Password protection in the age of AI
It’s time to talk about passwords.
Since the internet started making its way into homes about 30 years ago, we have consistently been advised to create a good password and keep it private to protect our access. But people are still using weak passwords: common words, simple strings of numbers (including the classic 123456789) and special dates, such as birthdays or anniversaries. These passwords were weak before, but now that computing power is cheaper and more easily available, cybercriminals can crack weak passwords in an instant using brute-force attacks. The answer, we’ve been told, is longer, more complex passwords.
Now there’s a new threat that should push individuals and organisations alike to up their password game: artificial intelligence (AI).
The use of AI allows cybercriminals to combine their ability to innovate with the power and speed of a brute-force attack. AI-based password cracking tools can learn as they go. They can even crack passwords based on the sound of keystrokes. A compromised device could allow an attacker to use such tools to listen in on an office using the device’s microphone and capture passwords being typed in during a video call.
Start strong and build on the basics
There’s no doubt that AI is a game-changing tool in cyber security. Just as attackers are trying to use AI to crack passwords and get into your organisation’s systems, we’re using AI to help us detect and defeat threats. But even AI-based threat detection and countermeasures need a strong foundation, and that comes down to strong password policies throughout your organisation.
In a recent blog post, we looked at how good password hygiene can help battle bot attacks. The advice on how to integrate strong protection into the organisation is still relevant:
- Use a unique password for each separate account
- Use a password manager to help you keep track of your passwords
- Monitor known breaches for your information with sites like haveibeenpwned.com
- Do not use common passwords, like ‘qwerty’ or ‘password’
- Avoid using personal information like birthdays
- Do not share your password with other people
You need to train staff on good password practices and enforce those practices. At the same time, though, you have to work with staff to make it easier to be compliant, with methods such as providing password management tools. Adding multifactor authentication (MFA) provides protection if a password is compromised.
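One way to enforce the checklist above when a password is set or changed, as an added example that is not from the original post: it rejects the weak classes the post names (common passwords, simple number strings, dates and personal information). The function name `screen_password`, the 12-character minimum and the small deny-list are assumptions made for illustration.

```python
from datetime import datetime

MIN_LENGTH = 12  # assumed policy value; the post gives no number
# Constructed sample deny-list; a real deployment loads a far larger one.
COMMON_PASSWORDS = {"qwerty", "password", "123456789", "letmein"}
# Digit layouts commonly used for birthdays and anniversaries.
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")


def _is_sequence(digits):
    """True for runs such as 123456, 987654 or 111111."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def _is_date(digits):
    """True if the digits parse as a calendar date in any common layout."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def screen_password(password, personal_info=()):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in COMMON_PASSWORDS:
        reasons.append("common password")
    if password.isascii() and password.isdigit():
        if _is_sequence(password):
            reasons.append("simple number string")
        if len(password) in (6, 8) and _is_date(password):
            reasons.append("looks like a date")
    # Ignore very short personal items to avoid matching by accident.
    if any(len(i) >= 3 and i.lower() in lowered for i in personal_info):
        reasons.append("contains personal information")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456789", "14021987", "violet-tractor-Nimbus-42"):
        print(candidate, "->", screen_password(candidate) or "accepted")
```

The check covers only what can be judged from the password itself; uniqueness per account and breach monitoring still need a password manager and a breach-notification service.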
The spread of AI-powered password cracking tools does represent an increased threat, but not one that is insurmountable. Maintaining good cyber security practices built on strong fundamentals, and building on those as new tools become available, can help keep your organisation safe. If you’d like to know more about how you can up your password game, please contact us.