By Craig Lurey, CTO and Co-Founder, Keeper Security
As Artificial Intelligence–better known as AI–proves to be a revolutionary technology that is already leaving an indelible mark on many aspects of our lives, criminals are actively seeking ways to use that same technology for nefarious purposes. In the world of cybersecurity, we expect a dramatic uptick in malicious actors using AI techniques to attack online accounts and data.
Yet, despite stolen credentials being a leading cause of data breaches, organizations and individuals alike continue to neglect good password hygiene. Keeper Security’s Password Management Report: Unifying Perception with Reality revealed a mere 25% of consumers use a strong and unique password for every account. The consequences of this negligence, compounded with the explosion in AI, grow more dangerous every day.
Today, we are seeing several attack methods for using AI to crack passwords: acoustic side-channel, brute force and dictionary.
Cybercriminals can use AI to analyze the distinct sound patterns produced by keyboard keystrokes in what’s called an acoustic side-channel attack. Each key emits a slightly different sound when pressed, which can be captured and analyzed to determine the character being typed. By processing these sound patterns using AI algorithms, cybercriminals can determine the password being entered and use it to compromise an account. A new study from Cornell University demonstrates this growing risk. The Cornell researchers trained an AI model on audio recordings of people typing, and the AI learned to identify the unique sound that each key makes–with 95% accuracy.
In a brute force attack, AI can be used to automate the arduous process of guessing various password combinations until the correct password is found. This method is particularly effective against weak and short passwords because of the low levels of entropy. With AI, cybercriminals can quickly cycle through an immense number of password combinations, dramatically increasing the speed at which they crack simple passwords.
Dictionary attacks are another popular method of cracking passwords in which a cybercriminal uses common words or phrases to determine a user’s credentials. With the power of AI, these bad actors can automate the process of testing a large list of common words and phrases that are often used as passwords. These lists can include words found in the dictionary, on leaked password databases and even terms specific to a target’s interests.
It’s easy to feel overwhelmed by the cyberthreats posed by AI, and more risks seem to emerge every day. The Password Management Report: Unifying Perception with Reality report further revealed that 64% of respondents are not confident that they are managing their passwords well.
However, following a few best practices can help protect against the cybercriminals that are using AI for their own malicious purposes:
- Create strong, unique passwords for all accounts. Using different, high-strength passwords for all accounts is crucial. This way, if one account is breached through AI, a cybercriminal does not gain access to all of the accounts that use the same password. When it comes to password creation, passwords should be at least 16 characters with a mix of uppercase and lowercase letters, a variety of special characters and a random assortment of numbers. Consider using a passphrase rather than a single word and avoid using guessable information such as familiar names, birthdates and addresses.
- Implement Multi-Factor Authentication (MFA) as an additional layer of security. MFA is a security measure that requires users to provide more than one form of authentication to access a service or application. The idea behind MFA is to create an additional layer of security beyond the traditional username and password, by mandating that users provide additional proof of their identity. Several forms of MFA exist with different levels of protection. Using a hardware device such as a Yubikey offers the best MFA protection, but using a software application such as Google Authenticator or password managers that store TOTP codes are also sufficient. Using SMS is very common but this offers low security due to the risks of SIM swapping and other well known attacks.
- Use a password manager. One of the simplest and most secure ways to protect passwords is by using a dedicated password manager. Specifically, using a password manager shields sensitive data from AI-based password attacks by:
o Aiding users in creating strong passwords that resist common password-cracking methods, including dictionary attacks.
o Providing warnings for weak and reused passwords, thus prompting users to change them, and minimizing the risk of accounts being compromised through password-cracking techniques like brute force attacks.
o Autofilling credentials to safeguard against cybercriminals deciphering passwords through an acoustic side-channel attack.
Passkeys are another great option, although their availability is limited. A passkey is a cryptographic key that allows users to log in to accounts and apps without having to enter a password. Passkeys are simpler to use than many traditional methods of authentication and are phishing-resistant, making it possible for users to log in to supported websites seamlessly and more securely. While passkeys are a long way off from ubiquitous use across the internet, passkey directories offer up-to-date lists of websites and platforms that currently support their use.
The volume and severity of AI-driven cyberattacks has the potential to greatly intensify. Now is the time for everyone to shore up their defenses to protect against existing attack vectors, as well as these new and evolving threats. Adopting password best practices is a critical first step.
