81% of data breaches leverage a stolen or weak password. Artificial intelligence and machine learning are making it easier for criminals to identify these passwords quickly, putting your business at risk.
Up until recently, many businesses have been able to prevent traditional “brute force” attacks by detecting and rejecting them. But artificial intelligence and machine learning technology are now creating a vastly new playing field. With over 50% of U.S. businesses experiencing a cyber attack in the last year, it’s important for you to invest in updating the password policies for every employee (access point) in your organization.
Data Breaches, Artificial Intelligence, and Machine Learning
In the past, password cracking was generally a fairly rudimentary process. The most popular method of cracking a password was called “brute force.”
Basic brute force programs would simply try all combinations in succession: 1111, 1112, 1113, 1114, etc. This worked because passwords were, in general, extremely short. More advanced brute force programs were developed and they instead used “dictionary attacks,” trying common words to crack a password.
However, criminals are constantly improving their tools.
As traditional brute force methods began to fail, criminals began to use iterations of dictionary words rather than simply trying random words. For instance, they might try password, p4ssword, and p4$$word. This was more effective, but still presented some challenges.
Machine learning and artificial intelligence has taken this theory much further.
New technologies such as PassGAN (Password Generative Adversarial Networks) can learn from already leaked passwords to identify passwords that are likely in use. This can then be used to penetrate a system.
But how does machine learning work? Machine learning takes a sample of data, identifies patterns, and then predicts additional information based on that data. This is a form of artificial intelligence. The larger its sample of data, the more accurate it will be. This also means that machine learning algorithms gradually get smarter as they are trained.
Experiments with PassGAN were able to match nearly 47% of all leaked user passwords from a previous breach.
Experiments with PassGAN were able to match nearly 47% of user passwords from a testing set comprised of real user passwords that were publicly leaked in a previous data breach. In combination with the leading existing password cracking software (named HashCat), PassGAN was 24% more accurate than HashCat was on its own.
With this level of accuracy and effectiveness, criminal attackers could break into large systems fairly easily. This is especially true if they already have username information available.
Protecting Against Advances in Password-Cracking Artificial Intelligence
Artificially intelligent algorithms that have been trained with machine learning will work to predict passwords based on prior experience.
But this reveals a subtle flaw in the strategy: it only works when passwords can be predicted.
Businesses are most at risk when employees are protecting sensitive company or customer information with weak or reused passwords.
At the other end of the spectrum, a truly random password is not going to be cracked in this way. Regardless of the amount of information the machine learns from, it will never be able to accurately predict a random password.
Of course, the complexity of the passwords themselves isn’t the only concern. Employee negligence accounts for a significant number of data breaches. Employees may share passwords or store them in plain text; they may send them through email, save them to a text document, or simply write them on a notepad and leave them on their desk. These passwords are ripe for the picking.
“About 80% of all the breaches we service have a root cause in some type of employee negligence.”
– Michael Bruemmer, VP of Experian Data Breach Resolution
Businesses can protect against both of these major threats through the use of utilities such as a password manager. Password managers have several major, distinct advantages:
- Generating truly unique passwords: When passwords are generated that are unique and complex, artificial intelligence and machine learning cannot be used to predict them. Generating unique, complex passwords is one of the easiest and best defenses against these new technologies.
- Remembering passwords for employees: Employees often find themselves writing down or saving their passwords in plain text when they cannot remember them. This places most businesses in a catch-22; the more complex a password is, the more likely the password is to be compromised. Companies that utilize password managers can sidestep this issue.
- Eliminating password reuse: Businesses that have multiple logins and authentication systems often find that their employees use the same passwords everywhere. This means that the breach of one system may lead to the breach of another. A password manager can create and store unique passwords for each of these platforms, and employees only need to remember one complex master password.
A password manager is able to protect employees from their own negligent actions, in addition to making it easier for them to authenticate their identities and complete their work. Overall, this doesn’t just improve upon a company’s security, but also provides a more productive environment.
As password cracking utilities further improve, it becomes even more critical for businesses to protect their data and their assets. Password managers are your best bet at changing employee behavior with regards to the weak, reused passwords that currently protect your company and customer information.
As strategies change, password managers can develop even more sophisticated methods of generating truly random passwords, and can also increase the complexity of these passwords — all without forcing employees to memorize or store these passwords on their own. Either way, businesses must work now to create proactive strategies against these growing threats.
Interested in a business password manager to aid your organization in eliminating password reuse? Check out Dashlane Business, trusted by over 7,000 businesses worldwide, and lauded by businesses big and small for its effectiveness in changing security behavior and simplicity of design that enables full company adoption.