Experts are warning that now is a good time to update your passwords to something more complex and longer, as AI systems are becoming increasingly proficient at cracking almost all passwords with ease. Cybersecurity researchers at Home Security Heroes recently used the PassGAN AI platform to test how quickly it could crack millions of passwords from RockYou, and the results were shocking.
RockYou was a popular widget for MySpace and Facebook in the early days of social media. However, it was hacked in 2009, and 32 million passwords, stored in plaintext, were leaked to the dark web. The researchers used 15.6 million of these passwords to train the PassGAN AI platform, which is a password generator based on a Generative Adversarial Network (GAN).
PassGAN works by creating fake passwords that mimic real ones found in the wild. It consists of two neural networks, a generator and a discriminator: the generator builds passwords, and the discriminator scans them and reports back to the generator. This constant back-and-forth helps both networks improve their results.
After removing passwords shorter than four characters and longer than 18, the researchers found that 51% of “common” passwords could be cracked in less than a minute. Two-thirds (65%) could be cracked in less than an hour, 71% could be cracked in under a day, and 81% could be cracked in less than a month. Even seven-character passwords with numbers, upper and lowercase letters, and symbols could be cracked in under six minutes.
To stay safe, researchers recommend passwords of at least 15 characters, with lowercase and uppercase letters, numbers, and symbols all mandatory. Such a password would take 14 billion years to decode. It is also recommended to change passwords frequently and to make sure each service has a unique password.
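
The recommendation above, written as a check that could run when a password is set. This is an added example, not code from the researchers or the original article; the function names and the small leaked-password sample are constructed for illustration. It also rejects entries found in a leaked list, because the search-space figure only bounds a blind exhaustive search.

```python
import math
import string

# Rules taken from the article's recommendation; names are this example's own.
MIN_LENGTH = 15
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for a leaked-password list such as RockYou.
SAMPLE_LEAKED = {"123456", "password", "iloveyou", "princess1", "Summer2009!"}


def audit_password(candidate, leaked=SAMPLE_LEAKED, already_used=()):
    """Return the list of rules the candidate fails (empty list = passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("length")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in candidate):
            failures.append(name)
    # Generative guessers learn from leaked corpora, so an exact or
    # case-insensitive match to a leaked entry fails regardless of shape.
    if candidate.lower() in {p.lower() for p in leaked}:
        failures.append("leaked")
    # One password per service: reject anything already in use elsewhere.
    if candidate in already_used:
        failures.append("reused")
    return failures


def exhaustive_search_bits(candidate):
    """log2 of the search space for a blind search over the classes used.

    This is an upper bound: it says nothing about guessers that model
    human patterns, which is why the leaked-list check above exists.
    """
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in candidate))
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("Summer2009!", "aB3$xyz", "v7#Qm!t2Lr9&Zp4wX"):
        print(pw, audit_password(pw), round(exhaustive_search_bits(pw), 1))
```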