AI has infiltrated an increasing number of industries, and with it, our daily lives. We’ve been hearing a lot more about it due to things like OpenAI’s ChatGPT, Google Bard, and the like. If you haven’t done so on purpose, you may have interacted with AI unknowingly—it's used in website chatbots and by companies like Google, Apple, and Uber to make decisions about map data.

A security startup has used an AI tool to crack passwords, and it can do this blisteringly quickly. That is, if your password isn’t too complicated. Here’s what you should know.

What Is PassGAN AI?

The team at Home Security Heroes (HSH) used a sort of AI neural network, called the password generative adversarial network (or PassGAN), to guess passwords. To train their AI, they used a data set that comprised of leaked passwords from gaming site, RockYou.

So how does the PassGAN AI work? A “Generative Network” comes up with passwords that are likely to be used by everyday folk. Then a “Discriminator Network” compares the password generated against real passwords from the leaked data.

The discriminator network effectively trains the generative network to come up with better, more accurate passwords. It’s a kind of negative feedback that tends towards passwords that people, in general, might use—a sort of generality that may not be very useful in the real world.

How Quickly Can PassGAN AI Crack Passwords?

What the Home Security Heroes team found was that passwords four, five, and six characters long were able to be guessed by the AI almost instantaneously, even if they comprised of a combination of letters (upper and lower case), numbers, and symbols.

Even a seven-digit password with upper and lowercase letters and numbers (but no symbols) could be cracked, according to this model, in under a minute; while the most structurally complex eight- and nine-digit passwords can be cracked in seven hours and two weeks, respectively. If your passwords match these undesirable criteria, it’s time to upgrade.

This table shows just how quickly HSH’s PassGAN test could crack passwords based on their length and complexity.

Password-cracking AI can guess yours
Image Credit: Home Security Heroes

Should You Be Worried About AI Cracking Your Passwords?

While this might sound scary, tools like this have been around for a while and our passwords and logins still remain secure. This is, in part, due to the fact that password crackers, even AI ones that train themselves, are only as good as the dataset at their disposal.

In fact, this is not the first time we’ve heard about PassGAN. In 2017, Science.org, the news site of the journal Science, reported on the then novel way to crack passwords, i.e. using a generative adversarial network. Then, PassGAN was used in conjunction with a password guessing program, hashCat, and still only managed to guess 27 percent of passwords from a leaked set—not a small figure, but not overly alarming either.

Exactly how the folks at Home Security Heroes measure the vulnerability of a particular password is not very well-explained. Whether AI like PassGAN can pick out your needle in the haystack continuum of passwords isn’t clear.

Since tools like PassGAN have been around for a little while now and our passwords haven’t all been figured out by AI (yet), it would appear that you needn’t worry about AI guessing your password; at least not anytime soon... if your password is relatively complex.

How Secure Are Your Passwords?

You can test just how strong your password is via HSH. Though they say that the test passwords you enter are completely private and never saved, we nonetheless advise cuation handing over any real passwords. There are plenty of other tools you can use to test your passwords.

You could, perhaps, try something similar, that follows the same logic as your password—a capital letter here, a symbol there—to find out how your password stands up against AI that is built on generative adversarial network-type architecture.

Security in a digital age

So what can you do about AI like PassGAN? Not much. These AI models are out there and will continue to get more refined (though not necessarily “smarter”) with each password leak and compromised dataset event. The chief defense you have is a seriously strong password. You need to know how to create a strong password that you won’t forget. Another way to safeguard yourself against threats like this is to use multi-factor authentication on as many of your accounts as possible.

As things stand currently with AI models and the data available to them, any password that is at least 11 characters long and contains numbers, upper and lowercase letters, as well as symbols is considered beefy enough to withstand cracking. So begin there. Create a password long enough to keep even the most refined AI tools guessing for eons to come.

What’s Next for AI Password-Cracking?

Really, who knows? Artificial intelligence is always striding ahead in leaps and bounds. Leave the cutting edge tech to the folks in the know. But at the same time, don’t turn a blind eye to developments. And lock your front doors.