You thought you were using a strong password. You hoped it would be years before any computer could crack it in a reasonable amount of time.
Enter new research by Home Security Heroes, which shows how quickly and easily artificial intelligence (AI) can crack even what most would consider a strong password. The research team demonstrated that 51% of passwords commonly used today can be cracked in less than one minute.
51% of passwords commonly used today can be cracked in less than one minute.
The team used a password generator named PassGAN which is based on a Generative Adversarial Network (GAN)—a machine learning (ML) model. PassGAN differs from traditional password generators because it does not depend on any manual password analysis at all. The PassGAN model leverages the GAN approach to learn from passwords that were found in actual leaks and compromises, generating realistic passwords.
The password generator component of the ML produces fake data to fool the discriminating component, creating a cat-and-mouse game where both ML components benefit from the constant dispute to create ever better fake data.
Home Security Heroes’ approach was to feed a PassGAN with 15,680,000 common passwords from the RockYou dataset—one of the most popular among attackers—to train the model. The team left out all passwords shorter than 4 characters and longer than 18.
The findings reveal that PassGAN can crack 51% of common passwords in less than a minute, as was previously mentioned. The AI took slightly longer to chew through more challenging passwords, cracking 65% of the total in less than an hour, 71% within one day, and 81% in less than a month. See the chart below for one sobering result: a very complex 8 character password can be cracked in only 7 hours.
# of Characters | Numbers Only | Lower-Case Letters | Upper-case, Lower-case Letters | Upper-case, Lower-case Letters, Numbers | Upper-case, Lower-case Letters, Numbers, Symbols |
4 | INSTANTLY | INSTANTLY | INSTANTLY | INSTANTLY | INSTANTLY |
5 | INSTANTLY | INSTANTLY | INSTANTLY | INSTANTLY | INSTANTLY |
6 | INSTANTLY | INSTANTLY | INSTANTLY | INSTANTLY | 4 SECONDS |
7 | INSTANTLY | INSTANTLY | 22 SECONDS | 42 SECONDS | 6 MINUTES |
8 | INSTANTLY | 3 SECONDS | 19 MINUTES | 48 MINUTES | 7 HOURS |
9 | INSTANTLY | 1 MINUTES | 11 HOURS | 2 DAYS | 2 WEEKS |
10 | INSTANTLY | 1 HOURS | 4 WEEKS | 6 MONTHS | 5 YEARS |
11 | INSTANTLY | 23 HOURS | 4 YEARS | 38 YEARS | 356 YEARS |
12 | 25 SECONDS | 3 WEEKS | 289 YEARS | 2K YEARS | 30K YEARS |
13 | 3 MINUTES | 11 MONTHS | 16K YEARS | 91K YEARS | 2M YEARS |
14 | 36 MINUTES | 49 YEARS | 827K YEARS | 9M YEARS | 187M YEARS |
15 | 5 HOURS | 890 YEARS | 47M YEARS | 613M YEARS | 14B YEARS |
16 | 2 DAYS | 23K YEARS | 2B YEARS | 26B YEARS | 1T YEARS |
17 | 3 WEEKS | 812K YEARS | 539M+ YEARS | 2T YEARS | 95T YEARS |
18 | 10 MONTHS | 22M YEARS | 7.23B YEARS | 96T YEARS | 6Q YEARS |
Pulling in research from Statista, passwords with lengths between 8 and 11 characters are used by six out of ten Americans. Less than one-third of the surveyed individuals use passwords having 12+ characters. Most security standards only require organizations to set policies for users to employ 8 character passwords with high complexity—crackable by AI with relative ease.
The PCI DSS standard—used by most Western financial institutions—still only requires a 7 character minimum password length through 31 March 2025. PassGAN cracks seven-character passwords in less than six minutes, no matter the complexity.
The AI can also reveal a ten-character password which contains only numbers and lower-case letters in just one hour. Adding numbers, symbols, and upper-case letters increases decryption time to five years.
Home Security Heroes shared guidelines for organizations to set safer password policies given today’s threats. The firm recommends using
A minimum length of 15 characters, and
High complexity requirements, combining a minimum of two upper- and lower-case letters with symbols and numbers
Passwords with 11 characters would still require current AI technologies 365 years to decipher, but that can change rapidly. A 15-character password would require 14 billion years of processing to decode, meaning it is a much safer alternative.
AI technology will only improve over time and it is projected to bring all manner of benefits to mankind, but threat actors—especially those hostile to the Western World—will also continually be searching out ways to use the advances for nefarious purposes like password cracking. Keeping your organization at least a few steps ahead is highly recommended, no matter your industry or company composition.
Contact us today to discuss this and other security needs to learn how our highly experienced team of security experts can assist you with your objectives.
Comments