Passwords in the age of AI: We need to find alternatives

For decades, passwords have been our default method for keeping online accounts safe. But in the age of artificial intelligence, this traditional security method is facing challenges it was never built to withstand.

A team at Cybernews conducted a study of over 19 billion newly exposed passwords which showed we’re looking at a “a widespread epidemic of weak password reuse.” It shows that despite years of trying to educate users about the dangers of using weak, lazy passwords, and re-using them across different sites and services, we have hardly made any progress.

But our opponents have. They can use new tools, faster computers, and because of both these developments, they ended up needing less effort for a greater yield. Because our digital presence in life has grown enormously and with that the number of passwords and the importance of the information they can unlock.

Enter AI

Artificial Intelligence (AI)-powered tools are now capable of cracking passwords faster and more efficiently than ever before. What once took days or weeks using brute force can now be accomplished in minutes. Tools like PassGAN (Password Generative Adversarial Network) use deep learning to predict and generate likely passwords based on leaked data sets. Unlike traditional dictionary attacks, AI doesn’t rely solely on existing word lists. AI is able to learn patterns from billions of compromised passwords and create new ones that closely mimic real human behavior.

This represents a huge advantage to the attackers. While a human hacker might guess that someone used their pet’s name followed by the year they were born, an AI can deduce that “Fluffy2023!” is statistically probable based on thousands of other similar combinations. And it can do this millions of times per second.

AI’s password-cracking capabilities are further supercharged by powerful hardware. Graphics processing units (GPUs), which are commonly used in gaming and scientific computing, can now be harnessed to run password-cracking algorithms at scale. Combined with AI, these machines make short work of weak or even moderately complex passwords.

The result is a world where even passwords once considered strong, like for example “Tr33House!” may no longer provide meaningful protection.

Does that make the password obsolete?

Tech companies are already betting on a passwordless future. Passkeys, biometrics, and multi-factor authentication (MFA) are gaining traction. Passkeys, in particular, offer a cryptographic alternative that eliminates the need for users to remember or even create passwords at all. But adoption of passkeys is still in the early stages, and many systems still rely on traditional passwords.

Beyond the technical risks, there are serious personal consequences when passwords are stolen. Due to our widespread online presence, once an attacker obtains your login credentials, they can access sensitive documents, reset other account passwords, or impersonate you online. From there, the path to identity theft is short. Criminals can use stolen data to open credit lines, file fraudulent tax returns, or drain your savings. In many cases, victims don’t even know their identity has been stolen until serious financial or legal damage has already occurred.

In the age of AI, the stakes are higher, and the window of vulnerability is shorter. A single reused or weak password might be all it takes to lose control over your digital identity.

The lesson is clear: we can’t rely on passwords alone anymore. AI has changed the game even further, and now it’s up to us to change how we play it. And as far as passwords go, there are some ways to use them as securely as possible where you have no alternative:

• Make passwords as strong as possible and never reuse passwords.
• Use a password manager to help remember all the passwords.
• Where possible, use MFA as an extra layer.
• Pressure important services into adapting passkeys and use them as soon as the occasion arises.

You can use Malwarebytes’ free Digital Footprint scan to see how many passwords of yours have been included in leaks and data breaches.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.