours | 4 years | 38 years | 356 years |
| 12 | 25 seconds | 3 weeks | 289 years | 2K years | 30K years |
| 13 | 3 minutes | 11 months | 16K years | 91K years | 2M years |
| 14 | 36 minutes | 49 years | 827K years | 9M years | 187M years |
| 15 | 5 hours | 890 years | 47M years | 613M years | 14Bn years |
| 16 | 2 days | 23K years | 2Bn years | 26Bn years | 1Tn years |
| 17 | 3 weeks | 812K years | 539.72M years | 2Tn years | 95Tn years |
| 18 | 10 months | 22M years | 7.23Bn years | 96Tn years | 6Qn years |

(K = thousand, M = million, Bn = billion, Tn = trillion, Qn = quadrillion.)
Home Security Heroes' findings show that PassGAN cracked 51% of common passwords in less than a minute, and it took longer with the harder ones: 65% fell in under an hour, 71% in under a day, and 81% in under a month. Two things the table above does not state matter a great deal in practice: the hash algorithm the guesses are checked against (a slow, salted hash such as bcrypt costs an attacker orders of magnitude more per guess than an unsalted MD5 or NTLM hash) and the hardware doing the guessing. The times are therefore useful for comparing lengths and character sets against each other rather than as absolute figures, and they describe an offline attack against a stolen password hash, where the attacker has unlimited attempts; a live login form with rate limiting or account lockout allows only a tiny fraction of those guesses.
According to Statista, six out of ten Americans use a password between eight and 11 characters long, while fewer than one-third use a password of more than 12 characters. That is understandable: shorter, simpler passwords are easier to remember, but they are also far more susceptible to attack.
Per the table above, PassGAN needed less than six minutes to crack a seven-character password even when it mixed numbers, upper- and lower-case letters, and symbols. Length helps, but only together with a larger character set: a ten-character password of lower-case letters alone falls in an hour, whereas adding upper-case letters, numbers, and symbols to a password of the same length pushes the cracking time out to five years. So it isn't just about having a long password but about having one with a pattern the AI can't exhaust quickly.
Home Security Heroes also offers some guidelines for keeping your passwords safe. For starters, the firm recommends a password of at least 15 characters with a strong pattern: at least two upper- and lower-case letters, combined with numbers and symbols.
Even if you follow those practices, PassGAN can recover an eight- or nine-character password in around seven hours or two weeks respectively, and a 10- or 11-character one in roughly five or 356 years. A 15-character password, by contrast, takes 14 billion years. The firm also advises changing your passwords periodically, every three to six months, and, for good measure, never reusing the same password across accounts.
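As an added example that is not part of the study or the article, the following Python script computes the exhaustive-search baseline behind a table like the one above: the size of the keyspace for a given length and character set, and how long a guesser running at an assumed rate would need to exhaust it. It also applies the 15-character guideline from the previous paragraph. The guess rates are assumptions labelled in the code, since the study states neither the hash function nor the hardware; `meets_guideline` is my reading of the firm's recommendation, not a tool of theirs; and the sample passwords are constructed, not taken from any breach.

```python
import string

# Character classes corresponding to the columns of the table above.
CLASSES = {
    "digits": set(string.digits),            # 10 symbols
    "lower": set(string.ascii_lowercase),    # 26 symbols
    "upper": set(string.ascii_uppercase),    # 26 symbols
    "symbols": set(string.punctuation),      # 32 symbols
}

# ASSUMED guess rates in guesses per second. None of these figures come from the study.
# - offline_fast_hash:  order of magnitude for one current high-end GPU against an
#                       unsalted fast hash such as MD5 or NTLM.
# - offline_bcrypt:     a deliberately slow, salted hash; each guess is far more costly.
# - online_ratelimited: guessing through a login form that throttles attempts.
ASSUMED_RATES = {
    "offline_fast_hash": 1e11,
    "offline_bcrypt": 1e5,
    "online_ratelimited": 10,
}

UNITS = [
    ("years", 365 * 24 * 3600),
    ("weeks", 7 * 24 * 3600),
    ("days", 24 * 3600),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def character_classes(password: str) -> set:
    """Names of the character classes the password draws from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the smallest table-style alphabet containing every character of the password.
    A brute-force attacker who knows the policy searches this whole alphabet, not just
    the characters that happen to be used."""
    return sum(len(CLASSES[name]) for name in character_classes(password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive search over `alphabet` symbols of `length` must cover."""
    return alphabet ** length


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return keyspace(length, alphabet) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the style of the table: 'instantly', '10.8 minutes', '5.42 years'."""
    if seconds < 1:
        return "instantly"
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_time(password: str, rate_name: str = "offline_fast_hash") -> str:
    """Exhaustive-search time for a password's length and inferred alphabet at an assumed rate."""
    secs = seconds_to_exhaust(len(password), alphabet_size(password), ASSUMED_RATES[rate_name])
    return humanize(secs)


def meets_guideline(password: str) -> bool:
    """My reading of the study's recommendation: 15+ characters, at least two upper-case
    and two lower-case letters, plus at least one digit and one symbol."""
    upper = sum(c in CLASSES["upper"] for c in password)
    lower = sum(c in CLASSES["lower"] for c in password)
    return (
        len(password) >= 15
        and upper >= 2
        and lower >= 2
        and any(c in CLASSES["digits"] for c in password)
        and any(c in CLASSES["symbols"] for c in password)
    )


if __name__ == "__main__":
    # Rebuild the table's rows at the assumed fast-hash GPU rate so the scaling is visible.
    alphabets = {"digits": 10, "lower": 26, "upper+lower": 52, "+digits": 62, "+symbols": 94}
    print("len  " + "  ".join(f"{k:>14}" for k in alphabets))
    for length in range(7, 19):
        row = [humanize(seconds_to_exhaust(length, a, ASSUMED_RATES["offline_fast_hash"]))
               for a in alphabets.values()]
        print(f"{length:>3}  " + "  ".join(f"{cell:>14}" for cell in row))
    # Constructed sample passwords showing how the hash and the online/offline
    # distinction change the same password's exposure.
    for pw in ["hunter2", "Password1!", "Tr0ub4dor&3-Correct!Horse"]:
        print(pw, {r: crack_time(pw, r) for r in ASSUMED_RATES}, "guideline:", meets_guideline(pw))
```

Run as-is and compare with the table: at the assumed fast-hash rate, seven characters over the full 94-symbol alphabet come out at roughly 11 minutes against the table's 6, and ten lower-case characters at about 23 minutes against the table's hour, so the study's figures are of the same order as a one-GPU exhaustive search against a fast hash. Swap in the bcrypt rate and every entry grows by six orders of magnitude, which is exactly the information the table's unstated metric hides.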
AI is here to stay, and the hardware that powers it will only get faster. It's undeniable that AI brings many benefits to our daily lives, but nothing stops malicious actors from turning it to purposes such as cracking passwords to steal your data.
Plus, I often change it every 3 years.
Good luck AI ;)
The table doesn't mean much without knowing what the metric is. Time alone is just not good enough: is it maximum time, average time, worst case? What compute power has been dedicated to the task? One 8086 processor versus Oak Ridge's Frontier? ... Or have I missed something?
Are the attempts against real-world apps or against an obtained password in its encrypted form (with the encryption method known)?
It's also normally faster to crack 'any one' password within a group of accounts/encrypted passwords than it is to crack a given password. (aardvark could possibly be faster to find than lemons ... marginally)
Many systems lockout accounts if a number of wrong attempts are made.
This AI appears to be worse than the table quoted in these articles:
This is how long it takes hackers to crack your passwords - Technobaboy
How long will it take to hack your password - Pure Cloud Solutions
And even from Tom's own article, forget AI and just get eight RTX 4090s to do it faster:
One RTX 4090 Is Faster at Password Cracking Than Three 6900XTs, Eight 1080s | Tom's Hardware (tomshardware.com)
Not if you start with a hash you've stolen or captured. Then you've got unlimited attempts to break it.
Phishing is the main way unauthorized access happens, for individuals and in the corporate world. 2FA being so vulnerable to phishing should make it a non-starter.
2FA is never implemented because of security reasons (it is useless at that), but it is implemented because it allows the likes of Google, Microsoft and Apple to link your smartphone/email to you, 2FA is enforced onto users to gather private data on users.
Not using 2FA? It's a security risk, especially when it comes to phishing, there doesn't need to be an alternative to it.