If you didn’t already know that weak passwords are easy to break, artificial intelligence will show you for sure. Over half of the passwords it was given to crack took less than a minute, and 65 percent took less than an hour.
A new type of password cracker called PassGAN was used in the experiment, which was run by the cybersecurity company Home Security Heroes. PassGAN is different from most password-cracking tools because it doesn’t rely on fixed data sets.
Instead, it uses two neural networks, one of which is trained to generate passwords and the other to tell the difference between “fake” passwords made by the first and passwords taken from real data breaches. As it is trained, this kind of generative adversarial network (GAN) learns to make more accurate guesses about passwords. This makes cracking faster and easier for more people.
For the Home Security Heroes test, PassGAN was given more than 15 million passwords from the RockYou hack of 2009. This is a data set that is often used to train tools that can break passwords.
Passwords with fewer than four characters or more than 18 were excluded. No one was surprised that short passwords using few different kinds of characters were broken right away.
But even passwords that were a little harder to guess could be found much faster. An 11-character password, if simple enough, would also be broken right away. Overall, the tool could break 51% of common passwords in less than a minute, 65% in less than an hour, 71.5% in a day, and 81.5% in a month.
Based on what they found, Home Security Heroes gives several tips, two of which are things that security experts often say (and those who report on security, ahem). First, don’t use the same password twice.
Second, change your passwords often, especially on sites that have been hacked. Lastly, use passwords that are at least 15 characters long and have a mix of at least two letters (both upper and lower case), numbers, and symbols. Don’t use obvious or predictable patterns in your passwords.
You can read more about what Home Security Heroes found in their blog post, but perhaps the most important thing to take away is how much randomness in a password can affect how long it takes to crack it.
PCWorld has been saying for years (and will continue to say) that each site’s password should be long, random, and different, but this experiment proves the point.
Home Security Heroes says that it would take 6 quintillion years to figure out a password with 18 lowercase and uppercase letters, symbols, and numbers. (One quintillion is equal to one billion billions, so that’s a six followed by a lot of zeros.)
But that is only true as of right now. Most likely, a password with 18 characters won’t be enough to keep us safe forever. AI models learn quickly. You’ve probably seen how other applications that use AI (like AI-generated art and AI chatbots) are growing by leaps and bounds.
Imagine that pace of improvement applied to data from all the hacks that happen all the time. The only way to keep yourself safe is to use the strongest passwords you can manage. Password managers can help you do this.
Not only can they make random, unique passwords for you, but they can also help you change your passwords when you need to make them even stronger. Turn on two-factor authentication wherever you can, in case your password is compromised.
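The tips above (at least 15 characters, mixed character types, no predictable patterns) can be checked mechanically. The Python sketch below is an added example, not code from Home Security Heroes or PCWorld. It assumes a 15-symbol set, reads the "mix" tip as at least one character from each of four classes, and uses a simple three-character run test as its pattern heuristic. All names and sample passwords are constructed for illustration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+?"   # assumed symbol set for this example
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
MIN_LENGTH = 15               # minimum length from the tips above

def keyspace_bits(password):
    """Upper bound on brute-force effort: length * log2(alphabet size in use).
    Only meaningful for random passwords; guessable ones fall far below it."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def has_predictable_run(password, run=3):
    """True if `run` consecutive characters repeat or step by one (aaa, abc, 321)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check(password):
    """Return the list of tips a password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    if not all(any(c in cls for c in password) for cls in CLASSES):
        problems.append("missing a character class")
    if has_predictable_run(password):
        problems.append("contains a predictable run")
    return problems

def generate(length=18):
    """Draw from the OS CSPRNG until the candidate passes every check."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check(candidate):
            return candidate

if __name__ == "__main__":
    for pw in ["password123", "Summer2023!", generate()]:  # constructed samples
        print(f"{len(pw):>2} chars  {keyspace_bits(pw):6.1f} bits  {check(pw) or 'ok'}")
```

The bit count is a ceiling that applies only when every character is chosen at random, which is why the generator uses the `secrets` module and not `random`.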