Here's How Quickly AI Can Crack Your Passwords, According To New Study

Passwords are not always the best security measures in today's webscape. They're difficult to create and manage, and all too easy to compromise. This is because most passwords follow predictable patterns or use a combination of common words that hackers have learnt to crack. Tech.co reported that password management company NordPass says the average person has at least 100 passwords across all their online accounts. It's difficult for most people to keep track of that many, so they resort to using keys that are easy to guess, or a few solid combinations that they reuse across all their accounts. Neither approach is safe against hackers and other malicious agents online.

But there's an even bigger threat in town: Artificial Intelligence. The rise of AI has been all over recent news, and there are several ongoing debates about what the new technology could mean for different areas of life: art, health, education, even nightmares. Now, it turns out that AI has serious implications for online security as well.

Most passwords are unsafe against AI crackers

According to a report by cybersecurity firm HomeSecurityHeroes, an AI password cracker tool called PassGAN (Password Generative Adversarial Network) can breach 51% of all common passwords in less than one minute, 65% in less than an hour, 71% in less than a day, and 81% in less than a month. The company used the tool to analyze over 15 million credentials from the RockYou dataset of leaked passwords, and the findings shed more light on what makes a password weak or strong.

Per the study, it takes PassGAN less than six minutes, on average, to crack any kind of password with fewer than eight characters, whether it contains symbols or not. Numeric passwords offer better security: it takes at least 10 months for PassGAN to crack number-only passwords, but only if they have more than 18 characters. If a password contains a combination of symbols, numbers, lower-case letters, and upper-case letters (which is the recommended blend of characters), it'll take PassGAN six quintillion years to crack.

Of course, the takeaway here is to ensure that the passwords you're choosing for your accounts meet the criteria for what is considered "uncrackable," but that does not make this development less worrying in the long run. This is because AI password crackers like PassGAN will make cyberattacks easier than ever for hackers and crackers. Here's how.

How AI password crackers work

In conventional password cracking, hackers would compare a list of words with the results from a database of leaked or common passwords, then attempt to guess other possible passwords based on variants of those.

With AI password crackers, that process is autonomous. In a fraction of the time required by human hackers, machine learning algorithms like the one used by PassGAN can quickly "learn the distribution of real passwords from actual password leaks". For example, if a password like "password" appears in a leak, AI password crackers can then generate variations of that credential such as "Passw0rd" or "p@ssw0rd" as possible passwords for hacking into other accounts. Because AI learns with use, it will produce these password combinations en masse, and it can get more precise the more predictions it produces.

While this is concerning, it also means that AI password crackers are only fully effective when they have access to leaked passwords or those that have been breached from a database. It's machine "learning," so the system always needs existing data on which to base its predictions, and that's reassuring. It means that you're safe as long as you take steps to protect your online accounts from breaches or leaks. Let's look at a few ways you can do that.

How to create passwords that are safe from AI

One way to ensure that your passwords are hack-proof is to use at least 15 characters, with a mix of upper and lowercase letters, numbers and symbols. It's unlikely that you'll be able to come up with such a combination for all your accounts, so we advise using auto-generated passwords. This is why you'd want to use a password manager — it will generate strong passwords for your accounts, then save and autofill them when necessary.

Make sure that you're not reusing passwords across several accounts. Reused passwords are easily compromised because hackers can get access to all your other accounts if one is breached. Again, password managers are your best friend if you're worried you might not remember multiple unique strings of characters. It also helps to use browsers like Safari that send cautionary notifications about reused and compromised passwords so that you can improve upon them.

Third, update your passwords regularly. McAfee recommends changing them every three months, or sooner if any of your accounts were involved in a data breach.

Fourth, add an extra layer of security with two-factor or multi-factor authentication. Stay away from SMS-based methods, though; they're easily compromised. Lastly, avoid using public WiFi, especially when you're opening your banking apps. While we all await a more effective way of safeguarding our online accounts, these tips should keep you safe from cyberattacks, whether by humans or AI.
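
As an added illustration (not code from the study or from any tool named in this article), here is a small Python check that ties together two points made above: it rejects passwords that reduce to a leaked word once substitutions like "Passw0rd" or "p@ssw0rd" are undone, and it generates a random password meeting the 15-character, mixed-character advice. The blocklist, the substitution table and the function names are assumptions made for the example.

```python
import secrets
import string

# Constructed sample blocklist; a real check would load a breach corpus.
LEAKED = {"password", "iloveyou", "qwerty", "letmein"}

# Assumed substitution table: common look-alike characters mapped back to letters.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def is_leaked_variant(password: str) -> bool:
    """True if the password reduces to a blocklisted word once case,
    look-alike substitutions and leading/trailing digits or symbols are undone."""
    lowered = password.lower()
    trimmed = lowered.strip(string.digits + string.punctuation)
    return any(form.translate(DELEET) in LEAKED for form in (lowered, trimmed))


def policy_problems(password: str) -> list[str]:
    """Return the reasons a password fails the checks; an empty list means it passes."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if not all(any(ch in cls for ch in password) for cls in CLASSES):
        problems.append("missing a character class")
    if is_leaked_variant(password):
        problems.append("variant of a leaked password")
    return problems


def generate(length: int = 20) -> str:
    """Draw a random password from the OS CSPRNG until it passes every check."""
    if length < 15:
        raise ValueError("length must be at least 15")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Passw0rd", "p@ssw0rd", "Password2023!"):
        print(sample, policy_problems(sample))
    print(generate())
```

A password manager does the generation step for you; the variant check is the part worth running against any password you picked by hand.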