Admittedly, it should be clear to everyone by now that “1234” is too weak a password – hopefully. But there are enough other passwords that are far too insecure and are still used.
And as is currently the case in so many areas of technology, the topic of passwords is also being influenced by the current AI boom.
A new Research by cybersecurity firm Home Security Heroes makes that particularly clear. Around 51 percent of the “conventional” passwords in the training data could be cracked in less than a minute.
How it’s done: PassGAN and RockYou
The security experts used the PassGAN password generator, which is based on the »Generative Adversarial Network« (GAN) based. The network is used to learn from real leaks and create passwords that are as realistic as possible.
TO WIN is a machine learning modelwhich pits two neural networks (generator and discriminator) against each other to improve the accuracy of predictions.
The difference between PassGAN and other generators is that the former does not require manual password analysis.
The data comes from a well-known leak from the RockYou company, which was attacked by hackers in 2009. She developed widgets for MySpace and Facebook and lost in the attack 32 million user dataas these were stored in an unencrypted database.
However, “only” 15.6 million passwords were used, as those with fewer than 4 or more than 18 characters were excluded. Unfortunately, the report does not show how large the respective share was.
That’s how (in)secure our passwords are
As mentioned, PassGAN needed for 51 percent of the data, so 8.1 million passwordsnot even a minute. In less than an hour it was 65 percent, after just under a day 71 percent and after a month 81 percent.
Of course, the data is from 2009 and we hope that a lot has happened in terms of password security since then, yes according to stats Germans still use very short passwords. 49 percent use one with 10 characters or fewer.
A graphic from the Home Security Heroes shows how unsafe this can be:
Accordingly, for example, passwords with seven characters, upper and lower case, special characters and numbers in 6 minutes cracked. The graphic also shows how much more security an additional component gives the password.
For example, adding uppercase and lowercase to a simple 10-character password jumps the time it takes to crack it from 1 hour to 4 weeks. With the same number of characters and all possible safeguards, it’s five years.
How secure should my password be?
According to the Home Security Heroes, a password should have at least 15 characters. Below that should be two uppercase and two lowercase letters, a number and a special character – at least. The more variety the better.
Given the current state of technology, a password with this strength needs around 14 billion yearsto be cracked.
How secure are your passwords? Do you have to reconsider when you see the table? When was the last time you tinkered with your passwords? Do you use password managers? If yes, which? Have you ever had an account hacked? Let us know your opinions and experiences in the comments!