A report by Home Security Heroes on how fast AI can crack your passwords was recently released. Purportedly, using AI, 51 percent of passwords from the RockYou dataset, which comprises 15.68 million common passwords, were cracked in under one minute, with an additional 20 percent cracked in under a day.
On the same website, you will notice a form that allows you to check the strength of your password. As of the time of my writing, you can safely use the current version of the page to test passwords, because I have validated that it uses a client-side script to process the type of character sets I use and length of password. As a precautionary measure, I also disabled my network connectivity when testing. For an extra dose of caution, you may simply wish to test a different password, but with the same formatting you relied upon and length, just in case the page has been modified since.
Granted that most password policies require passwords to be changed at least every 90 days, therefore, if you reverse engineer the script’s algorithm, for AI to take longer than that to crack your password, it will need 18 characters for numbers only, 13 characters for lowercase letters only, 11 characters for a mix of lower and upper case letters, 10 characters for alphanumeric with upper and lowercase and, finally, 10 characters for alphanumeric with upper and lower case plus symbols.
The findings are not entirely surprising. Without doubt, multi-factor authentication (MFA) comes to mind as the solution to password cracking. However, it is more complicated than that. Not all MFA is built to the same level of security. If we refer to the Consumer Authentication Strength Maturity Model (CASMM) v6, the adoption of passwordless authentication is at the highest level of maturity of 8 with the least vulnerability exposures, whereas the use of SMS-based 2FA codes aligns with a maturity level of 5 and is vulnerable to phishing, man-in-the-middle (MiTM) and SIM-swapping/cloning attacks.
From a risk-based, ideal user experience and business-enabling approach, rather than requiring users to create a lengthy and difficult to remember password and requiring passwords to be changed regularly at 90-days intervals, a near friction-less approach like passwordless is most desirable, maintaining strong security while not requiring the use of passwords at all. If keyboard entry of passwords and OTPs are not required, the risk of stolen credentials due to falling prey to phishing is eliminated. Having said that, the passwordless enrollment process must be robust. If the enrollment process degrades to a weaker form of authentication that can be compromised, it becomes a backdoor for the hacker to enroll their own biometrics to be trusted.
How can you ensure sound authentication?
The following is one approach comprised of nine steps to ensure a sound authentication process:
- Perform a system impact assessment.
- Determine the criticality and sensitivity of the asset.
- Perform adequate threat modeling to determine the extent of exposure to credential attacks.
- Determine the risk appetite and residual risk level that can be tolerated for this asset.
- Determine the authentication strength maturity to be matched to the residual risk tolerated.
- Design a robust enrollment process for the implemented authentication mechanism.
- Perform adequate testing against both the enrollment process and authentication mechanism.
- Re-visit the robustness of enrollment and authentication mechanisms based on fresh intelligence on new threats and tactics.
- Rinse and repeat.
In fact, the bright side of AI can be utilized in adaptive authentication. AI can reinforce or elevate the strength of existing authentication measures dynamically based on telemetry information and apply an increased amount of authentication where a high-risk situation warrants—for instance, applying triple-factor authentication and limiting access to who you are (i.e. biometrics), what you have (i.e. your mobile device) and where you are (i.e. GPS location).
Unfortunately, no authentication technology works stand-alone. It must be supplemented by adequate user awareness training on the user enrollment process, on utilizing the authentication mechanism correctly, and understanding that an authentication mechanism, even with triple-factor authentication, is not invulnerable, so it is important to watch out for the vulnerability exposures that are specific to the chosen mechanism.
AI and zero trust working in tandem
If we take a step back to design a layered defense approach, robust strong authentication is just one part of the holistic cybersecurity approach. For an entire security architecture to work effectively, zero trust must be integrated into the whole equation. To that end, there are two additional aspects—attestation and assumed breach—beyond simply authentication. AI helps in both these areas.
In this new cybersecurity normal, breaches are inevitable. This widely accepted truth also means that it is not so much a matter of getting breached as it is a matter of having a rapid detection, containment and recovery so that significant business impact is not felt and cyber resilience is sustained after a breach.
Assumed breach requires the continual upkeeping and ingestion of cyber threat intelligence so that new IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures) can be utilized to update the protective and detective measures to limit the blast radius of any successful attacks and to detect early for prompt containment. Therefore, AI again, beyond adaptive authentication, can be used in this third aspect of zero trust.
In summary, AI is a double-edged sword. While hackers have used AI for nefarious purposes, it can also be used by blue teams to protect assets. This credential hacking threat requires renewed attention with the boost from AI. However, defenders can most certainly fight fire with fire. Therefore, include credential hacking techniques into the threat modeling process and elevate control measures accordingly with the support of AI to counter such techniques effectively – not only in the authentication process but also in the automation of cyber threat intelligence ingestion, incident containment and response as part of zero trust’s assumed breach, and much more.
Editor’s note: Learn more about AI through ISACA’s AI Fundamentals Certificate.