In India, ‘password’ was the most popular password in 2022 (Image: Darwin Laganzon/Pixabay)

We have entered an era where the threat of AI taking over some jobs in the near future looks very real. Thanks to the significant progress made in generative AI over the past couple of years, computers can now write, draw, and code on their own. And with new tools emerging almost every day, the technology is only improving.
One such tool doing the rounds on the internet is PassGAN. Featured in a new report published by the cybersecurity firm Home Security Heroes, the AI-based password-cracking tool uses machine learning to generate password guesses, and it is already causing a panic thanks to abilities that appear extremely impressive.
However, while articles on the web may lead you to believe that PassGAN is a scary new tool that employs ChatGPT-like powers to guess passwords, that could not be further from the truth. Read on to find out more.
Unlike conventional password-cracking methods such as combinator attacks and brute force, which enumerate candidates from fixed rules, PassGAN is built on a generative adversarial network (GAN): two neural networks trained against each other, a generator that produces candidate passwords and a discriminator that learns to tell those candidates apart from real leaked passwords. The generator keeps improving until its output is hard to distinguish from the real thing.
It works by first learning the distribution of real passwords from actual password leaks, then generating new candidates that resemble what it has learned. Because those candidates are drawn from the same distribution as human-chosen passwords, it can quickly guess passwords that are common or predictable; it gains nothing against a password that is genuinely random, since there is no pattern to learn.
A recent study by cybersecurity firm Home Security Heroes tested PassGAN’s abilities on a list of over 15 million passwords. The results were alarming: PassGAN could crack 51% of common passwords in under a minute, 61% in an hour, 71% in a day, and 81% in a month.
Key findings of the Home Security Heroes report (Image: Home Security Heroes)
The study also found that passwords of up to 7 characters can be cracked in under 6 minutes, even when they contain symbols and numbers. An interactive calculator on the firm's site lets readers estimate how long their own password would hold up against the tool.
However, every additional character multiplies the number of possible passwords, so the estimated cracking time grows exponentially with length: by the calculator's reckoning, passwords longer than 18 characters would take the AI tool billions of years. Note that such long-password figures are keyspace estimates that assume the password is random; a long password built from dictionary words or a predictable pattern does not get that protection.
It is important to note here that PassGAN was introduced back in 2017. This means that while it’s relatively new and appears to use cutting-edge password-cracking technology, it isn’t really a groundbreaking tool created in the wake of the generative AI era.
According to an Ars Technica op-ed that cited Jeremi Gosney, a Senior Principal Engineer at Yahoo, the AI tool is no more efficient than other, non-AI password crackers. He stated that cracking 80% of passwords similar to those in the RockYou wordlist with conventional password-cracking tools should take no longer than a few hours.
He added that existing statistical tools, including Markov candidate generators, probabilistic candidate generators such as PCFGs, wordlists with mangling rules, and even brute force, all perform better than PassGAN.
Tools like PassGAN only come into play after a data breach has leaked a database of password hashes. When a website is hacked, attackers do not immediately get your passwords; what they get is the site's stored hash of each password, a one-way digest (not an encrypted copy that can be decrypted) that can only be recovered by hashing candidate guesses and comparing the results. PassGAN therefore cannot hack into your, say, Facebook account directly: for it to be of any use, Facebook's password database would first have to be breached, and that is a separate event the tool plays no part in. How fast any of these guessing tools runs also depends on the hash the site used; a slow, salted algorithm such as bcrypt makes every guess far more expensive, so minute/hour/day figures mean little without knowing the hash algorithm behind them.
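Below is an added example of both the point Gosney makes and the "hashes, not plaintext" point above: two of the classical candidate generators he lists (a wordlist with mangling rules and a character-level Markov model) run as an offline attack against a constructed set of leaked hashes. It is not code from the article, from PassGAN or from Home Security Heroes; the training leak, the target passwords, the rule set and the choice of unsalted SHA-256 are all assumptions made for the demonstration.

```python
"""Offline guessing against leaked password hashes.
Added illustrative example: not code from the article, from PassGAN, or
from Home Security Heroes.  Every password and hash below is constructed."""
import hashlib
import random
from collections import Counter, defaultdict

# Constructed stand-in for a previously leaked corpus (think RockYou) that
# the generators learn from or are seeded with.
TRAINING_LEAK = [
    "password", "password1", "iloveyou", "sunshine", "princess", "football",
    "monkey123", "dragon", "letmein", "qwerty", "welcome1", "shadow",
    "baseball", "superman", "passw0rd", "michael", "charlie", "jessica",
]

# Constructed "breached database".  Only the hashes leak, never plaintext.
# Assumption: unsalted SHA-256, the weakest realistic server-side choice.
_TARGETS = ["password", "iloveyou1", "Sunshine!", "monkey123", "dragon2",
            "x9$Qv!7Lm3kP"]                      # the last one is random
LEAKED_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in _TARGETS}


def wordlist_with_rules(words):
    """Wordlist plus a handful of hashcat-style mangling rules (hypothetical
    rule set): as-is, capitalised, trailing digit, trailing symbol, leet."""
    for w in words:
        yield w
        yield w.capitalize()
        for d in range(10):
            yield f"{w}{d}"
            yield f"{w.capitalize()}{d}"
        for s in "!@#":
            yield f"{w.capitalize()}{s}"
        yield w.replace("o", "0").replace("a", "@")


class MarkovGenerator:
    """Order-n character Markov model: learns which character tends to follow
    each n-character context in the leak, then samples new strings from that
    distribution (the kind of 'Markov' generator Gosney refers to)."""
    START, END = "\x02", "\x03"

    def __init__(self, corpus, order=2):
        self.order = order
        self.table = defaultdict(Counter)
        for pw in corpus:
            s = self.START * order + pw + self.END
            for i in range(order, len(s)):
                self.table[s[i - order:i]][s[i]] += 1

    def sample(self, rng, max_len=16):
        ctx, out = self.START * self.order, []
        while len(out) < max_len:
            nxt = self.table.get(ctx)
            if not nxt:
                break
            chars, weights = zip(*nxt.items())
            c = rng.choices(chars, weights)[0]
            if c == self.END:
                break
            out.append(c)
            ctx = (ctx + c)[-self.order:]
        return "".join(out)

    def candidates(self, n, seed=0):
        """Up to n distinct samples; capped at 50n draws so a tiny model
        cannot loop forever."""
        rng, seen = random.Random(seed), set()
        for _ in range(50 * n):
            if len(seen) >= n:
                break
            seen.add(self.sample(rng))
        return seen


def crack(hashes, candidates, budget):
    """Hash each candidate and compare against the leak.  Returns
    ({hash: plaintext} recovered, guesses spent); stops at `budget`."""
    remaining, cracked, used = set(hashes), {}, 0
    for cand in candidates:
        if used >= budget or not remaining:
            break
        used += 1
        h = hashlib.sha256(cand.encode()).hexdigest()
        if h in remaining:
            remaining.discard(h)
            cracked[h] = cand
    return cracked, used


def run_demo(budget=5000):
    """Run both generators against the leaked hashes under one guess budget."""
    wl, wl_used = crack(LEAKED_HASHES, wordlist_with_rules(TRAINING_LEAK), budget)
    mk, mk_used = crack(LEAKED_HASHES,
                        MarkovGenerator(TRAINING_LEAK).candidates(300), budget)
    return {"wordlist": (sorted(wl.values()), wl_used),
            "markov": (sorted(mk.values()), mk_used)}


if __name__ == "__main__":
    for name, (found, used) in run_demo().items():
        print(f"{name:8s}: {len(found)}/{len(LEAKED_HASHES)} cracked "
              f"in {used} guesses: {found}")
```

Running it shows the mangling rules recovering every human-chosen target in a few hundred guesses, the Markov model recovering a subset that depends on what it happens to sample, and neither touching the random 12-character password, which only an exhaustive keyspace search could reach. Swap `hashlib.sha256` for bcrypt with a realistic cost factor and the same guess counts take orders of magnitude longer, which is why published minute/hour/day figures say little without the hash algorithm they were measured against.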
Regardless, it is important to exercise caution and use a unique password for each account, so that one breached account does not hand attackers a free pass to every other account you hold. It is also important to make sure a new password is completely unrelated to the old one, because once attackers know one of your passwords they can often guess the next one fairly easily: variants such as an appended digit or a swapped symbol are exactly what mangling rules and trained generators try first.