Jumping OFF the AI bandwagon.
It’s not surprising. AI or AI-related technology has exploded in terms of capability in recent months, and only looks to be getting more capable moving forward.
I recently ran across a headline stating “AI can crack 51% of common passwords in under a minute, 71% in under a day, and 81% in under a month.”
OK, that’s… interesting. But it’s really burying the lede.
You don’t have to worry about AI, as long as you’re following some basic principles; principles you already know, and already follow.
Become a Patron of Ask Leo! and go ad-free!
AI and password cracking
AI presents some additional risk when it comes to password security. Hackers don’t need AI to crack weak passwords, but AI can make them more efficient. It’s time to increase your passwords to 16 random characters and (as always) stop using the same password at multiple places.
AI adds risk
A recent article from PC World, AI Can Crack Most Passwords Faster than You Can Read this Article, reports that a new approach to password-cracking using an AI-driven tool has made it even easier for hackers.
For me, though, the key takeaway is in the subtitle to the article: “Artificial intelligence is accelerating the ability to crack weak passwords quickly.”
The key? Weak passwords.
You know where this is headed.
AI not required
AI is unnecessary for cracking weak passwords. Hackers can do the same thing with a few simple but persistent algorithms and a powerful computer.
AI brings two things to the table:
- An increase in speed.
- A broader definition of weak.
It also brings the marketing hype and press that’s being given to anything mentioning AI.1
So, who’s using weak passwords?
Well… you, probably. Let’s look at some of the most common things to avoid.
Avoid common password techniques
I’m going to lump so-called weak (or common) passwords into a few categories. They’re really more like common techniques.
- Obvious. A password of “password” is, clearly, a bad password. It and passwords like it will be cracked in a microsecond — with or without AI.
- Good effort, but no. Passwords like “4skLe0!isC00l” feels like a secure password, but is nowhere near being so. Unless it’s very long, any password using a set of rules (aka an algorithm) and/or common words is ripe for the picking. I know: you think you have an uncrackable algorithm, but I’m here to tell you, hackers are smarter than that, and AI is only increasing their apparent intelligence.
- Great effort, but no. This is what I would refer to as passwords done right — just not right enough. Eight-character completely random passwords are a good example. Completely random is great. Using only eight characters makes all that greatness irrelevant.
- Excellent passwords reused. This is the trap that so many people fall into. They do, indeed, create a great password that meets all our criteria, and then spoil it by using it in multiple places.
Every one of those things (and especially combinations of them) make your passwords weak because each is something that so many people do.
How hackers hack
There are three techniques that hackers use that make all those common techniques less than secure, plus a new arrival.
Brute force. Trying every possible password — every possible combination of letters, numbers, and symbols — is a viable cracking technique for passwords that aren’t long enough. Every possible eight-character password can be tested in minutes using today’s hardware, for example. Length matters.
Algorithms. I mentioned the various rules that people apply to their passwords. Things like substituting numbers for letters, appending their birth year or some kind of mnemonic, using intentionally misspelled words, and so on. Hackers know all the tricks, and it’s easy for them to write computer programs generating millions of variations to be used in place of a true brute-force attack.
Previous discoveries. Many people don’t realize this, but once a password has been discovered anywhere, it’s now in the hackers’ hands, and they’ll include it in their hacking efforts. Rather than trying all passwords with a brute-force attack, they try every previously discovered password. If any of your passwords have ever been discovered — again, anywhere — consider that password “burned” and stop using it anywhere.
AI. The new technique — the application of AI — involves building a neural network that learns how people create passwords based on passwords discovered in the wild. Using this knowledge, the AI tool can try passwords that don’t fall into the categories above.
I’m sure there are other techniques, but those are the three most obvious plus the newcomer. They’re the techniques putting you at greatest risk.
The solution
You know where this is headed. The ideal password is:
- Long. 16 characters at a minimum, ideally longer. I like 20. This is new, and a result of AI appearing on the scene.
- Random. literally random characters. Example: “zrm8ntu6vny!mwf-YHM”.
- Unique. used in one and only one place.
That’s it. Three simple rules.
To be fair, you can relax the “random” rule somewhat if you’re willing to go even further on the “length” rule. For example, I have one important password that is a string of five words… but it’s 32 characters long. These kinds of passphrases can be just as secure and somewhat easier to remember.2
What about AI?
So why is AI and password-hacking in the news?
Two reasons.
On one hand, it’s hype. AI is getting a lot of attention right now, and as a result, you’re likely to see AI associated with a lot of things that have nothing at all to do with AI. It’s all about getting your attention and your clicks.
On the other hand, a hacker can use machine learning3 to make their brute-force password-cracking approach more efficient, and thus more likely to crack more passwords constructed using the non-random techniques I described above. Truly random passwords remain immune from this, as randomness is immune from analysis,4 AI-based or otherwise.
Do this
Don’t get wound up by the hype.
However, do choose and use properly secure passwords. Switch to 16-character (or longer), random, unique passwords. That’s really all you need to know.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: Seriously. I’m waiting for “AI-powered” coffeemakers to hit the streets soon. It raises the question: why?
2: But it’s a pain to type.
3: This is the more correct characterization of what’s currently being hyped as AI.
4: OK, ok, technically not true. Algorithms used to generate “randomness” have been analyzed for decades. It’s an important field. But it’s beyond what folks are applying to crack passwords.
Just a quick comment, I have some web sites/programs that only allow 10-12 characters passwords. I guess not all sites have gotten on the band wagon for better security.
Indeed, and that’s quite frustrating.
Leo wrote “once a password has been discovered anywhere, it’s now in the hackers’ hands”
We users are in the hands of the websites whose owners neglect to inform that they have been hacked until way later. One reason to change passwords occasionally, which I used to never do, but now see the importance of doing so.
It’s more of a sign that you should be using different passwords for every single site. Honestly, it’s EXTREMELY rare for a breach exposing passwords to go completely unreported. But even if it happens, as long as you’re using different passwords everywhere, your direct exposure is limited only to that one site.
Leo,
Would one solution be for websites to time-out after a certain number of failed attempts? If a hacker using AI would be timed-out for 5 minutes after, let’s say, ten unsuccessful attempts, with an increasing time out interval for every subsequent ten failed attempts (10 min time-out after the 2nd ten failed attempts, 15 min after the 3rd, etc) wouldn’t they just move on?
Yes. Many websites already do that to protect against brute force bot attacks. That’s definitely one good layer of protection, but unfortunately, not all websites do that. It also won’t protect against a brute force attack on a hacked database. A long random password is your best protection against that.
AI and hackers don’t attack websites directly. They typically work on to stolen databases of encrypted passwords. Please see: How Can a Hacker Try All Possible Passwords If Systems Block Failed Login Attempts?
“Seriously. I’m waiting for “AI-powered” coffeemakers to hit the streets soon. It raises the question: why?”
I have an Internet capable refrigerator. I still can’t figure out why I would want to change the temperature of my fridge when I’m away from home.
i read an askleo article that claimed it would take 20 years for a hacker to figure out a password of 20 random characters, the numbers are just off the top of my head, then what`s the point of changing them every month?
The idea is that if the password is stolen via some other means — say a keylogger. In my experience that becomes evident quickly, so periodic password changes really don’t add value and honestly cause people to choose weaker passwords if forced.
is a passkey a better idea?
https://www.cnn.com/2023/05/03/tech/google-passkeys/index.html
Too soon to say “better”, but it is a very interesting idea.
Dear Leoji, Namaste, you mean WHEN “Long. 16 characters at a minimum, ideally longer, like 20. Random. literally random characters. Example: “zrm8ntu6vny!mwf-YHM”.” such passwords are to be used, one has to have REMOTE Hard? and soft copies (to be copy-pasted from, say a word document) of these passwords stored and updated isn’t it? Not at all Memorisable
A password vault does the job.
So, how secure is a ‘password managing service’? Won’t name it, hasn’t happened, but suppose your service gets hacked and gets access to millions of user passwords? Likely happen or are folks in this industry ‘too smart’ to let that happen? And would they be obligated to announce the hack to all their customers?
Password managers are more secure than any alternative I’ve ever seen proposed. Even with the LastPass hack last year, passwords were not exposed.
What about Password Generating Software?
I’d need more context. What “password generating software” do you mean? If it’s something that generates truly random passwords for you to use, then that’s ideal.
Relax everyone. “AI” cannot crack your password for a specific site. Unfortunately we’re now passing through a phase of computing history when every bit of software is called “AI” – because it’s chic and has marketing value. This happens every 10 years or so. To believe what I just said you need to first understand what the term “AI” refers to, how it’s created and how it’s used. An AI (in the true academic or technical sense) cannot, in real time, crack your specific password for a specific site. At least not yet, and not for a long time to come. I did a Google search for AI password cracking and read through many articles. What I found is that they are all referring to brute force methods of guessing (predicting) likely passwords based on a list of known (stolen) passwords. So, if by “AI” we mean using neural networks to find patterns in how people create passwords then, yes, AI can be trained to guess new likely passwords. But that’s just a static list of passwords. It is completely dissociated from real time password usage. Certainly a hacker can use an AI generated list as a rainbow table to attack a specific victim, but that’s no different than using any such list of likely passwords.
If anything the technique is more like generating a lengthier list of common passwords based not on what passwords were found, but the AI’s learning the techniques people use to create (and obfuscate) passwords.
Some websites won’t allow one to paste in passwords and so having a 16 or 20 random character with UC and LC letters, numbers symbols, etc. password is almost impossible for me to type in correctly.
I agree that there should be about a few seconds delay before a second password could be pasted in and then a long delay after some failed attempts as suggested by Bob Straub should be added also.
I’m not to savvy on these matters.
I do have what I consider pretty strong passwords. One of my email a/c’s has an 18 digit password, the negative is that they are not all random, there are two words in the middle of that password.
My question is, how can AI or a hacker attempt so many entries to an a/c without the default security double checks kicking in?
For example, on one of my run of the mill email a/c’s I had forgotten the password and after 4 or 5 failed attempts it forced me to enter the code number it sent to my back up email and then I had to change my password again.
So how to hackers manage this with multiple attempts every micro second?
I have probably misunderstood the way it is done but thanks for any answers.
Please see: How Can a Hacker Try All Possible Passwords If Systems Block Failed Login Attempts?
Doesn’t a hacker have to try a password to know it’s right? A half-second delay in response is going to add up but not bother a user much. Second thing is to vary the length of your password (more than 18 is going to out-perform exactly 20)
Please see: How Can a Hacker Try All Possible Passwords If Systems Block Failed Login Attempts?
Bob, it bothers me a lot when sites don’t let me paste in a password. I’m forced to be less secure on those sites.
The Food and Drug Administration, with UCSF-Stanford, puts on a monthly series on cybersecurity. There was a great and amusing one by a Carnegie Mellon professor who researches passwords entitled, “Security and Privacy for Humans,” presented by Lorrie Faith Cranor. It was fascinating: https://www.youtube.com/watch?v=1JDEiL-uMZ4
would a long random user name used in conjunction with a long random password add more protection
Not really.
Back in 2013 KoreLogic did some research for DARPA that identified password patterns that people use frequently. There’s a summary here: https://www.huffpost.com/entry/the-big-password-mistake_b_5995208
I imagine that the results of this study would be quite similar to the results of password analysis by AI. They found some of the most common mistakes people make:
• Starting with an upper case letter followed by lower case letters
• When a password isn’t long enough, adding a letter or two to the base word
• Putting digits, especially two or four of them, before or after the letters
• When a special character is required, using “!” and putting it at the end
• Not using two special characters in the same password
When talking to people about passwords, I like to tell them to avoid these predictable patterns in addition to the rules listed by Leo in this great article.
“Reply” still not working for me, so I’m going to add this to the end:
I also hate when websites disable pasting into the password field. This is so stupid! As a workaround, I change the settings in my KeePass autofill to auto-type just my password – this fills the field as though you were typing it in yourself.
And the more secure you make your passwords, especially if using a password manager, the more important it is to give your partner or other trusted relative your master password, so if you are indisposed for any reason (including death) your relatives can get access to your bank and other accounts. This is going to be a problem if you use a fingerprint or facial recognition though.
Facial recognition or fingerprint access isn’t an issue. I’ve never seen a website or app that didn’t have the option of signing in with a password. In fact, my Android phones use fingerprint authentication and occasionally, it forces me to enter the PIN.
I never use facial recognition. Probably because I watch too many action movies where the bad guys or the police hold the phone or tablet up to someone’s face to unlock it. Definitely, paranoia, but I’ve been conditioned. ;-)
Sure glad I caught this article. What a mess. I was finally able to put together “strong” passwords of about 10 characters. At least that’s what the web site was telling me. My neighbor does all her banking by mail or in person. It helps that she is retired. Have to up my game with a password manager. It would seem that the 2 factor ID will help some of this too. Thanks for the warning.
@ Silas Longshot ; that’s why I never use a password manager that stores passwords online as then it makes it outright impossible for someone to hack a database to gain access. offline password managers are clearly the more secure option, but some like the convenience of syncing up their passwords with multiple devices etc with the online ones. personally I would rather have the added security over the “convenience” of syncing.
but personally I just manually make backup copies of the password database file my password manager creates and the copy them to other computers I use manually. I have been using a password manager (i.e. ‘pwsafe.org’ “Designed by renowned security technologist Bruce Schneier”) that’s offline only as the database created on there works on both Windows/Linux (there is a android version but it’s maintained by Jeff Harris where as the standard Windows/Linux one is maintained by Rony Shapiro. I don’t use smart phones with anything important in general, so I have only used the Windows and Linux versions)
p.s. but like Karena said, the ‘reply’ is not working.