Artificial intelligence (AI) made a larger-than-usual splash recently when word broke of an AI-powered password cracker. I have a bit of AI fatigue, but these stories immediately grabbed my attention — they had me at “passwords.”
If you saw the same headlines and plan to run for the off-the-grid hills — wait. Many of the articles fail to tell the whole truth.
AI absolutely can be used to crack a password. And, no, you shouldn’t worry about it.
I’ll explore the whole truth (and nothing but the truth), and reveal what needs to happen before AI password cracking can truly become new news.
Old news happening to new people
The password cracker mentioned in the recent spate of articles was introduced nearly six years ago in September 2017. But the headlines at the time were dominated by other news so the deep-learning technology didn’t earn much attention.
I’ll summarize the research to save you a deep dive into an academic paper: The tool was marginally successful but never came close to the accuracy of a skilled human hacker.
If you think that’s perhaps a slightly biased view, I’ll provide some context. The researchers used part of an infamous common password list to train the AI-based tool, then tested it on an entirely different set of password hashes (from the 2012 LinkedIn breach, specifically).
These AI tools are just that: tools.
When tested on new data, the password cracking tool had a 24.2% success rate. That figure rose to 34.2% when researchers removed passwords that overlapped both the training and testing datasets.
Human hackers cracked roughly 90% of the same LinkedIn dataset using traditional methods in just 72 hours.
These AI tools are just that: tools. They augment utilities already used by human attackers — they’re not the groundbreaking development some media have made them seem.
Good news is not news
There’s more good news: AI needs to evolve, arguably substantially, before it will represent a legitimately measurable threat to your passwords.
Along with cracked password datasets, AI technologies can be trained with rules. As it cracks passwords with the rules, the technology learns which are more likely to be successful and applies those rules earlier than others. But rule data is limited by the knowledge and ability of human trainers. And while its data is limited, AI capability will be limited.
Now, imagine AI gained access to the type of information held by data brokers and was trained on every piece of data available. That’s something human hackers do already by studying social media profiles and the like, to learn what might influence a person’s passwords.
AI could do it at scale.
That may sound scary, but it would still present a fairly finite threat (as technology stands now). Along with all available information about an individual, the AI would need knowledge of its target’s method of password creation.
While its data is limited, AI capability will be limited.
On that note, I decided to put ChatGPT to the test — primarily for reassurance. That particular AI technology failed pretty comprehensively. The bot provided a number of suggestions that could improve password security but the responses lacked any mention of my password-creation scheme. In fact, when asked pointedly, it returned the response:
As an AI language model, I don’t have any way of knowing what passwords you create for your accounts or anyone else’s for that matter.
It also recommended I rotate my passwords every few months, which is so 90s, but I digress.
ChatGPT’s responses to my questions only solidified that it’s far from where it needs to be to pose a risk. But I’d fail comprehensively if I neglected to address password security at a time when everything about you is freely accessible.
No news is good news
I won’t break new ground here, either: You need random, uniformly generated passwords1. (There’s an app for that!)
When AI is trained on a subset of data and asked to decipher the remainder of the set, it’s “competitively” successful. But when given new data, the technology must attempt every single possible combination because it lacks any source of previous (applicable) knowledge.
AI is helpful only when it can first determine how you choose passwords and, as a result, which passwords are more probable. If all your passwords are created in a truly random manner, each password is just as likely to occur as any other. Even AI will be stumped if tasked with cracking the passwords of an individual without a discernible password-creation pattern.
There’s much more advancement in store.
Yes, this sort of technology can be trained and learn over time, but if each and every password it encounters is unique and entirely random, the rules learned from cracking one password won’t apply to the next.
AI has undoubtedly evolved since the 2017 research paper that spurred this article, and it’s almost definitely safe to say we’ve only scratched the surface; that there’s much more advancement in store. But at this moment, the technology depends on the ever-unpredictable human element.
And its limitations.
This assumes the prevalence of passwords. As we’ve written in the past, it will take time for passwordless authentication (like passkeys) to become the default for every single website, app, and server. Passwords are a reality and will be for a good while. ↩︎
Megan Barker
Security Scribbler
Tweet about this post