AI Cracker Can Guess Over Half of Common Passwords in 60 Seconds

AI Cracker Can Guess Over Half of Common Passwords in 60 Seconds

It should be noted that AI password crackers such as PassGAN are 100% effective if the password in question has been leaked or breached from a database.

April 13, 2023 by Sumeet Wadhwani

With the advent of, and more importantly, rapid and successful adoption of AI tools such as ChatGPT, DALL-E, and Runway, it has become increasingly clear that the value proposition of such tools extends beyond what their developer intended it to be. ChatGPT is already used for malicious tasks like developing malware and generating phishing emails and campaigns.

Passwords are still the most popular authentication method. Naturally, this begs the question: ‘Can an artificial intelligence-driven tool crack user passwords?’

Well, the answer to that question has been around for at least six years, long before the excitement (and, to some extent, worry) of ChatGPT eclipsed other technologies when password generative adversarial networks or PassGAN research paper was released.

PassGAN, a machine learning-based AI password cracker, relies on neural networks to eliminate manual efforts in password analysis for password cracking or guessing. The PassGAN paper mentions that the technique in existing password-guessing tools, HashCat and John the Ripper, “work well in practice, [though] expanding them to model further passwords is a laborious task that requires specialized expertise.”

As such, the PassGAN: A Deep Learning Approach for Password Guessing authors Briland Hitaj, Giuseppe Ateniese (both Stevens Institute of Technology), Paolo Gasti (New York Institute of Technology), and Fernando Perez-Cruz (Swiss Data Science Center) replaced rule-based and simple data-driven techniques-based (such as Markov models) password guessing with ML.

So, the question isn’t ‘Can an artificial intelligence-driven tool crack user passwords?’ It is actually ‘How long will it take for AI-based tools to crack passwords?’

Texas-based cybersecurity startup Home Security Heroes researched to answer this question. The company trained PassGAN on 15,680,000 passwords from the RockYou dataset, which was leaked in 2009. Home Security Heroes (HSH) discovered that:

•51% of common passwords can be cracked by PassGAN in less than one min

•65% of common passwords can be cracked in less than one hour

•71% of common passwords can be cracked in less than one day

•81% of common passwords can be cracked in less than one month

“PassGAN represents a concerning advancement in password-cracking techniques. This latest approach uses Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, eliminating the need for manual password analysis. While this makes password cracking faster and more efficient, it is a serious threat to your online security,” HSH wrote.

HSH’s PassGAN test revealed that any seven-character password with numbers, lower and uppercase letters, and symbols could be cracked in less than six minutes. The password guessing time for PassGAN increases to seven hours and two weeks for an eight- and nine-character password, respectively, with numbers, lower and uppercase letters, and symbols.

This means it is fairly easy to beat the tool. All you need to do is have a stronger password. Refer to the chart below to gauge how strong your password needs to be. For reference, to crack an 18-character password, it would take PassGAN

•Ten months if it is made up of just numbers

•22 million years if it is made up of just lower-case letters

•7.23 billion years if it is made up of lower- and upper-case letters

•96 trillion years if it is made up of numbers, lower- and upper-case letters

Six quintillion years if it comprises numbers, lower and uppercase letters, and symbols.

It should be noted, however, that AI password crackers (or even conventional, data-driven ones, for that matter) such as PassGAN are 100% effective if the password in question has been leaked or breached from a database.

As such, the efficacy of the ‘AI’ component in password cracking, while evident, mostly remains unexplored. For instance, if an AI tool successfully and accurately guessed a user’s password based on their public profile and posts on social media, then THAT would be an achievement.