How AI makes password-based authentication even weaker (and what to do about it)

Passwords have long been the first line of defense for securing digital accounts and protecting sensitive information. And while it's no surprise that passwords are vulnerable to attacks, AI makes password-based authentication even weaker.

On one hand, AI is helping us create more robust systems to protect sensitive data. On the other hand, it’s also being used by malicious actors to exploit weaknesses in password practices.

So, how exactly can we strike a balance between using AI to enhance our security while safeguarding ourselves against its potential pitfalls? Understanding the vulnerabilities AI exposes in password security can help you better protect access to your organization's sensitive data.

The benefits of AI for password security

First, let's look at how recent advances in AI do benefit password security. Here are a few of the most important:

Password strength assessment

AI algorithms evaluate password strength in real-time, identifying weak and easy-to-guess passwords.

Benefit: IT teams can enforce stronger password policies and reduce the risk of unauthorized access.

Behavioral authentication

AI analyzes user behavior patterns like keystroke dynamics and mouse movements for continuous authentication.

Benefit: Adds a dynamic layer of security beyond static passwords. This helps to detect anomalies and thwart unauthorized access attempts.

Anomaly detection

AI monitors login activity and flags unusual behavior, such as logins from unfamiliar locations or at odd times.

Benefit: Early detection of potential breaches which enables quick response to security threats.

Multi-factor authentication (MFA)

AI enhances MFA by intelligently adapting authentication methods based on risk levels.

Benefit: Streamlined yet robust authentication processes that adapt to security needs.

Password recovery automation

AI-driven chatbots and self-service portals simplify password recovery and reset procedures.

Benefit: Reduces IT helpdesk workload while maintaining security protocols.

The dark side of AI in password attacks

Clearly, the benefits are real. Yet one question looms large: Are we the only ones benefiting from AI's prowess in password security? Regrettably, the answer is “no.” Cybercriminals, ever resourceful and adaptive, have harnessed the power of AI to develop devastating password attacks.

So, how exactly are hackers using AI to crack passwords more efficiently?

Brute force attacks

One of the most common attack methods is brute-forcing, where a specialized program tests different combinations of letters, numbers, and symbols at a speed far beyond human capabilities.

With AI-driven brute-force attacks, hackers can attempt millions of possible passwords per minute. As you can tell, these AI-powered tools let cybercriminals exploit the weaknesses in password complexity. Thus the pressing need for stronger password practices.

Dictionary attacks

Another technique hackers use is the dictionary attack. In a dictionary attack, hackers rely on a list of everyday words, phrases, and their variations in the hope that your password is something simple, like a common word or a password people often use on different websites. It works especially well against passwords that are just regular words, like 'cowboys' or 'longhorns.'

A brute force attack systematically tries all possible combinations of characters, while a dictionary attack uses a systematic approach and predefined list of common words to guess passwords more efficiently.

AI vs. traditional password security

To make better cybersecurity decisions, it’s important to understand the differences between AI-driven security and traditional password-based authentication.

Authentication accuracy

• AI-driven security: Uses biometric data and behavioral analysis. For example, facial recognition systems like Apple's Face ID analyze unique facial features (actually thousands of invisible dots) to grant access. Biometrics aren’t fool proof, but they do require a certain level of sophistication from hackers.

• Traditional passwords: Rely solely on alphanumeric combinations, making them susceptible to brute force attacks. Weak passwords like "password1", "q1w2e3r4", or "qwertyuiop" are easy for even novice hackers to crack.

Threat detection

• AI-driven security: Employs real-time anomaly detection. If AI detects an unusual login from a location a user has never visited before, it raises a flag for investigation.

• Traditional passwords: Typically rely on historical data or manual reviews. Detecting unauthorized access in real-time is challenging.

Password complexity

• AI-driven security: Enforces strong password policies and detects password-related vulnerabilities. AI can identify and prompt users to change passwords like "Password1" due to its predictability.

• Traditional passwords: Users can select easily guessable passwords, leaving systems vulnerable to dictionary attacks. An AI-powered system can quickly identify and exploit a password like "summer2023."

Vulnerability to AI attacks

• AI-driven security: While advanced, AI can be susceptible to adversarial attacks. For example, AI models can be tricked into misclassifying legitimate users, allowing unauthorized access.

• Traditional passwords: Prone to brute force attacks and dictionary attacks, both of which AI can execute with greater efficiency.

User experience

• AI-driven security: Offers a smoother user experience, incorporating multi-factor authentication seamlessly. For example, users may simply glance at their phone to unlock it using facial recognition.

• Traditional passwords: Users often encounter complex password requirements and frequent resets, leading to user frustration.

Addressing the risks and challenges

An AI password cracker, PassGAN, can break 51% of common passwords in just a minute.

For threat actors, figures like those mean Business At Scale is here.

For IT teams everywhere, those numbers mean two things:

1. Passwords are really really not secure (but you knew that), and

2. AI makes it even more likely that any weak passwords will be compromised (and soon).

Here are some steps to take to mitigate these challenges:

#1: Never stop enhancing password policies

• Regularly update and strengthen password policies to ensure they align with evolving threats.

• Enforce complex password requirements, encourage multi-factor authentication (MFA), and educate users about password hygiene.

#2: Use AI-powered intrusion detection

• Implement AI-driven intrusion detection systems that can quickly identify unusual login behavior.

• Establish automated alert mechanisms for immediate response to suspicious activities.

#3: Secure passwords with hashing and salting

• Store passwords securely using strong cryptographic techniques like hashing and salting.

#4: Provide user training and awareness

• Conduct regular cybersecurity awareness training for employees and emphasize the risks of AI-powered attacks.

• Encourage employees to use password managers and enable multi-factor authentication (MFA) whenever possible.

#5: Use AI in penetration testing

• Use AI in penetration testing to identify vulnerabilities while reducing the need for human intervention, making the process more efficient and less labor-intensive.

• AI-powered systems can analyze large datasets to detect vulnerabilities accurately, minimizing false positives and negatives in test results.

#6: Develop comprehensive incident response plans

• Lastly, develop comprehensive incident response plans that specifically address AI-driven attacks since traditional incident response guidance is a starting point.

Why AI makes login security more important than ever

So, The logon is the point of access to sensitive digital resources and data. Traditionally, logon security relied on password-based authentication. And while we've long known the need to go beyond password security, AI only emphasizes the point. With MFA adoption still low, the way AI exploits password vulnerabilities makes organizations more susceptible to cyber threats than ever before.

Now more than ever, it's important to bolster user authentication with additional layers of verification, such as two-factor authentication (2FA).

2FA adds an extra step beyond the traditional username and password, requiring users to provide a second factor of identification. This second factor can be something you know, something you are, or something you do.

Bottom line: AI makes it more likely your organization will experience a password breach. If you don't have additional security beyond the password, you'll find yourself dealing with all the negative consequences of a data breach:

Financial ramifications and legal consequences

First, ignoring password security can lead to big financial losses. The financial fallout from a data breach includes fines, legal fees, and the costs of rebuilding customer trust.

Remember, Target Corp agreed to pay $39 million to address claims made by banks in connection with their 2013 data breach. And that's just one example among many.

Loss of intellectual property

For many organizations, a lapse in password security also puts proprietary processes and intellectual property at risk. A breach can not only undermine competitivity, but can also lead to competitors or malicious actors directly copying proprietary technology.

For example, Equifax, one of the largest credit reporting agencies, experienced a breach in 2017 that exposed the personal and financial data of approximately 147 million individuals. This breach not only resulted in the loss of sensitive customer information but also put Equifax's proprietary credit reporting algorithms and intellectual property at risk.

Operational disruption

Of course, successful attacks also can disrupt an organization's operations, causing downtime. And, as we all know, the inability to access critical systems following a password compromise impacts day-to-day business operations in a big way.

For example, look no further than the 2017 WannaCry ransomware attack. It brought business worldwide to a screeching halt, including critical services at the U.K.'s National Health Service (NHS),where the attack encrypted computers and disrupted hospital operations, leading to canceled appointments.