PassGAN AI can crack your passwords in seconds — here’s how to protect yourself

Holographic login above laptop keyboard
(Image credit: Song_about_summer / Shutterstock)

ChatGPT may be the AI on everyone’s mind right now, but chatbots aren’t the only AI tool we’ve seen recently. There are AI image generators like DALL•E 2, AI video generators such as Runway Gen 2 and more. Unfortunately, there are also AI password crackers — like PassGAN

Oddly enough, PassGAN isn’t all that new, at least relatively. It debuted back in 2017 and the most recent GitHub update was six years ago. In short, this isn’t some new hacking tool created in the wake of the ChatGPT revolution. However, cybersecurity research firm Home Security Heroes recently put it to the test and the results were alarming.

According to the Home Security Heroes study, PassGAN can crack any — yes, any — seven-character password in approximately six minutes or less. It doesn’t matter if it has symbols, uppercase letters or numbers, if it’s seven characters or less, PassGAN can crack it easily.

But before we get into how that affects you, and what you need to do, let’s quickly go over how PassGAN works.

How does PassGAN work?

PassGAN

(Image credit: Home Security Heros)

PassGAN is a combination of Password and Generative Adversarial Network (GAN), much like how ChatGPT is a combination of Chat and Generative Pre-trained Transformer (GPT). GAN, like GPT, is essentially the deep learning model that the AI is trained on.

In this instance, the goal of the model is to generate password guesses based on real-world passwords that the model has been fed. For its study, Home Security Heroes used the RockYou dataset that arose from the 2009 RockYou data breach to train PassGAN, which is a widely used tool for studies such as these. The company fed PassGAN the data set and then got it to generate passwords in an attempt to correctly guess sample passwords. In the end, a wide variety of passwords were able to be cracked in mere seconds.

So after training PassGAN on the RockYou dataset, Home Security Heroes had an AI tool trained on real passwords that could now crack passwords instantly. But if it’s this simple, why shouldn’t everyone be panicking?

Do I need to panic over PassGAN?

The good news is that, no, you don’t really need to panic over PassGAN — at least not for now. In an op-ed, Ars Technica Security Editor Dan Goodin said that PassGAN was “mostly hype.” This is because while the AI tool can crack passwords with relative ease, it doesn’t crack them any faster than other non-AI password crackers. 

In particular, Goodin cites Senior Principal Engineer at Yahoo Jeremi Gosney’s comments where he told Goodin that through conventional password-cracking tools, they could easily achieve similar results, cracking 80% of passwords similar to those in the RockYou breach within a few hours. For his part, Gosney said that the results from the Home Security Heroes study were “neither impressive nor exciting.”

And upon closer look at the results, you may find yourself less impressed than the initial claim of “50% of common passwords can be cracked in less than a minute.” These passwords are largely numbers only, seven characters or less, and rarely combine uppercase letters, lowercase letters, numbers and symbols.

PassGAN

(Image credit: Home Security Heroes)

That means to stump PassGAN, all you need to do is create a password of 11 characters or more that includes a combination of uppercase and lowercase letters, numbers and symbols. If you manage that, you can create a password that will take PassGAN 365 years to crack. Increase that to 11 characters and that number becomes 30,000 years. And you can create these types of passwords easily with the best password managers.

But let’s say you don’t want to use a password manager because you don’t trust that they aren’t susceptible to data breaches — like the LastPass hack in August 2022. It’s not an unreasonable fear. Luckily, all you need to do is use a passphrase (multiple words combined to create a password) and you can still probably stump PassGAN. According to Home Security Heros, a 15-character password using just lowercase letters would still take PassGAN on average 890 years to solve. Add in just one capital letter, and that timeline could increase to a whopping 47 million years, long after our AI overloads have already conquered us.

Granted, no password is ever perfect. Data breaches can still leave you vulnerable despite your best efforts and a password cracker could get your password right earlier than expected through sheer dumb luck. But as long as you use the best practices for password security, you have nothing more to fear from PassGAN than any other bad actor.

More from Tom's Guide

TOPICS
Malcolm McMillan
Senior Streaming Writer

Malcolm McMillan is a senior writer for Tom's Guide, covering all the latest in streaming TV shows and movies. That means news, analysis, recommendations, reviews and more for just about anything you can watch, including sports! If it can be seen on a screen, he can write about it. Previously, Malcolm had been a staff writer for Tom's Guide for over a year, with a focus on artificial intelligence (AI), A/V tech and VR headsets.

Before writing for Tom's Guide, Malcolm worked as a fantasy football analyst writing for several sites and also had a brief stint working for Microsoft selling laptops, Xbox products and even the ill-fated Windows phone. He is passionate about video games and sports, though both cause him to yell at the TV frequently. He proudly sports many tattoos, including an Arsenal tattoo, in honor of the team that causes him to yell at the TV the most.

  • WayneR2000
    Sticky Password is my choice; your master PW is never transmitted, it remains local. It gives you access to all your data /PWs, but no one else can see them. It creates PWs, and those are in the "you'll-be-dead-before-you-crack-this" category.
    Reply
  • gaamer
    WayneR2000 said:
    Sticky Password is my choice; your master PW is never transmitted, it remains local. It gives you access to all your data /PWs, but no one else can see them. It creates PWs, and those are in the "you'll-be-dead-before-you-crack-this" category.

    Sticky password is cheap, especially if you find a deal on stack social. However it has an awful interface. I bought a license and tested it and immediately stopped using it.
    Reply
  • Bettencourt
    by no means it can crack my password in minutes because it takes 3-5 strikes in most websites to activate second factor authentication.
    Reply
  • pbergonzi
    admin said:
    PassGAN is an AI password generation tool that can be used to crack passwords and a recent study showed it can crack most passwords in minutes.

    PassGAN AI can crack your passwords in seconds — here’s how to protect yourself : Read more

    Thanks Malcolm McMillan, for putting that into perspective for me.
    Reply
  • fmast3r
    Nice article, good to know that AI isn't any smarter than the conventional tools :D

    By the way, the phrase "Increase that to 11 characters " in your article needs to be "Increase that to 12 characters " ... search it up :-)

    Thanks!
    Reply
  • cnua
    admin said:
    PassGAN is an AI password generation tool that can be used to crack passwords and a recent study showed it can crack most passwords in minutes.

    PassGAN AI can crack your passwords in seconds — here’s how to protect yourself : Read more
    yourself the author stand in error unredeemable from start to finish; why? because generating passwords and cracking it's use in an authentication system are two very different things; capability to search a database for a character set or produce a given character through generating a match does not translate into a password specific to an authentication system, talk less of the application to such a system that is unlikely to admit unlimited attempts before consideration of time per attempt, even allowing for the unlikely automated interaction.
    Reply