Passwords Under Attack

AI tools crack passwords in seconds. How password managers can help.

It is increasingly evident that passwords are no longer entirely adequate for securing network resources — research continually reveals that the vast majority of data breaches stem from weak or compromised passwords. In the age of artificial intelligence, passwords are even more vulnerable.

An AI-powered password cracking tool called PassGAN can decipher most common passwords in a matter of seconds, according to a recent report by the cybersecurity research firm Home Security Heroes. Working with a dataset of more than 15 million credentials, the tool cracked 51 percent in less than a minute, 65 percent in less than an hour and 71 percent in less than a day. The firm further noted that PassGAN can crack any seven-character password in six minutes or less, even if it uses a combination of upper- and lower-case letters, numbers and symbols.

With organizations struggling to provide distributed workforces with remote access to network resources, the PassGAN experiment is another reminder of the massive risk created by poor password practices. According to a recent IDC global survey, 83 percent of organizations that have suffered a security breach believe the breach resulted from compromised credentials.

“It’s imperative that organizations put in place a universal and user-friendly solution to enable all their employees to securely access the tools they need to do their jobs, regardless of where that may be,” said Mark Child, Research Manager at IDC. “Security controls need to be transparent and manageable for all users.”

A Better Approach

Password management solutions offer a simple and effective alternative by eliminating the burden on users to create, type, change and remember passwords. Password managers, or password wallets, allow users to create and store unique passwords for all their accounts. Most work by encrypting a list of passwords with a single master password that only the user knows. The best also include a built-in password generator that ensures passwords are complex, difficult to guess and changed frequently.

There are a variety of password managers available, ranging from low-cost and even free consumer-grade solutions to more advanced enterprise-grade solutions with more robust features. They can come in the form of installed software applications, locally accessed hardware devices or as online services accessed via web portals. They are all fairly easy to use.

LastPass, Dashlane, Keeper, Zoho Vault and Bitwarden are among the many password managers with free editions. However, most free versions come with some restrictions. They generally limit the number of passwords that can be stored, the amount of encrypted file storage available and the number of devices that can be used. These free versions are most suitable for individual users rather than company-wide deployment.

The professional editions of these solutions offer more robust features, including AES-256 encryption, salted hashing, two-factor authentication, Active Directory synchronization and identity management. Some offer additional features such as alerting when websites or services have been breached, priority customer service and the ability to change old passwords automatically on certain sites.

Powerful Features

Multi-device syncing is one of the more useful features offered in professional editions. This allows users to work with a single account across office and home desktop computers, laptops, tablets and mobile phones. Any password changes are synchronized to all linked accounts in real time, reducing the time and trouble of submitting help desk reset requests.

The ability to share credentials is another important feature for organizations that allow multiple employees to access online services through company accounts. For example, organizations often set up user groups for cloud services such as Microsoft 365, Salesforce or Webex. A password manager with shared credentials ensures that everyone is kept up to date about password changes.

To further strengthen security, organizations should look for password managers with integrated privileged account management (PAM) features. PAM solutions are designed to protect privileged accounts that have administrator-level access to servers, security systems, network devices, databases, applications and other resources.

Password managers with a PAM module allow organizations to segregate privileged account credentials in a secure, encrypted vault. Beyond secure storage of these credentials, PAM solutions restrict access to the credential vault, automatically rotate passwords when needed, record and monitor privileged session activity for audit and forensics, and enforce least-privilege policies on endpoints.

For years, much of the responsibility for better password practices has fallen squarely on users — create stronger passwords, use unique passwords for every account, change them frequently, and never reuse them, share them or write them down. However, even those practices may be inadequate against AI-powered cracking tools. As threats become more sophisticated, password managers can enhance security by making it easier for users to create complex passwords, encrypt them and sync them across multiple devices.
