How Secure Are Your Passwords?

A recent article in Forbes highlights a new trend in security that all users of technology should be aware of. Although password cracking tools have been widely used by adversaries for many years, AI is making it easier than ever for criminals to guess your passwords. Continue reading to learn more.

What Is Password Cracking?

Almost since the creation of the password, there have been password cracking tools. Traditional password crackers work by brute force, trying all possible and highly probable combinations of letters, numbers and symbols until the password is guessed correctly. When passwords were short and simple, these tools worked extremely well. But as the character complexity and length of passwords steadily increased, the bad guys had to get smarter. They added precomputed hash tables for the most common passwords, called rainbow tables. These included variants with symbol-for-letter substitution, such as P@55w0rd, as well as other commonly used passwords (think password, admin, letmein, etc.). For years this was the gold standard, and it was highly effective.

Why Is Password Cracking So Effective?

The success of password crackers is due in large part to poor security practices by users. In conjunction with World Password Day, security firm Bitwarden published its recent findings, highlighting a number of shocking statistics. More than one third of respondents use personal information as part of their passwords. Given social media mining techniques, this private information is highly unlikely to remain secret. Further, more than half of users surveyed rely on their memory for managing passwords. This implies the passwords are most likely relatively simple and thus easy for cracking tools to guess.

In the survey, nearly two thirds of users were confident they could identify a phishing attack, yet almost twenty percent also admitted to having been the victim of a breach. Also, more than a third of users are aware that their own workplace security practices are risky, despite training and awareness campaigns by their employers.

These statistics highlight an alarming trend. Users don't seem to be adopting secure password practices, despite being aware of the need and informed about the rise of cybercrime. As reported by the Insurance Information Institute, 2023 saw a record number of compromises, a 72% increase from the previous high-water mark.

How Has AI Changed The Game?

Making matters worse is the newest development in password cracking technology: smart guessing algorithms. Bolstered by artificial intelligence, smart guessing relies on human nature to reduce the number of combinations that need to be tried. These algorithms predict likely character combinations, putting the most common sequences at the head of the line. They take into account the fact that most users create passwords from common dictionary words, perhaps separated by a number or a symbol. They also account for the fact that many users stick to words made from keys in the middle of the keyboard so that the password is easy to type.

Using this new technology, the Forbes article cites data from Kaspersky showing 45% of more than 190 million actual passwords were cracked in less than sixty seconds.
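The two sections above describe what crackers already model: symbol-for-letter substitutions on common passwords, and a dictionary word with a number or symbol tacked on. The defender's counterpart is a password check that undoes those tricks before comparing against a list. The following is an added example, not code from the article or from Black Kilt; the word lists are small constructed samples (a real deployment would load a breach-derived corpus instead), and the substitution map is an assumed subset of what cracking rule sets use.

```python
"""Password-policy check that sees through the tricks crackers already model."""
import re
from typing import Optional, Set

# Constructed sample of "most common passwords" (replace with a breach-derived list).
COMMON_PASSWORDS = {"password", "admin", "letmein", "qwerty", "123456", "welcome"}

# Constructed sample of dictionary words users build passwords around.
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "pizza"}

# Assumed symbol-for-letter substitutions; the checker applies them in reverse.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Digits and symbols tacked on the end, e.g. the "42!" in "Dragon42!".
TRAILING = re.compile(r"[\d\W_]+$")


def candidates(password: str) -> Set[str]:
    """Forms a cracker would try: lowercase, with the trailing tail removed,
    de-leeted, and every combination of those."""
    base = password.lower()
    forms = {base, TRAILING.sub("", base)}
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    # The tail itself may get de-leeted ("2024" -> "2o2a"), so strip once more.
    forms |= {TRAILING.sub("", f) for f in list(forms)}
    return forms


def weakness(password: str) -> Optional[str]:
    """Return why a cracker would reach this password quickly, or None."""
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        return "common password (possibly with substitutions or a suffix)"
    if forms & DICTIONARY_WORDS:
        return "dictionary word plus number/symbol"
    if len(password) < 12:
        return "too short for brute force resistance"
    return None


if __name__ == "__main__":
    for pw in ["P@55w0rd!", "Passw0rd2024", "L3tM3!n", "Dragon42!", "Il2epoT@CIiAAM."]:
        print(f"{pw:20} -> {weakness(pw)}")
```

The point of the check is that P@55w0rd, Passw0rd2024 and L3tM3!n all collapse to entries on the common list, so they earn no credit for their symbols and digits; only a string that survives normalisation and is long enough passes.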

What Can Users Do To Protect Themselves?

The best defense against password cracking is to avoid the use of passwords altogether. The use of passkeys, biometrics and hardware devices can reduce or eliminate the need for traditional passwords. Unfortunately, these technologies require changes to the back-end systems. As such, adoption has been slow. Two-factor mechanisms such as authenticator apps or text messages provide an additional layer of security on top of passwords. This speed bump can notify users that there's a breach attempt and shut down the crooks.

If traditional passwords cannot be avoided, the best advice is to use a password manager application to generate unique random passwords that are highly complex and difficult to guess. These apps securely store the unique passwords, allowing for a completely different password for each application. But for those who can't or won't use password manager apps, there's a simple scheme that allows a user to generate complex passwords that are hard to guess, easy to remember and unique for each application. This involves generating a sentence such as "I like to eat pizza on Tuesdays at Cottage Inn in Ann Arbor Michigan." Taking the first letter of each word and adding some common substitutions, the password becomes: Il2epoT@CIiAAM.

This password is long and complex, using letters, numbers and symbols. Yet it's easy to remember because of the originating sentence. The user can speak the sentence in their mind while typing each letter, number or symbol. It foils even smart password crackers because it doesn't contain dictionary words or common character sequences. This scheme can be further customized to enable reusing the same base password with a unique component added for each application or service. The password Il2epoT@CIiAAM. becomes Il2epoT@CIiAAM.4gdc for Google services (at Google dot com) or Il2epoT@CIiAAM.4adc for Amazon, and so on. This ensures unique passwords can be used for every site or service, in case there's a breach.
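The sentence-to-password scheme above, written out as an added worked example (not code from the article or from Black Kilt). It assumes the substitutions the page demonstrates: the whole words "to", "at" and "for" become "2", "@" and "4", every other word contributes its first letter with its original case, and a trailing period on the sentence carries over. The per-site component is my reading of the page's suffixes: the phrase "for <site> dot com", lowercased, reproduces 4gdc for Google and 4adc for Amazon.

```python
"""Mnemonic password scheme from the article, with a per-site suffix."""
import re
from typing import Set

# Whole-word substitutions shown on the page ("to" -> 2, "at" -> @, "for" -> 4).
SUBSTITUTIONS = {"to": "2", "at": "@", "for": "4"}


def mnemonic_password(sentence: str) -> str:
    """First letter of each word, keeping case, with whole-word substitutions."""
    words = re.findall(r"[A-Za-z]+", sentence)
    out = "".join(SUBSTITUTIONS.get(w.lower(), w[0]) for w in words)
    if sentence.rstrip().endswith("."):
        out += "."          # the sentence's final period becomes a symbol
    return out


def site_password(base: str, site: str) -> str:
    """Append a per-site component built the same way (assumed phrasing)."""
    suffix_phrase = f"for {site.lower()} dot com"
    return base + mnemonic_password(suffix_phrase)


def character_classes(password: str) -> Set[str]:
    """Which of lower/upper/digit/symbol the password actually contains."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    sentence = "I like to eat pizza on Tuesdays at Cottage Inn in Ann Arbor Michigan."
    base = mnemonic_password(sentence)
    print(base)                              # Il2epoT@CIiAAM.
    print(site_password(base, "Google"))     # Il2epoT@CIiAAM.4gdc
    print(site_password(base, "Amazon"))     # Il2epoT@CIiAAM.4adc
    print(sorted(character_classes(base)))   # all four classes present
```

The suffix keeps each site's string distinct, which is what limits the damage of a single breach, but anyone holding one leaked password can read the pattern, so this is a fallback; the password manager remains the first recommendation of the section.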

Check out our previous article for more tips on password security.

How Can Black Kilt Help?

At Black Kilt, we practice what we preach. All of our engineers are trained and skilled in the use of password managers and password complexity. We can also perform penetration testing and employ brute force and other smarter tools to see just how strong your passwords really are. We can put together engaging user training to help your users retain the security essentials and put into practice better habits to secure your company. Give us a call to see how we can protect your business.