AI Is Getting Really Good at Cracking Passwords

A new study by Home Security Heroes suggests artificial intelligence can figure out 51% of common passwords in under a minute

Good news: If you follow some common-sense password practices, even AI will be stumped

We’re cautiously optimistic about how artificial intelligence will change our lives, but there are bound to be some issues where the increased capabilities of AI outstrip our current ability to rein in the technology. Today’s bad news: AI is really, really good at cracking passwords.

The online security company Home Security Heroes ran an AI password cracker called PassGAN through 15,600,000 common passwords to find out how long it would take the program to crack a password.

If you’re using any sort of four-digit password, the answer is “instantly.” And that quick code-cracking continues until you reach a combination of 11 characters and start throwing in uppercase and lowercase letters, plus symbols.

Overall, 51% of common passwords can be cracked in less than a minute, and 71% in a day. And it takes PassGAN under seven minutes to figure out a seven-character password even if it features symbols.

The “good” news: “Passwords > 18 characters are generally safe against AI password crackers, as it takes PassGAN at least 10 months to crack number-only passwords and 6 quintillion years to crack passwords that contain symbols, numbers, lower-case letters, and upper-case letters.”

So what’s PassGAN? The AI autonomously learns the distribution of real passwords from password leaks, eliminating the need for manual password analysis, which is why it’s so quick.

HSH recommends some common-sense password practices to combat this threat: Use at least 15 characters in your password (!); have at least two letters (upper- and lower-case), numbers and symbols in the password; and avoid “obvious” password patterns, no matter what characters you’re using. Also, change those ridiculously long passwords every three to six months.

9to5Mac, when noting this news, also added their own protection suggestions, including auto-generated passwords and two- or multi-factor authentication (plus avoiding public Wi-Fi).

If that all sounds like a bit much, it’s not too far removed from other password suggestions experts have been making for years. It’s also a good time to invest in a password manager, which can nullify your need to remember more than one passcode and generate ridiculously long and hard-to-crack sign-ins for you.
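
The HSH recommendations and the auto-generated passwords mentioned above, sketched as a checker and a generator. This is an added Python example, not code from Home Security Heroes, 9to5Mac or PassGAN. It reads the character advice as at least one character from each of the four classes, and the run, sequence and word-list heuristics for “obvious” patterns are assumptions of the example.

```python
import math
import secrets
import string

MIN_LENGTH = 15  # minimum length the article recommends
CLASSES = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
           "digit": string.digits, "symbol": string.punctuation}
# Constructed sample of obvious fragments (assumption); a real check would
# consult a breached-password list instead.
OBVIOUS = ("password", "qwerty", "letmein", "admin", "welcome", "iloveyou")

def has_run(pw, n=3):
    """True if one character repeats n or more times in a row."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))

def has_sequence(pw, n=4):
    """True if pw holds n consecutive ascending or descending characters."""
    windows = (pw[i:i + n] for i in range(len(pw) - n + 1))
    return any({ord(b) - ord(a) for a, b in zip(w, w[1:])} in ({1}, {-1}) for w in windows)

def check(pw):
    """Return the list of policy violations; empty means pw passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append("no " + name)
    low = pw.lower()
    if has_run(low) or has_sequence(low) or any(w in low for w in OBVIOUS):
        problems.append("obvious pattern")
    return problems

def keyspace_bits(pw):
    """Brute-force search space in bits, from length and classes used only."""
    pool = sum(len(cs) for cs in CLASSES.values() if any(c in cs for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def generate(length=20):
    """Draw from the OS CSPRNG until a candidate passes check()."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check(pw):
            return pw
```

`Password1234567!` scores about 105 bits on length and character classes alone yet fails the pattern check, which is the gap a cracker that learns from leaked passwords takes advantage of.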
