Like the humans in every evil robot movie, most people today vastly underestimate how smart AI can be.
We are already at the point where a reasonable hacking rig can mathematically crack a standard 8-character password in minutes. The old tricks don’t work anymore: AI programs know about our tendency to use numbers to substitute letters, to capitalize the last letter instead of the first, etc., and actually predict these safeguards in their dictionaries. It’s no wonder that passwords are now broken en masse: even major websites like LinkedIn see huge numbers of brute-force password breaking.
To look at how to stop this, let’s look at how it works.
How Passwords Are Cracked
In theory, any password can be cracked with enough tries, like monkeys on typewriters. A program can simply run through billions of passwords until one clicks. With an 8-character password, with capital letters, numbers, and symbols, there are about 6600 trillion possible combinations.
It could take months for a computer to run those combos, but, with modern AI, pattern analysis can greatly narrow these down.
For example, early hackers noticed how common it was to use names as passwords, and built dictionaries of names to help with guesses. Other patterns have made their way in as well. In the LinkedIn hack, over a million passwords were guessed in three hours, including hundreds of thousands that included the word “LinkedIn.” There was no reason to run through trillions of combos, when there are only a few hundred thousand variations on the common patterns.
How to Craft a Stronger Password
The technology right now is based on common patterns. Thus, uncommon patterns, like strings of symbols or wildly varying capitalization, are useful. Non-English characters, like ÿ an ź, accessible through text macros, can work great as well.
However, there is always the danger that the clever pattern you choose will become mainstream and part of the AI dictionaries, so keep yourself educated on the most current common patterns so you can adjust your password accordingly.
Every character you add makes it exponentially more difficult to crack a password. 8-character passwords have 6600 trillion combinations; 20-character passwords have 3500 trillion, trillion, trillion combinations. Often, an AI program will be instructed to give up after trying low-length combinations rather than spend centuries trying to crack a phrase. Phrases are also often easier to remember than complex symbol combinations.
Even the most elaborate password is useless if it can be recovered or changed, through email alerts or personal questions. Make absolutely sure that the answers to your personal questions are not public information. For example, if you post about your pet on Facebook, don’t use your pet’s name to change your password. A good strategy is to develop several strong passwords, and use each as the answer to password recovery questions.