Even though ChatGPT may be the AI that everyone is thinking about right now, chatbots aren't the only AI tool that has emerged in recent times. DALL•E 2 and Runway Gen 2 are just two examples of AI picture and video creators. Sadly, some AI password crackers exist as well, such as PassGAN.
PassGAN is actually not that new, at least not in the grand scheme of things. The most recent GitHub update was six years ago, and it made its debut back in 2017. In other words, this isn't a brand-new hacking tool developed in response to the ChatGPT revolution. But when it was recently put to the test by cybersecurity research company Home Security Heroes, the results were startling.
PassGAN can break any — yes, any — seven-character password in six minutes or less, according to the Home Security Heroes study. It can quickly crack passwords of seven characters or fewer, regardless of whether they contain symbols, capital letters, or numbers.
Modus operandi
PassGAN combines Password with the Generative Adversarial Network (GAN), much like ChatGPT combines Chat with the Generative Pre-trained Transformer (GPT). In essence, the deep learning model that the AI is trained on is GAN, similar to GPT.
In this case, the model's objective is to provide password guesses based on real-world passwords that it has been given as input. In order to train PassGAN, a popular tool for studies like these, Home Security Heroes used the RockYou dataset that resulted from the 2009 RockYou data breach. PassGAN was given the data set by the organisation, and it then generated passwords in an effort to properly guess sample passwords.
In the end, it was possible to quickly break a wide range of passwords.
Home Security Heroes then had an AI tool trained on actual passwords that could instantly crack passwords after using PassGAN to train on the RockYou dataset.
Should I be alarmed about PassGAN?
The good news is that, for the time being at least, you don't really need to panic about PassGAN. Security Editor for Ars Technica Dan Goodin claimed in an opinion piece that PassGAN was "mostly hype." This is because while the AI tool can fairly easily crack passwords, it doesn't do it any more quickly than other non-AI password crackers.
In example, Goodin quotes Yahoo Senior Principal Engineer Jeremi Gosney, who claimed that using standard password-cracking methods, they could quickly accomplish similar results and decrypt 80% of passwords used in the RockYou breach. For his part, Gosney characterised the study's findings as "neither impressive nor exciting."
And after taking a closer look at the results, you might not be as impressed as you were when you first heard that "50% of common passwords can be cracked in less than a minute." These passwords rarely include capital letters, lowercase letters, digits, and symbols and are primarily made up of numbers with a character count of seven or less.
This means that all it takes to fool PassGAN is a password of at least 11 characters, made up of a mixture of uppercase and lowercase letters, numbers, and symbols. If you can do that, you can make a password that PassGAN will need 365 years to figure out. If you make that number 11 characters long, it becomes 30,000 years. And the finest password managers make it simple to create these kinds of passwords.
But let's say you don't want to use a password manager because you don't trust that they won't be vulnerable to data breaches, like the LastPass compromise in August 2022. It's a legitimate concern. Fortunately, using a passphrase—a password created by combining several words—will likely still be enough to fool PassGAN. Home Security Heroes estimates that it would still take PassGAN on average 890 years to crack a 15-character password made up entirely of lowercase letters. That timeline could jump to a staggering 47 million years if only one capital letter were added, long after our AI overloads have already dominated the world.
However, always keep it in mind that no password is ever completely secure. Despite your best efforts, data breaches might still leave you exposed, and by pure dumb luck, a password cracker might guess your password earlier than planned. But as long as you follow the best practises for password security, you have nothing to worry about with PassGAN or any other rogue actor.
