How to create a password that can’t be quickly cracked by an AI “password guesser”


The question “Can an AI-driven tool crack user passwords?” has now changed to “How long will it take an AI-driven tool to crack passwords” after the publication made by a Texas-based cybersecurity startup, Home Security Heroes (HSH). The company presented a machine learning-based password cracker named PassGAN ( Password Generative Adversarial Networks) which relies on neural networks to eliminate manual efforts in password analysis for password cracking and guessing.

HSH trained PassGAN on 15,680,000 passwords from the RockYou dataset, which was leaked in 2009, and their result is a lot scaring to all internet users. They discovered that:

  • 51% 0f common passwords can be cracked by PassGAN in less than one minute
  • 65% of common passwords can be cracked in less than one hour
  • 71% of common passwords can be cracked in less than one day
  • 81% of common passwords can be cracked in less than one month.

The publication has a good side noteworthy. PassGAN can crack seven-character passwords with numbers, lower and uppercase letters and symbols in six minutes and can crack eight-character passwords of the same arrangement in seven hours. To crack 18-character passwords, it will take PassGAN:

  • Ten months if it is made up of just numbers
  • 22 million years if it is made up of just lower-case letters
  • 7.23 billion years if it is made up of just lower- and upper-case letters
  • 96 trillion years if it is made up of numbers, lower- and upper-case letters
  • Six quintillion years if it comprises numbers, lower- and upper-case letters, and symbols.

With the chart above, you can possibly bypass the AI tool if you:

  • have at least 12 to15 character passwords comprising upper and lower-case letters, numbers and symbols
  • take care not to have any obvious password pattern
  • don’t use the same password across multiple accounts/platform
  • consistently change your password every three to six months
  • make use of password managers and multi-factor authentication.

Other security measures to take include using an auto-generated password if possible, and refraining from using public Wi-Fi, especially for banking and similar accounts.

PassGAN prowess in cracking passwords is more effective if the password in question has been leaked or breached from a database. Irrespective of the dangers associated with AI, the programmers didn't have such an intention, and security experts kept warning internet users to take every security precaution seriously to not fall victim.