Tom’s Hardware
Zhiye Liu

AI Can Crack Most Common Passwords In Less Than A Minute

If you think you have a strong password, it's time to think again. A new study from Home Security Heroes, a cybersecurity firm, shows how quickly and easily artificial intelligence (AI) can crack your password. Statistics show that 51% of common passwords can be cracked in less than a minute.

The security researchers used PassGAN, a password generator based on a Generative Adversarial Network (GAN). PassGAN differs from other password generators in that it doesn't depend on manual password analysis. Instead, as its name implies, the PassGAN model leverages a GAN to learn from real password leaks and generate realistic passwords that you may use. A GAN is a machine learning (ML) model that pits two neural networks (a generator and a discriminator) against each other to improve the accuracy of the predictions.

In short, the generator produces fake data to fool the discriminator. Meanwhile, the discriminator's job is to identify the real data from the fake data created by the generator. It becomes a cat-and-mouse game where both networks benefit from the constant dispute. The generator continually improves to construct better fake data, and the discriminator gets better at differentiating the real data from the fake.

Home Security Heroes fed PassGAN with 15,680,000 common passwords from the RockYou dataset to train the model. The firm excluded passwords that were shorter than four characters or longer than 18 characters from the experiment. For those who have never heard of RockYou, it was a widget developer for popular social media platforms like MySpace or Facebook. Hackers breached RockYou in 2009, stealing over 32 million users' data because the company was storing data inside an unencrypted database. The RockYou dataset eventually became a popular option for training ML password-cracking models.

Numerous data breaches have occurred over the years, with victims including Facebook and Yahoo. So, plenty of personal datasets are out there to train password generators like PassGAN. More data equals more fodder for cultivating the AI.

Home Security Heroes' findings revealed that PassGAN cracked 51% of common passwords in less than a minute. However, the AI took a bit more time with the more challenging passwords. For example, PassGAN cracked 65% in less than an hour, 71% under a day, and up to 81% in less than a month.

According to Statista, six out of ten Americans have a password with a length between eight and 11 characters. However, less than one-third of the population utilizes a password with over 12 characters. That's understandable, since shorter and simpler passwords are easier to remember, but they are also more susceptible to attacks.

It took PassGAN less than six minutes to crack a seven-character password, even if it includes numbers, upper- and lower-case letters, and symbols. PassGAN can also unravel a ten-character password with only numbers and lower-case letters in an hour. However, adding upper-case letters, numbers, and symbols to the mix increases the cracking time by up to five years. Therefore, it's not just about having a long password but one with a challenging pattern, so the AI can't solve it quickly.

Home Security Heroes provided some guidelines for safeguarding your passwords' integrity. For starters, the cybersecurity firm recommends you create a password with at least 15 characters and a strong pattern, combining at least two upper- and lower-case letters with numbers and symbols.

PassGAN can figure out a password with eight or nine characters in around seven hours and two weeks, respectively, even if you follow the best practices. Passwords with 10 or 11 characters would take the AI approximately five and 365 years, respectively, to crack. A 15-character password, however, takes 14 billion years to crack. Changing your password periodically, every three to six months, is also essential. And for good measure, avoid using the same password for different accounts.
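
The guidelines above can be turned into a registration-time check. The following is an added example, not code from the article or from Home Security Heroes: it applies the length and character-class rules and also flags passwords built on a word from a leak, since a model trained on leaks learns exactly those patterns. The `LEAKED_BASES` list and the `LEET` substitution table are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a breach corpus; a real check would use a full leaked-password list.
LEAKED_BASES = ("password", "iloveyou", "princess", "qwerty", "dragon", "monkey")
# Common substitutions undone before matching against leaked words (assumed table).
LEET = str.maketrans("@40!1$537", "aaoiisset")
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}

def class_counts(pw):
    """Count how many characters of each class the password contains."""
    return {name: sum(c in chars for c in pw) for name, chars in CLASSES.items()}

def search_space_bits(pw):
    """Bits an exhaustive search must cover; an upper bound, not real strength."""
    alphabet = sum(len(CLASSES[n]) for n, k in class_counts(pw).items() if k)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def leaked_base(pw):
    """Return the leaked word the password is built on, or None (heuristic)."""
    folded = pw.lower().translate(LEET)
    letters = "".join(c for c in folded if c.isalpha())
    return next((w for w in LEAKED_BASES if w in letters), None)

def audit(pw):
    """List every way the password falls short of the article's guidance."""
    findings = []
    counts = class_counts(pw)
    if len(pw) < 15:
        findings.append("shorter than 15 characters")
    for name in ("upper", "lower"):
        if counts[name] < 2:
            findings.append(f"fewer than two {name}-case letters")
    for name in ("digit", "symbol"):
        if counts[name] < 1:
            findings.append(f"no {name}")
    base = leaked_base(pw)
    if base:
        findings.append(f"built on leaked word '{base}'")
    return findings

if __name__ == "__main__":
    for sample in ("qwerty12", "P@SSw0rd2023!!!", "vK7#qLz9!Rw2@xTe"):
        print(sample, round(search_space_bits(sample)), audit(sample) or "ok")
```

The second sample satisfies every composition rule and scores about 98 bits of search space, yet it is still flagged, which is the article's point about pattern mattering as much as length.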

AI is here to stay, and the hardware that powers AI will improve over time. It's undeniable that AI brings many benefits to our daily lives, but nothing prevents evil parties from leveraging it for malicious purposes, such as cracking passwords to steal your data.
