Generative AI and the risk to passwords

Unless you’ve been living under a rock this past year you’ve probably noticed a significant increase in noise surrounding Artificial Intelligence (AI), and most specifically Generative AI or GenAI. AI has of course been a hot topic for a while but with the latest version of ChatGPT hitting the internet, the technology has been propelled into the public consciousness in a much bigger way.

There continues to be plenty of debate around the ethical, legal, and social implications of AI, but one subject that’s often overlooked is the ramifications for cybersecurity. In this blog, we’ll take a look at what this new wave of ‘Generative’ AI means for passwords, and cybersecurity in general.

What is Generative AI?

First, let’s start with a quick discussion about what exactly we mean by AI, and more specifically, Generative AI.

There are two main types of AI currently available - traditional and generative. Both rely on a foundation of machine learning, which is exactly what it sounds like. It is the process by which an AI learns from data sets in order to become more proficient and make better decisions.

Traditional AI is designed to perform specific tasks, such as data analysis or making recommendations based on what viewers have watched. This type of AI is narrow in scope and only performs within the parameters set for it.

Over time, traditional AI will increase its accuracy and decision-making as it processes more and more data. However, this learning will be restricted within the specific tasks it is being asked to perform and it will not become “smarter” in a traditional sense or across a range of disciplines.

Generative AI, on the other hand, is much broader in scope. It uses machine and deep learning to make more accurate predictions based on the data that it’s fed. With this learning process, Generative AI can create new and original content based on those predictions.

If we take a language model like ChatGPT as an example, the AI is fed data in the form of written words. This could be novels, online articles, or user inputs. From that data, the model can learn in much the same way humans do, learning how language is constructed, and when given a prompt the AI can make predictions about what should come next.

The more data the AI is fed, the better these predictions become and thus, the better the output of the AI until it can write reams of human-sounding text based on very simple guidance. 

Generative AI can crack your passwords!

So, what does this new frontier in AI mean for cybersecurity? Well, it has potentially devastating consequences for passwords as we know them, which is a pretty serious problem given that much of our cybersecurity ecosystem is based around passwords in one form or another.

Cybersecurity experts Home Security Heroes recently ran a study using a password-cracking AI tool called PassGAN to find out how long it takes an AI to crack common passwords. They used data exposed during the RockYou data breach to run over 15,000,000 passwords through the AI.

The results of which were that the AI was able to crack 51% of passwords in less than a minute, 71% fell within a day, and 81% within a week. From this, they were able to make estimates on how long it takes current AI to crack passwords based on their complexity. You can see the list here, as well as finding out how long it would take an AI to crack your password!

As you’ve probably guessed, the longer and more complex the password, the longer it takes for an AI to crack it. At the current level of technology, once you get past a certain threshold of length and complexity, it would take so long for an AI to crack your password that the problem essentially becomes redundant.

However, AI has improved exponentially in the past few months alone, in fact if recent whisperings out of OpenAI are correct we’re fast approaching the Skynet point. It’s impossible to predict how capable these programs will become as they process more and more data and gain more computation power. There is every likelihood that within five years' time, AI will be able to crack even the most complex of passwords almost instantly.

Solving the password problem

It’s been clear for some time that something needs to change in the way we protect our data. Despite many of us knowing the risks of poor password management, a 2021 SpyCloud study observed that 70% of people reused passwords for their personal accounts. In fact, back in 2004 during an RSA Security Conference, Bill Gates commented on how passwords “just don’t meet the challenge for anything you really want to secure”. 

While it’s true that we can leverage AI in our response to cyber threats, bad actors are already using it to commit cybercrimes and the risks are going to remain. What consumers and commerce must consider is preventative steps that can protect against the threats posed in the first instance.

2-factor (2FA) and multi-factor authentication (MFA) have been employed for some time to add extra layers of security to online accounts, the most familiar forms of these being SMS One-Time-Passcodes and email verification links. However, these don’t entirely solve the password problem and have in recent years become increasingly vulnerable to cyberattacks and fraud.

A more useful solution is to simply get rid of passwords, which is exactly what JT and anti-fraud experts Honey Badger have done as part of a new collaboration to create a safer, more secure way to authenticate a user’s identity with a new innovation called Silent Authentication+. 

This new solution leverages the cryptographic technology used by mobile network operators to authenticate subscribers on the network. The technology itself has been around for a while but only recently become available to third parties.

Not only does Silent Authentication+ provide an infinitely more secure alternative to SMS OTPs and email verification links, but also near instant authentication. The result is the delivery of passwordless, friction free authentication experiences across a broad set of use cases from onboarding new customers, user logins, payments, live chat and much more.

Find out more about Silent Authentication+