AI Cracker Can Guess Over Half of Common Passwords in 60 Seconds
It should be noted that AI password crackers such as PassGAN are 100% effective if the password in question has been leaked or breached from a database.
April 13, 2023 by Sumeet Wadhwani
With the advent and, more importantly, the rapid and successful adoption of AI tools such as ChatGPT, DALL-E, and Runway, it has become increasingly clear that the value proposition of such tools extends beyond what their developers intended. ChatGPT is already used for malicious tasks like developing malware and generating phishing emails and campaigns.
Passwords are still the most popular authentication method. Naturally, this begs the question: ‘Can an artificial intelligence-driven tool crack user passwords?’
Well, the answer to that question has been around for at least six years, since the password generative adversarial networks (PassGAN) research paper was released, long before the excitement (and, to some extent, worry) around ChatGPT eclipsed other technologies.
PassGAN, a machine learning-based AI password cracker, relies on neural networks to eliminate manual efforts in password analysis for password cracking or guessing. The PassGAN paper mentions that the techniques in existing password-guessing tools, HashCat and John the Ripper, “work well in practice, [though] expanding them to model further passwords is a laborious task that requires specialized expertise.”
As such, the authors of PassGAN: A Deep Learning Approach for Password Guessing, Briland Hitaj, Giuseppe Ateniese (both Stevens Institute of Technology), Paolo Gasti (New York Institute of Technology), and Fernando Perez-Cruz (Swiss Data Science Center), replaced password guessing based on rules and simple data-driven techniques (such as Markov models) with ML.
So, the question isn’t ‘Can an artificial intelligence-driven tool crack user passwords?’ It is actually ‘How long will it take for AI-based tools to crack passwords?’
Texas-based cybersecurity startup Home Security Heroes conducted research to answer this question. The company trained PassGAN on 15,680,000 passwords from the RockYou dataset, which was leaked in 2009. Home Security Heroes (HSH) discovered that:
• 51% of common passwords can be cracked by PassGAN in less than one minute
• 65% of common passwords can be cracked in less than one hour
• 71% of common passwords can be cracked in less than one day
• 81% of common passwords can be cracked in less than one month
“PassGAN represents a concerning advancement in password-cracking techniques. This latest approach uses Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, eliminating the need for manual password analysis. While this makes password cracking faster and more efficient, it is a serious threat to your online security,” HSH wrote.
HSH’s PassGAN test revealed that any seven-character password with numbers, lower and uppercase letters, and symbols could be cracked in less than six minutes. The password guessing time for PassGAN increases to seven hours and two weeks for an eight- and nine-character password, respectively, with numbers, lower and uppercase letters, and symbols.
This means it is fairly easy to beat the tool. All you need to do is have a stronger password. Refer to the chart below to gauge how strong your password needs to be. For reference, to crack an 18-character password, it would take PassGAN:
• Ten months if it is made up of just numbers
• 22 million years if it is made up of just lower-case letters
• 7.23 billion years if it is made up of lower- and upper-case letters
• 96 trillion years if it is made up of numbers, lower- and upper-case letters
• Six quintillion years if it comprises numbers, lower and uppercase letters, and symbols
It should be noted, however, that AI password crackers (or even conventional, data-driven ones, for that matter) such as PassGAN are 100% effective if the password in question has been leaked or breached from a database.
As such, the efficacy of the ‘AI’ component in password cracking, while evident, mostly remains unexplored. For instance, if an AI tool successfully and accurately guessed a user’s password based on their public profile and posts on social media, then THAT would be an achievement.
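The two points above, that length and character variety grow the search space while a leaked password falls regardless of either, can be combined in one defensive check. This is an added example, not code from the article or from HSH; the sample leaked list, the 60-bit threshold and all function names are assumptions made for illustration, and the SHA-1 prefix index follows the style of a k-anonymity range lookup.

```python
import hashlib
import math
import string

# Constructed sample standing in for a leaked-password corpus.
LEAKED_SAMPLE = ["123456", "password", "iloveyou", "P@ssw0rd!2023xyzABC"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Index leaked hashes by their first 5 hex chars (range-lookup shape)."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def is_leaked(password, index):
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def charset_size(password):
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    # Anything else (punctuation, spaces, non-ASCII) is counted as the symbol class.
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += len(string.punctuation)
    return size

def search_space_bits(password):
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def assess(password, index, min_bits=60.0):  # min_bits is an assumed policy value
    # The leak check comes first: complexity is irrelevant once a password is in a dump.
    if is_leaked(password, index):
        return "reject: found in leaked list"
    if search_space_bits(password) < min_bits:
        return "reject: search space too small"
    return "accept"

if __name__ == "__main__":
    idx = build_range_index(LEAKED_SAMPLE)
    for candidate in ["P@ssw0rd!2023xyzABC", "1234567", "tG7#qLw9!zRb2@Xm5^"]:
        print(candidate, "->", assess(candidate, idx))
```

The first candidate has 19 characters from all four classes and is still rejected, because it appears in the leaked sample.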
Written by
Ambrut Varshni's Tech Chronicles