There’s no denying Artificial Intelligence (AI) is the hot topic in information security right now with discussions ranging from the implications for malware development to its uses to improve defenses to how it can plan out your weekly meals. AI will undoubtedly shape the future of information security in countless ways over the next few years; although, we’d like to take a moment and examine what it means to password security right now. Several tools based around Large Language Models and Generative Adversarial Networks have drawn attention in the press as they demonstrate capabilities in both password generation and password cracking. Some models also claim to be able to crack relatively simple passwords very quickly and lead to the narrative that AI can crack your passwords and that it is changing password security in a drastic way.
Do I Need to Worry?
The truth, however, is currently less frightening. First of all, AI-driven password cracking has been around for a few years. While awareness of the technology may have rapidly grown over the last few months, the tech (and capabilities) of these AI-driven password crackers have not. Further, as Dan Goodin at
Ars Technica explained, AI-driven password crackers perform marginally better than many existing password cracking tools. And while there are some scary statistics around how quickly they could crack relatively simple passwords, the same is true for non-AI crackers as well.
When you examine the time required to crack more complex passwords that leverage upper- and lower-case letters, numbers, and symbols (the kinds recommended and generated by LastPass and the information security community), things come into perspective. An 18-character password created using the parameters above would require 6 quintillion years
to be cracked with today’s technology. In short, these AI-driven cracks represent an evolutionary, vice revolutionary, change in the existing toolset available to crack complex passwords for the time being. Advancements will inevitably change the threat picture and increase the speed and capabilities of these crackers, but there are steps you can take to protect yourself now and in the future.
What Can I Do?
To begin with, following the basic recommendations provided by
NIST. With LastPass, you can easily implement these recommendations by creating passwords up to 64 characters in length and selecting the composition of the password to include any combination of letters, numbers, and symbols. This capability allows you to quickly and easily create passwords that would be safe for a cosmological era or two against current cracking technologies.
To protect yourself and your data even further, you can move to passwordless authentication. LastPass can help you make this shift as we move to support passkeys in alignment with
FIDO2 authentication standards. These standards create secure and unique cryptographic keys linked to a physical device and biometrics or local PINs. These keys are based on public key cryptography and are by design unique to each account or site you access. The removal of passwords from the process entirely, combined with the use of pubic and private keys, means there would be no more passwords to crack. Which means you could outsmart AI in its efforts to take over your accounts.
