At first glance, it looks quite impressive: within six minutes, the PassGAN AI is said to crack any password of fewer than seven characters, and in less than an hour it has cracked 65 percent of all passwords tested on it. However, what many will read as a reflexive warning about the dangers of AI shows one thing above all: most people keep making the same mistakes when choosing a password, even though it is easy to do better.
The AI even exploits this. To guess passwords so quickly, the model was trained on databases of real passwords. From the patterns it recognizes there, PassGAN assembles new candidates. That works well, but mainly because the majority of passwords are simply bad.
Many password policies are also to blame for this. For years, people have been told that passwords must be complicated and need to be changed regularly. In practice, this had the opposite effect: because people simply cannot remember such passwords, they use shorter ones built according to fixed schemes, and then reuse them in several places. The problem is that this makes them easier for machines to guess.
And not just for AI. Compared with other approaches, PassGAN does not perform particularly well. “These values are neither impressive nor exciting,” expert Jeremi Gosney told “Ars Technica” about the AI approaches. Attacks that simply work through letter and number combinations, weighted by how likely particular characters and positions are, often perform as well or better. Combined with gigantic lists of known words and previously leaked passwords, plus so-called “mangling”, in which popular variants of those words are tried, passwords can be cracked just as quickly or even faster without any help from AI.
The ideal way to deal with passwords is therefore to make guessing as difficult as possible for the machines. One rule stands above all: there is no such thing as a password that is too long. On modern computers, which can try billions of combinations per second, any password with fewer than five characters can be cracked almost immediately, no matter how complex it is. A 13-character password consisting only of random lower-case letters, on the other hand, is found on average after two months. If even one capital letter is added, this rises to 1000 years. Each additional character class, such as numbers or special characters, increases this time further. But more letters help just as much: a password consisting of 18 lower-case letters would take two million years to calculate. A string of several unrelated words, called a passphrase, is therefore more secure than any short password, however complex.
So that people can actually remember their passwords, security experts have long since agreed to drop one of the most pointless requirements: forcing regular password changes only ensures that people choose an easy one. The clear recommendation now is to change a password only if there are signs that it has been leaked or stolen. Reusing a password, however, should be avoided. A password manager is recommended to keep things organized; it can also generate and store the passwords automatically. Then you only have to remember the password for the manager itself, and that one should be strong.
Sources: Home Security Heroes, Ars Technica, BSI, Hive Systems