Jumping OFF the AI bandwagon.
It’s not surprising. AI or AI-related technology has exploded in terms of capability in recent months, and only looks to be getting more capable moving forward.
I recently ran across a headline stating “AI can crack 51% of common passwords in under a minute, 71% in under a day, and 81% in under a month.”
OK, that’s… interesting. But it’s really burying the lede.
You don’t have to worry about AI, as long as you’re following some basic principles; principles you already know, and already follow.
AI and password cracking
AI presents some additional risk when it comes to password security. Hackers don’t need AI to crack weak passwords, but AI can make them more efficient. It’s time to increase your passwords to 16 random characters and (as always) stop using the same password at multiple places.
AI adds risk
A recent article from PC World, AI Can Crack Most Passwords Faster than You Can Read this Article, reports that a new approach to password-cracking using an AI-driven tool has made it even easier for hackers.
For me, though, the key takeaway is in the subtitle to the article: “Artificial intelligence is accelerating the ability to crack weak passwords quickly.”
The key? Weak passwords.
You know where this is headed.
AI not required
AI is unnecessary for cracking weak passwords. Hackers can do the same thing with a few simple but persistent algorithms and a powerful computer.
AI brings two things to the table:
- An increase in speed.
- A broader definition of weak.
It also brings the marketing hype and press that’s being given to anything mentioning AI.1
So, who’s using weak passwords?
Well… you, probably. Let’s look at some of the most common things to avoid.
Avoid common password techniques
I’m going to lump so-called weak (or common) passwords into a few categories. They’re really more like common techniques.
- Obvious. A password of “password” is, clearly, a bad password. It and passwords like it will be cracked in a microsecond — with or without AI.
- Good effort, but no. Passwords like “4skLe0!isC00l” feel secure, but they are nowhere near being so. Unless it’s very long, any password built from a set of rules (aka an algorithm) and/or common words is ripe for the picking. I know: you think you have an uncrackable algorithm, but I’m here to tell you, hackers are smarter than that, and AI is only increasing their apparent intelligence.
- Great effort, but no. This is what I would refer to as passwords done right — just not right enough. Eight-character completely random passwords are a good example. Completely random is great. Using only eight characters makes all that greatness irrelevant.
- Excellent passwords reused. This is the trap that so many people fall into. They do, indeed, create a great password that meets all our criteria, and then spoil it by using it in multiple places.
Every one of those things (and especially combinations of them) makes your passwords weak, because each is something that so many people do.
How hackers hack
There are three techniques that hackers use that make all those common techniques less than secure, plus a new arrival.
Brute force. Trying every possible password — every possible combination of letters, numbers, and symbols — is a viable cracking technique for passwords that aren’t long enough. Every possible eight-character password can be tested in minutes using today’s hardware, for example. Length matters.
Algorithms. I mentioned the various rules that people apply to their passwords. Things like substituting numbers for letters, appending their birth year or some kind of mnemonic, using intentionally misspelled words, and so on. Hackers know all the tricks, and it’s easy for them to write computer programs generating millions of variations to be used in place of a true brute-force attack.
Previous discoveries. Many people don’t realize this, but once a password has been discovered anywhere, it’s now in the hackers’ hands, and they’ll include it in their hacking efforts. Rather than trying all passwords with a brute-force attack, they try every previously discovered password. If any of your passwords have ever been discovered — again, anywhere — consider that password “burned” and stop using it anywhere.
AI. The new technique — the application of AI — involves building a neural network that learns how people create passwords based on passwords discovered in the wild. Using this knowledge, the AI tool can try passwords that don’t fall into the categories above.
I’m sure there are other techniques, but those are the three most obvious plus the newcomer. They’re the techniques putting you at greatest risk.
You know where this is headed. The ideal password is:
- Long. 16 characters at a minimum, ideally longer. I like 20. This is new, and a result of AI appearing on the scene.
- Random. Literally random characters. Example: “zrm8ntu6vny!mwf-YHM”.
- Unique. Used in one and only one place.
That’s it. Three simple rules.
To be fair, you can relax the “random” rule somewhat if you’re willing to go even further on the “length” rule. For example, I have one important password that is a string of five words… but it’s 32 characters long. These kinds of passphrases can be just as secure and somewhat easier to remember.2
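To make the three rules and the length argument concrete, here is an added example (my code, not Leo’s) that generates random passwords and passphrases with the operating system’s CSPRNG, compares the search space of 8, 16, and 20 random characters, and checks a candidate against a list of previously discovered passwords. The character set, the word list, the leaked-password set, and the guess rate are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed character set for generated passwords (letters, digits, a few
# symbols). This is an assumption for the example, not a set the page prescribes.
ALPHABET = string.ascii_letters + string.digits + "!-_@#%"

# Constructed stand-in for a list of previously discovered ("burned") passwords.
BURNED = {"password", "123456", "qwerty"}

def random_password(length=20, alphabet=ALPHABET):
    """Rules 1 and 2: long, and uniformly random characters from the OS CSPRNG."""
    if length < 16:
        raise ValueError("16 characters is the minimum; longer is better")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words, count=5, sep="-"):
    """Relaxed rule 2: a passphrase of `count` words chosen at random from a list."""
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(choices, positions):
    """Entropy of `positions` independent uniform picks from `choices` options."""
    return positions * math.log2(choices)

def days_to_exhaust(choices, positions, guesses_per_second):
    """Days needed to try every candidate of this shape at a given guess rate."""
    return choices ** positions / guesses_per_second / 86400

def is_burned(password, burned=BURNED):
    """Rule 3 check: a password that has leaked anywhere should not be used again."""
    return password in burned

if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
    for n in (8, 16, 20):
        # The 1e10 guesses/second rate is a constructed figure for comparison only.
        print(n, "random chars:", f"{days_to_exhaust(len(ALPHABET), n, 1e10):.3g} days")
    print("5 words from a 7776-word list:", f"{entropy_bits(7776, 5):.1f} bits")
```

Doubling the length from 8 to 16 characters doubles the entropy in bits, which squares the number of candidates an exhaustive search has to try.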
What about AI?
So why are AI and password cracking in the news?
On one hand, it’s hype. AI is getting a lot of attention right now, and as a result, you’re likely to see AI associated with a lot of things that have nothing at all to do with AI. It’s all about getting your attention and your clicks.
On the other hand, a hacker can use machine learning3 to make a brute-force password-cracking approach more efficient, and thus more likely to crack passwords constructed using the non-random techniques I described above. Truly random passwords remain immune to this, as randomness is immune to analysis,4 AI-based or otherwise.
Don’t get wound up by the hype.
However, do choose and use properly secure passwords. Switch to 16-character (or longer), random, unique passwords. That’s really all you need to know.
Footnotes & References
1: Seriously. I’m waiting for “AI-powered” coffeemakers to hit the streets soon. It raises the question: why?
2: But it’s a pain to type.
3: This is the more correct characterization of what’s currently being hyped as AI.
4: OK, ok, technically not true. Algorithms used to generate “randomness” have been analyzed for decades. It’s an important field. But it’s beyond what folks are applying to crack passwords.