The hype on AI-based products is growing stronger by the minute. The widespread adoption of GPT engines has inspired developers to build all kinds of technology entourages. We've seen AI generated reports, used GPT to write some of our recent blogs here on MHE's website, and we'll be telling you soon about the ChatGPT-generated malware! But the folks at Home Security Heroes (A Texas-based cybersecurity startup) had a different thought: "can we use AI to guess passwords?" a question that would later be affirmed with the release of PassGAN, and this is how it went:
Password Heist:
In 2021, the cybersecurity domain was shaken by the news of one of the largest password leaks in history. 8.4 Billion passwords were posted in an online forum as a 100GB .txt file. With users utilizing the same passwords across multiple accounts, the number of compromised accounts is believed to be much larger than that of the passwords. The .txt file might have made it to the wrong hands, MHE strongly advises you to reach out to check whether your password was included in the breach or not using our dark web monitoring tools.
PassGAN - The research paper
A research paper named PassGAN (Generative Adversarial Network) was released more than six years ago, shedding light on a Machine Learning-based AI password cracker. The model relies on neural networks to eliminate manual efforts in password analysis for for guessing or cracking. The paper also mentions the technique of some current password guessing tools such as John the Ripper, saying that while the techniques of such tools work well in practice, expanding them to model further passwords is a hard task that requires experts to work on it.
Researchers from Stevens Institute of Technology, New York Institute of Technology and Swiss Data Science Center studied the techniques and recreated the model to test a deep machine learning password cracker algorithm that replaces the rule-based and simple data-driven techniques-based password guessing models (Like Markov's) with Machine Learning. The question of "Can AI guess my password?" has then been replaced with "How fast can AI guess my password) and the answer comes from the attempt carried out by Home Security Heroes (A Texas-based cybersecurity startup) that used a historic leak from 2009 to train the ML model.
While the data in the leaked pool of 2009 (Also a RockYou leak, like the one mentioned earlier) is not as large, 15.8 Million passwords from the 2009 leak were used to train the ML model of the upgraded PassGAN resulting in astounding password-guessing times. HSH claims that PassGAN can guess 7-characters long passwords in under 6 minutes! With the duration extending to seven hours for 8-characters long, and two weeks for 9-characters long passwords with all containing upper/lower case letters, numbers and symbols.
How good is this deep machine learning password cracker at guessing passwords?
51% of common passwords can be cracked by PassGAN in less than one min.
65% of common passwords can be cracked in less than one hour.
71% of common passwords can be cracked in less than one day.
81% of common passwords can be cracked in less than one month.
How long will it take PassGAN to guess an 18-character long complex password?
Ten months if it is made up of just numbers.
22 million years if it is made up of just lower-case letters.
7.23 billion years if it is made up of lower- and upper-case letters.
96 trillion years if it is made up of numbers, lower- and upper-case letters.
Six quintillion years if it comprises numbers, lower and uppercase letters, and symbols.
Conclusion and endnote:
As you can see, despite the sophistication of the tool, it can still be beaten with a long, robust password. When cybersecurity professionals urge team-members to create strong passwords, it is not a flex or a show of strength, it is an objectively effective solution for securing an account. It is also worth noting that the accuracy of the guess made by tools such as PassGAN depends primarily on such data being previously leaked. We agree that such information is comforting but it also begs for the tips we would like to leave you with:
For individuals:
Use a 14+ character long password that contains upper/lower case letters, numbers and symbols.
Use 2-factor authentication whenever possible.
Change your passwords frequently.
Use a different password for each of your accounts.
For corporates:
Consider a dark-web monitoring tool to report on compromised accounts promptly.
Raise your team's security awareness by conducting periodic sessions, and delivering live training sessions.
Simulate phishing attacks to make your team more vigilant and aware.
Sources: