AI may be able to do lots of cool things like write computer code, tell you a story, and explain the theory of relativity. But it can also do at least one thing that’s not so cool: Figure out your passwords.
A new report released by security experts at Home Security Heroes shows how a savvy AI tool can be used to crack common passwords in minutes or seconds.
To determine how long it would take to crack 15,600,000 common passwords via artificial intelligence, Home Security Heroes enlisted an AI tool known as PassGAN. A combination of the terms “password” and GAN (Generative Adversarial Network), PassGAN is able to master the art of password cracking not through the usual manual processes but by analyzing real passwords from actual leaks. Such an automated method threatens to help the bad guys crack passwords faster and more efficiently.
Looking at all the common passwords, Home Security Heroes found that 81% of them could be cracked in less than a month, 71% in less than a day, 65% in less than an hour, and 51% in less than a minute.
Both the length and the complexity of a password factored into their susceptibility toward cracking. PassGAN took a mere six minutes to figure out a password with seven characters, even if it contained uppercase and lowercase letters, numbers, and symbols. And it took just three minutes to determine a 13-character password with only numbers.
As expected, passwords that combined both length and complexity were the most secure. A nine-character password with all the different types of characters would take five years to crack, while an 18-character one with just numbers would take 10 months to crack. One with 18 characters and all the different types of characters would take six quintillion years.
How and why is PassGAN so adept at figuring out passwords? Most password-cracking tools apply simple data models to run manual password guesses, use password generation rules like concatenation, and make certain assumptions about password patterns. In contrast, PassGAN relies on the GAN part to run on a neural network, which is able to analyze and learn from data to get smarter and smarter.
With this type of threat looming over our passwords, do we just give up and welcome our new AI overlords? No, not when we can fight back by practicing the right type of password hygiene. And that requires following a few rules and requirements, as suggested by Home Security Heroes.
Use strong password patterns: The longer and stronger your password, the more resistant it will be against cracking. This means using at least 15 characters, having at least two letters (uppercase and lowercase) as well as numbers and symbols, and avoiding obvious patterns such as real words.
Change your password regularly: Maybe you’re concerned that someone has accessed one of your accounts. Or perhaps you shared your password with the wrong person. Whatever the reason, you’ll want to change a password periodically to guard against its use and abuse.
Don’t use the same password across multiple accounts: If you repeat the same password across different sites, and a hacker obtains it for one site, what will happen? That hacker can use that cracked password to compromise your other accounts.
Beyond the advice from Home Security Heroes, here’s one more recommendation. Use a password manager. Creating, remembering, and applying a long and complex password for each account is virtually impossible without assistance.
Until passwordless options become universal, a password manager is still your best bet for juggling all the unique passwords for all your accounts.