Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

AI Can Crack Most Passwords in Less Than One Minute

April 20, 2023

As though you needed something else to worry about, right? As I say all the time, AI offers us much that is valuable, but it does the same for cybercriminals (and nation-states intent on gathering data).

TechRadar recently reported that AI can crack most passwords in less than a minute.

Cybersecurity researchers from Home Security Heroes recently fed millions of passwords from RockYou into the PassGAN AI platform to see how fast it could crack them. The results were alarming.

RockYou was a very popular widget for MySpace, and later Facebook, in the early days of social media. However, it was hacked in 2009, and 32 million passwords, stored in plaintext, leaked to the dark web. The RockYou passwords are now often used to train AI tools, and the researchers fed 15.6 million of them into PassGAN.

PassGAN is a password generator based on a Generative Adversarial Network (GAN), which works by creating fake passwords that mimic real ones found in the wild.

It consists of two neural networks, a generator and a discriminator. The generator builds passwords, which the discriminator then scans, reporting its results back to the generator. This constant back-and-forth helps both networks improve their results.

After excluding passwords shorter than 4 characters and longer than 18, the researchers found that 51% of “common” passwords could be cracked in less than a minute. It took less than an hour to crack two-thirds (65%), under a day to crack 71%, and less than a month to crack 81%.

Seven-character passwords were cracked in under six minutes, even if they had numbers, upper and lowercase letters, and symbols. I know that will surprise a lot of people. Seven characters is just too short today.

Researchers suggest people use passwords with at least 15 characters, with lower and upper-case letters, numbers, and symbols being mandatory. Such a password would currently take 14 billion years to decode.
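A defender-side check based on the researchers' recommendation above, as an added example that is not from the original post or from Home Security Heroes: it tests the 15-character, four-character-class rule and also flags passwords that reduce to an entry on a leaked list. The leaked sample, the substitution table and the function names are constructed for illustration, and the leaked-list heuristic goes beyond the rule stated in the post.

```python
import string

# Constructed sample standing in for a leaked-password list such as RockYou.
LEAKED_SAMPLE = {"password", "iloveyou", "princess", "dragon", "monkey"}

# Common character substitutions undone before the lookup (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 15  # minimum length recommended by the researchers


def base_word(password: str) -> str:
    """Reduce a password to the word it was probably built from."""
    # Drop leading/trailing digits and symbols ("2023!"), then undo substitutions.
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def audit(password: str) -> list[str]:
    """Return the reasons a password falls short; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"missing_{name}" for name, ok in classes.items() if not ok]
    # A password that decorates a leaked word still resembles the training data.
    if password.lower() in LEAKED_SAMPLE or base_word(password) in LEAKED_SAMPLE:
        problems.append("resembles_leaked_password")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2023!", "Il0veY0u!!!!2023", "vT9#qLm2&Zr7!xWb"):
        print(candidate, audit(candidate) or "ok")
```

In practice the constructed sample would be replaced by a lookup against a full breached-password corpus.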

Here’s advice from our foxhole: Obviously, don’t reuse passwords, especially those used to get into your work network. Don’t share passwords. Change your work password every 90 days (this should be required by network administrators) – that is the advice most frequently given by cybersecurity experts in 2023.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology