By now, you’ve probably heard about a new AI-based password cracker that can compromise your password in seconds by using artificial intelligence instead of more traditional methods. Some outlets have called it "terrifying," "worrying," "alarming," and "savvy." Other publications have fallen over themselves to report that the tool can crack any password with up to seven characters—even if it has symbols and numbers—in under six minutes.
As with so many things involving AI, the claims are served with a generous portion of smoke and mirrors. PassGAN, as the tool is dubbed, performs no better than more conventional cracking methods. In short, anything PassGAN can do, these more tried and true tools do as well or better. And like so many of the non-AI password checkers Ars has criticized in the past—e.g., here, here, and here—the researchers behind PassGAN draw password advice from their experiment that undermines real security.
Teaching a machine to crack
PassGAN is a shortened combination of the words "Password" and "generative adversarial networks." PassGAN is an approach that debuted in 2017. It uses machine learning algorithms running on a neural network in place of conventional methods devised by humans. These GANs generate password guesses after autonomously learning the distribution of passwords by processing the spoils of previous real-world breaches. These guesses are used in offline attacks made possible when a database of password hashes leaks as a result of a security breach.