Artificial intelligence (AI) can crack more than half of all common passwords in less than a minute, according to a study published on April 7.
Home Security Heroes used an AI password cracker called PassGAN — which uses deep learning to guess passwords — to scan over 15.6 million passwords. They found that the AI tool can crack most passwords relatively easily.
PassGAN can crack an 11-character password made up of only numbers instantly, the report said. And it takes less than six minutes to crack a seven-character password made up of numbers, letters (uppercase and lowercase), and symbols.
This is particularly concerning as the most common passwords in 2022 were “password” and “123456” — both can be cracked faster than it takes to read this sentence.
There has been widespread interest in AI since the release of OpenAI’s revolutionary generative AI technology, ChatGPT. However, cybersecurity experts have raised concerns that bad actors can leverage AI tools for nefarious purposes like crafting digital scams and creating new breeds of “sophisticated” malware.
This study highlights another way threat actors can harness AI tools for criminal schemes.
What is PassGAN?
Researchers unveiled PassGAN in a research paper published in 2019. It was built to improve upon existing “state-of-the-art password guessing tools, such as Hashcat and John the Ripper,” the researchers said.
PassGAN is “the first password-guessing technique based on generative adversarial networks (GANs)” that does not require user intervention, prior knowledge of passwords, or manual analysis.
While PassGAN can crack most common passwords easily, it takes considerably more time to crack long passwords that contain a combination of numbers, symbols, and letters (uppercase and lowercase). It will take PassGAN millions of years to crack a password with more than 14 characters that contains these same elements:
| Number of Characters | Numbers Only | Lowercase Letters | Upper & Lowercase Letters | Numbers, Upper & Lowercase Letters | Numbers, Upper & Lowercase Letters, Symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | Instantly | 4 Seconds |
| 7 | Instantly | Instantly | 22 Seconds | 42 Seconds | 6 Minutes |
| 8 | Instantly | 3 Seconds | 19 Minutes | 48 Minutes | 7 Hours |
| 9 | Instantly | 1 Minute | 11 Hours | 2 Days | 2 Weeks |
| 10 | Instantly | 1 Hour | 4 Weeks | 6 Months | 5 Years |
| 11 | Instantly | 23 Hours | 4 Years | 38 Years | 356 Years |
| 12 | 25 Seconds | 3 Weeks | 289 Years | 2 Thousand Years | 30 Thousand Years |
| 13 | 3 Minutes | 11 Months | 16 Thousand Years | 91 Thousand Years | 2 Million Years |
| 14 | 36 Minutes | 49 Years | 827 Thousand Years | 9 Million Years | 187 Million Years |
| 15 | 5 Hours | 890 Years | 47 Million Years | 613 Million Years | 14 Billion Years |
| 16 | 2 Days | 23 Thousand Years | 2 Billion Years | 26 Billion Years | 1 Trillion Years |
| 17 | 3 Weeks | 812 Thousand Years | 539.72 Million Years | 2 Trillion Years | 95 Trillion Years |
| 18 | 10 Months | 22 Million Years | 7.23 Billion Years | 96 Trillion Years | 6 Quintillion Years |
Password Security in the Age of AI
Passwords longer than 18 characters “are generally safe against AI password crackers,” the study said. This reinforces the age-old advisory about using long passwords made up of random characters, including numbers, symbols, and both uppercase and lowercase letters.
AI technology is advancing at a fast pace. While complex, longer passwords may surpass PassGAN’s abilities at the moment, it may not be long before more advanced AI tools come along that can crack these passwords.
For now, we recommend using long, highly complex passwords for all your accounts. Ideally, use a password manager to generate highly secure passwords. A password manager can also store and autofill passwords. Refer to our guide to the best password managers for our top picks.
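As an added illustration (not code from the study or from any password manager), this Python sketch shows how a generator can produce a password that meets the guidance above: more than 18 characters, drawn at random from all four character classes in the table's last column. The 20-character default and the function names are assumptions made for this example.

```python
import math
import secrets
import string

# The four character classes from the last column of the table above.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length=20):
    """Return a random password longer than 18 characters that uses every class.

    Characters come from the OS CSPRNG via `secrets`. Candidates missing a
    class are rejected and redrawn, so the result stays uniform over all
    passwords that satisfy the rule (no class is pinned to a fixed position).
    """
    if length <= 18:
        raise ValueError("the study's guidance is more than 18 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def classes_used(password):
    """Names of the character classes present in a password."""
    names = ("digits", "lowercase", "uppercase", "symbols")
    return [n for n, cls in zip(names, CLASSES)
            if any(ch in cls for ch in password)]


def search_space_bits(length, alphabet_size=len(ALPHABET)):
    """log2 of the number of possible passwords of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, classes_used(pw), round(search_space_bits(len(pw)), 1))
```

Comparing `search_space_bits(11, 10)` with `search_space_bits(20)` shows why the numbers-only column of the table falls so much faster than the all-classes column.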
For more actionable tips on how to improve your password security, check out our article on creating secure passwords.
