PassGAN AI can crack your passwords in just a few seconds

A new password-cracking tool dubbed PassGAN is capable of cracking your passwords in a jiffy, but is it really a threat? While there's a lot of hype surrounding ChatGPT, other AI tools have also been gaining popularity lately. For instance, there are video generators like Runway Gen 2, and AI image generators such as DALL•E 2.

Notably, Microsoft added Bing AI Image Creator to its Edge browser earlier this month. Most of these AI tools are designed to simplify and expedite complicated tasks. However, AI password crackers like PassGAN are developed to steal someone's personal information. Interestingly, PassGAN isn't new compared to other AI tools. It was launched back in 2017, according to a report by Cornell University.

Moreover, it was updated on GitHub six years ago. So, it is safe to say that PassGAN isn't a new hacking tool created to cash in on ChatGPT's popularity. Cybersecurity research firm Home Security Heroes got alarming results when it put the password-cracking tool to the test. The Home Security Heroes study claims PassGAN is capable of cracking any seven-character password in about six minutes or less.

Moreover, PassGAN can effortlessly crack a seven-character password even if it comprises numbers, uppercase letters, or symbols. Let's check out how this password-cracking AI works.

How does PassGAN work?

ChatGPT combines Chat and GPT (Generative Pre-trained Transformer), while PassGAN is a combination of Password and GAN (Generative Adversarial Network). Like GPT, GAN is the deep learning model the developers use to train their AI. In this case, the model is designed to guess passwords based on the real passwords it has been fed. Home Security Heroes trained PassGAN using the RockYou dataset that appeared as a result of the 2009 RockYou data breach.

After feeding PassGAN the data set, the company got the tool to generate passwords in a bid to correctly guess sample passwords. It took mere seconds for it to guess a wide range of passwords. After using the RockYou dataset to train PassGAN, Home Security Heroes had an AI tool capable of cracking passwords in a snap. So, the burning question is whether you should be panicking.

Is PassGAN really a big deal?

Much to the relief of netizens, there's no need to panic over PassGAN, at least for now. Ars Technica Security Editor Dan Goodin pointed out in his latest op-ed that PassGAN was "mostly hype." Apparently, the AI tool takes as much time as other non-AI password crackers to crack passwords. Senior Principal Engineer at Yahoo Jeremi Gosney told Goodin they can achieve similar results using conventional password-cracking tools.

It would take only a few hours to crack 80 percent of passwords similar to those in the aforesaid RockYou breach. So, Gosney believes the Home Security Heroes study results were "neither impressive nor exciting." Most of the cracked passwords consisted of numbers only, were seven or fewer characters long, and lacked combinations of uppercase letters, lowercase letters, symbols, and numbers.

In other words, you can confuse PassGAN simply by creating an 11 (or more) character password with combinations of uppercase and lowercase letters, symbols, and numbers. PassGAN will reportedly take 365 years to crack this password. Likewise, the password-cracking AI tool will take a whopping 30,000 years to crack a password with more characters.

It is worth noting that you can create passwords that would baffle PassGAN with the help of password managers. Alternatively, you can use a passphrase to confuse PassGAN. Home Security Heroes suggests PassGAN will take about 890 years to crack a 15-character password that comprises only lowercase letters. If you add a capital letter to that password, the AI tool will take 47 million years to crack the password.
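As an added example (not from the article or from Home Security Heroes), the Python sketch below audits passwords against the weak traits listed above and compares exhaustive search-space sizes. The thresholds encode the article's guidance, the sample passwords and the `leaked` set are constructed, and the bit counts are upper bounds for blind brute force, not predictions of cracking time.

```python
import math
import string

# ASCII character classes and the alphabet size each contributes.
# Non-ASCII characters are ignored, which underestimates the space.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

def classes_used(password):
    """Sorted names of the character classes present in the password."""
    return sorted(name for name, (chars, _) in CLASSES.items()
                  if any(c in chars for c in password))

def search_space_bits(password):
    """log2 of the exhaustive search space for this length and alphabet."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def audit(password, leaked=frozenset()):
    """Flag the weak traits the article lists. `leaked` is a hypothetical
    caller-supplied set of passwords known from breach dumps."""
    used = classes_used(password)
    findings = []
    if password in leaked:
        findings.append("in breach list")
    if len(password) <= 7:
        findings.append("seven or fewer characters")
    if used == ["digit"]:
        findings.append("numbers only")
    # Article's guidance: 11+ characters with all four classes, or a
    # 15+ character passphrase.
    if not (len(password) >= 15 or (len(password) >= 11 and len(used) == 4)):
        findings.append("below length/complexity guidance")
    return {"bits": round(search_space_bits(password), 1),
            "classes": used, "findings": findings}

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real dataset.
    samples = ["1234567", "Tr4il#Mix9!q", "correcthorsebat", "Correcthorsebat"]
    leaked = {"correcthorsebat"}
    for pw in samples:
        print(pw, audit(pw, leaked))
```

A 15-character lowercase passphrase meets the length guidance but is still flagged when the exact string is in the breach list, since wordlist and trained-model attacks are built from leaked passwords.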

With cybercriminals using ChatGPT-like tools to create realistic phishing emails, having a strong password can protect your sensitive data from being stolen. However, you do not need to worry about PassGAN and other similar password-cracking tools as long as you follow the best practices to create strong passwords.