Password Security in the Age of AI 

31 May 2023, by Cady

Weak computer passwords are a hallmark of the tech age. Even one of the first computer password systems, MIT’s CTSS, suffered a hefty security breach in its early days when the system displayed every user’s password to anyone who signed in. More recently, the UK’s National Cyber Security Centre (NCSC) published a list of the most common passwords in 2019, including words like “50cent,” “superman,” “ashley,” and even “password”.

Whilst we at Whycatcher use a magic link to avoid password pitfalls, online passwords now guard more sensitive data than ever. And whilst the evolutionary arms race between cyber security and hackers has battled on for decades, a new weapon in the arsenal threatens to change the nature of the fight: generative AI.

Over the past few months, business leaders and politicians alike have had to contend with the staggering advancements of AI. This technology has been used to write movie scripts, ghost-write academic essays, and even help develop fantastic animal puns (as in the case of our recent Pet Day Competition). Now, the cybersecurity company Hive Systems has identified ChatGPT as a new super-speed hacking device.

Hive Systems releases an annual infographic depicting the estimated time it would take a hacker to break a given password. This year, they substituted ChatGPT for their human hacker, speeding up hacking times significantly. That made us at Whycatcher wonder: how safe are our passwords?

We asked some of our friends and colleagues to tell us a bit about how they strategise their passwords, referencing Hive Systems’ infographic on ChatGPT hacking times. Hive Systems rates passwords by complexity and length on a chart estimating the time to crack them, from “instantly” to “79 billion years”. From the infographic we can read off how long it would take ChatGPT to crack their passwords by “brute force”, meaning the common tools and techniques available to and used by most hackers. Here’s what we found.

Most people like to stick to one word or theme, with slight variation. 

Nearly half of our sample rely on the same one to three words to make up the base of their passwords, rotating in numbers and symbols when necessary. Several others based their passwords on a given theme. This echoes the NCSC’s findings, where the word might be a child’s name, such as “ashley”, or a superhero theme might produce “superman”.

“I tend to use the same password for most things – occasionally I will use a symbol too – anything that makes things easy for me to remember!”

(Not a recommended strong password user, ChatGPT brute force within 1 week) 

Some insisted, however, that the word or string of symbols they use is quite safe as it is unguessable. 

“For things where you have to renew your password regularly I tend to use one difficult word that no one else apart from myself would ever come up with, add a couple of symbols here and there, use both upper and lower case letters and then just change the last two digits every time I have to update the password.”

(Recommended strong password user, ChatGPT brute force in over 101 years) 

However, even these users rely on password reuse to some extent, which the NCSC strongly advises against.

Password generators are catching on, but they are still used by a minority.

Roughly a third of participants reported relying on a password generator such as LastPass when available, and nearly half reported using an auto-generated password at least once.

“I use the LastPass password generator which helps me store it automatically in a vault – I never use the same password for different accounts even if super hard to crack.”

(Not a recommended strong password user, ChatGPT brute force in over 101 years)

Despite the clear perks, some are still nervous about adopting any password management technology, as they fear it may complicate their login process.

“Never use password generator – too complicated to remember.”

(Not a recommended strong password user, ChatGPT brute force in over 101 years)

Our passwords held up well against ChatGPT…

Despite the unnerving number of “instantly” hackable password categories in the Hive Systems infographic, our participants reported lengthy hacking times. Over half of the team claimed their passwords would take ChatGPT over 10 years to crack, and just over a third would take over 101 years. No one used “instantly” hackable passwords, though slightly over a quarter could be cracked in less than a week.

…Unless, of course, you factor in password strategy 

Remember the alarmingly high number of “instantly” hackable passwords reported by Hive Systems? Well, according to their infographic, that is the time to hack any password that has been stolen, uses simple words, or is reused across multiple sites – regardless of length and complexity. Given our participants’ reliance on themes, simple words, and reused passwords, it’s likely many of these “strong” passwords are not as reliable as they may seem.
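To show where the chart figures come from, and why they stop applying to a reused or dictionary-based password, here is an added example (not Hive Systems’ method and not Whycatcher’s code). The worst-case brute-force time is simply alphabet size to the power of length, divided by a guess rate; the same estimate collapses to “instantly” the moment the password is built on a common word or already sits in a breach corpus. The guess rate, the word list and the breached hashes are constructed placeholders, and the leet-speak table is an assumption about how people decorate words.

```python
import hashlib

# Constructed assumption: guesses per second of the attacker model. Hive Systems'
# own rate is not given on this page, so this is a placeholder, not their figure.
GUESSES_PER_SECOND = 1e10

# Constructed, deliberately tiny stand-ins for the word lists a cracking tool tries
# before any brute force; real lists hold hundreds of millions of entries.
COMMON_WORDS = {"password", "superman", "ashley", "50cent", "spot", "rex"}

# Constructed sample of breached-password SHA-1 hashes, the shape of a
# have-i-been-pwned style lookup; in practice this is a query, not a set.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2019!", "Rex2017")}

# Assumed substitutions people use to "strengthen" a word (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols and space
    return size


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / rate


def human_time(seconds: float) -> str:
    """Render a duration the way the infographic does ('instantly', '190 years', ...)."""
    for name, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.0f} {name}"
    return "instantly" if seconds < 1 else f"{seconds:,.0f} seconds"


def base_words(pw: str) -> set:
    """Candidate root words: trailing digits/symbols removed, with and without leet undone."""
    stripped = pw.rstrip("0123456789!@#$%^&*").lower()
    return {stripped, stripped.translate(LEET)}


def assess(pw: str) -> dict:
    """Chart-style estimate next to the effective time once known shortcuts are applied."""
    chart = brute_force_seconds(pw)
    if base_words(pw) & COMMON_WORDS:
        reason, effective = "built on a common word", 0.0
    elif hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reason, effective = "found in breach data", 0.0
    else:
        reason, effective = "no shortcut known", chart
    return {"chart_seconds": chart, "effective_seconds": effective, "reason": reason}


if __name__ == "__main__":
    for candidate in ("Spot123", "P@ssw0rd", "Summer2019!", "Xq7!mZ9pL2"):
        r = assess(candidate)
        print(f"{candidate:12} chart: {human_time(r['chart_seconds']):>10}  "
              f"effective: {human_time(r['effective_seconds']):>10}  ({r['reason']})")
```

The point of the two columns is that “Spot123” and “Summer2019!” both look like multi-hour or multi-year jobs on a length-and-complexity chart, yet neither survives the word list and breach lookup that any cracking run performs before it brute-forces anything.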

“I have one particular complex password that I use across a number of platforms.”

(Not a recommended strong password user, ChatGPT brute force within 1 hour, probably instantly)

What are we at Whycatcher doing? 

Those who use Whycatcher know that we do things slightly differently. Bill Gates predicted the demise of the password over 15 years ago, and we couldn’t agree more. Our platform relies on a magic link security system, which bypasses some of the pitfalls of passwords by emailing a time-sensitive link to our users. Of course, we recognise that many email accounts still rely purely on password logins. However, a fast-growing number of email providers require multi-factor authentication (MFA) in addition to the password. This might take the form of a unique, time-sensitive passcode sent to your email or mobile, or a randomly generated code within a mobile authenticator app that itself requires biometric authentication such as facial recognition or a fingerprint.
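The time-sensitive link described above, written out as an added example rather than Whycatcher’s implementation: the server signs a token carrying the address, an expiry and a one-time nonce, so a link can’t be forged, can’t be used after its window, and can’t be replayed once consumed. The signing key, the ten-minute lifetime and the in-memory store of used nonces are assumptions standing in for a secrets store and a database table.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed assumptions: a server-side signing key loaded at start-up and a
# 10-minute link lifetime. Neither value is from the page.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 600

# Stand-in for a database table of links that have already been consumed.
_consumed_nonces: Set[str] = set()


def b64url_encode(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token sits cleanly inside a link."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_magic_link(email: str, now: Optional[int] = None) -> str:
    """Create the signed, time-limited, single-use token that goes into the emailed link."""
    if "|" in email:  # the separator below must not appear in the address
        raise ValueError("unsupported address")
    now = int(time.time()) if now is None else now
    expiry = now + LINK_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)  # unpredictable per-link value for replay detection
    payload = f"{email}|{expiry}|{nonce}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(tag)}"


def verify_magic_link(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (True, email) when the link is genuine, unexpired and unused; else (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head, tail = token.split(".")
        payload, tag = b64url_decode(head), b64url_decode(tail)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    # Only an authentic payload reaches this point, so the split is safe.
    email, expiry, nonce = payload.decode().split("|")
    if now > int(expiry):
        return False, "expired"
    if nonce in _consumed_nonces:
        return False, "already used"
    _consumed_nonces.add(nonce)  # burn the link on first successful use
    return True, email


if __name__ == "__main__":
    link = issue_magic_link("user@example.com")
    print("first click :", verify_magic_link(link))
    print("second click:", verify_magic_link(link))
```

The order of the checks matters: the signature is verified before anything in the payload is trusted, so a tampered expiry or address is rejected as “bad signature” rather than being parsed, and the nonce is only recorded as consumed after every other check has passed.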

And for your other passwords?

Well, it might be time to let Rex stay a dog, and fully out of your tech security strategy. The future is a bleak place for weak passwords, and let’s face it – losing all your information over “Spot123” is a rough way to go.

If you’d like to learn more about Whycatcher, get in touch here.

Written by

Cady works in the research and marketing teams at Whycatcher. She moved to the UK from her home in Brooklyn, NY in 2017, and completed her BA in English and Philosophy from The University of St Andrews in 2021.

Cady is an avid outdoorsman in her free time, and has backpacked over 300 miles of the New England wilderness. She can also wiggle her ears.