At present, cracking a password is a rather daunting task: traditional dictionary-based methods are inefficient, and many websites and applications impose cooldown periods or reCAPTCHA verification after several failed login attempts to thwart such attacks. According to a report by Tom’s Hardware, however, the cybersecurity company Home Security Heroes found that with the help of AI, most common passwords can be cracked within a minute.
The researchers used a model called PassGAN, a portmanteau of “password” and “GAN,” where GAN stands for generative adversarial network. A GAN consists of a generator and a discriminator: the generator produces data and the discriminator judges whether that data is convincing, so the two improve each other much like two sparring partners honing their skills. The technique is most often used for image generation. Unlike rudimentary password generators, PassGAN learns from existing password leaks and then generates new password guesses of its own.
The researchers trained PassGAN on 15.68 million commonly used passwords, mostly 4 to 18 characters long, all taken from the RockYou data leak of years ago. In the tests, purely numeric passwords of 11 characters or fewer were cracked almost instantly; a 9-character password of lowercase letters took merely a minute; and passwords mixing uppercase and lowercase letters and symbols took 2 weeks at 9 characters and 7 hours at 8 characters.
While it may initially seem that AI has left no password safe, Home Security Heroes’ research shows that considerably longer and more complex passwords make the job much harder for AI. For instance, cracking a 10-character password of uppercase and lowercase letters and symbols would take 5 years, while an 11-character one would require 356 years. Nevertheless, social engineering attacks remain a greater danger than AI-based cracking, and it is advisable to guard against them first.
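The length and character-class results reported above can be turned into a password-acceptance check, as in this added example (not the researchers' code and not PassGAN itself). The small leaked-password set and the 60-bit keyspace threshold are constructed for the example; the crack-time buckets are the article's figures.

```python
import math
import string

# Constructed stand-in for a breach corpus such as the RockYou dump the
# article mentions; these are illustrative entries, not dump data.
LEAKED = {"123456", "password", "iloveyou", "rockyou", "abc123", "qwerty"}

# Character classes the reported PassGAN results are broken down by.
CLASSES = {
    "digit": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbol": string.punctuation,
}

def classify(pw):
    """Return the set of character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def keyspace_bits(pw):
    """Brute-force keyspace, in bits, for pw's length and character classes."""
    alphabet = sum(len(CLASSES[n]) for n in classify(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def reported_crack_time(pw):
    """Map a password onto the crack-time buckets the article reports.
    Returns None for shapes the article gives no figure for."""
    kinds, n = classify(pw), len(pw)
    if kinds == {"digit"} and n <= 11:
        return "instant"
    if kinds == {"lower"} and n <= 9:
        return "a minute or less"
    if {"lower", "upper", "symbol"} <= kinds:
        return {8: "7 hours", 9: "2 weeks", 10: "5 years", 11: "356 years"}.get(n)
    return None

def check_password(pw, min_bits=60.0):
    """Policy decision: reject leaked passwords and anything PassGAN is
    reported to crack within a day; otherwise require min_bits of keyspace
    (assumed threshold). Returns (accepted, reason)."""
    if pw.lower() in LEAKED:
        return False, "appears in leaked-password corpus"
    bucket = reported_crack_time(pw)
    if bucket in ("instant", "a minute or less", "7 hours"):
        return False, f"reported PassGAN crack time: {bucket}"
    bits = keyspace_bits(pw)
    if bits < min_bits:
        return False, f"keyspace only {bits:.1f} bits"
    return True, f"{bits:.1f} bits of keyspace"
```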