top of page
Writer's pictureBen Card

AI Cracks Your “Strong” Password in 7 Hours

You thought you were using a strong password. You hoped it would be years before any computer could crack it in a reasonable amount of time.

red eye evil robot

Enter new research by Home Security Heroes, which shows how quickly and easily artificial intelligence (AI) can crack even what most would consider a strong password. The research team demonstrated that 51% of passwords commonly used today can be cracked in less than one minute.

51% of passwords commonly used today can be cracked in less than one minute.

The team used a password generator named PassGAN which is based on a Generative Adversarial Network (GAN)—a machine learning (ML) model. PassGAN differs from traditional password generators because it does not depend on any manual password analysis at all. The PassGAN model leverages the GAN approach to learn from passwords that were found in actual leaks and compromises, generating realistic passwords.

enter your master password

The password generator component of the ML produces fake data to fool the discriminating component, creating a cat-and-mouse game where both ML components benefit from the constant dispute to create ever better fake data.


Home Security Heroes’ approach was to feed a PassGAN with 15,680,000 common passwords from the RockYou dataset—one of the most popular among attackers—to train the model. The team left out all passwords shorter than 4 characters and longer than 18.

The findings reveal that PassGAN can crack 51% of common passwords in less than a minute, as was previously mentioned. The AI took slightly longer to chew through more challenging passwords, cracking 65% of the total in less than an hour, 71% within one day, and 81% in less than a month. See the chart below for one sobering result: a very complex 8 character password can be cracked in only 7 hours.

# of Characters

Numbers Only

Lower-Case Letters

Upper-case, Lower-case Letters

Upper-case, Lower-case Letters, Numbers

Upper-case, Lower-case Letters, Numbers, Symbols

4

INSTANTLY

INSTANTLY

INSTANTLY

INSTANTLY

INSTANTLY

5

INSTANTLY

INSTANTLY

INSTANTLY

INSTANTLY

INSTANTLY

6

INSTANTLY

INSTANTLY

INSTANTLY

INSTANTLY

4 SECONDS

7

INSTANTLY

INSTANTLY

22 SECONDS

42 SECONDS

6 MINUTES

8

INSTANTLY

3 SECONDS

19 MINUTES

48 MINUTES

7 HOURS

9

INSTANTLY

1 MINUTES

11 HOURS

2 DAYS

2 WEEKS

10

INSTANTLY

1 HOURS

4 WEEKS

6 MONTHS

5 YEARS

11

INSTANTLY

23 HOURS

4 YEARS

38 YEARS

356 YEARS

12

25 SECONDS

3 WEEKS

289 YEARS

2K YEARS

30K YEARS

13

3 MINUTES

11 MONTHS

16K YEARS

91K YEARS

2M YEARS

14

36 MINUTES

49 YEARS

827K YEARS

9M YEARS

187M YEARS

15

5 HOURS

890 YEARS

47M YEARS

613M YEARS

14B YEARS

16

2 DAYS

23K YEARS

2B YEARS

26B YEARS

1T YEARS

17

3 WEEKS

812K YEARS

539M+ YEARS

2T YEARS

95T YEARS

18

10 MONTHS

22M YEARS

7.23B YEARS

96T YEARS

6Q YEARS

Pulling in research from Statista, passwords with lengths between 8 and 11 characters are used by six out of ten Americans. Less than one-third of the surveyed individuals use passwords having 12+ characters. Most security standards only require organizations to set policies for users to employ 8 character passwords with high complexity—crackable by AI with relative ease.


The PCI DSS standard—used by most Western financial institutions—still only requires a 7 character minimum password length through 31 March 2025. PassGAN cracks seven-character passwords in less than six minutes, no matter the complexity.

numbers letters in type set

The AI can also reveal a ten-character password which contains only numbers and lower-case letters in just one hour. Adding numbers, symbols, and upper-case letters increases decryption time to five years.


Home Security Heroes shared guidelines for organizations to set safer password policies given today’s threats. The firm recommends using

  • A minimum length of 15 characters, and

  • High complexity requirements, combining a minimum of two upper- and lower-case letters with symbols and numbers


Passwords with 11 characters would still require current AI technologies 365 years to decipher, but that can change rapidly. A 15-character password would require 14 billion years of processing to decode, meaning it is a much safer alternative.

girl and Robot

AI technology will only improve over time and it is projected to bring all manner of benefits to mankind, but threat actors—especially those hostile to the Western World—will also continually be searching out ways to use the advances for nefarious purposes like password cracking. Keeping your organization at least a few steps ahead is highly recommended, no matter your industry or company composition.


Contact us today to discuss this and other security needs to learn how our highly experienced team of security experts can assist you with your objectives.


178 views0 comments

Recent Posts

See All

Comments


bottom of page