How long have you heard the warnings about choosing good passwords? Years? Decades? How’s that working out for you, password1234? We all know we should be careful, but as the most common passwords show, most people haven’t gotten the memo. And really, having a slew of unique passwords at the ready—with uppercase and lowercase and numbers and special characters, oh, my—is honestly exhausting. No wonder many of us lean on some old standbys.
But the internet is rife with bad actors and scams, so it’s more important than ever to secure your online accounts with strong passwords. Unfortunately, with the sheer number of online accounts we have these days, our passwords pile up and become difficult to manage. It’s tempting to use simple, easy-to-remember passwords, or you might even ask your favorite AI chatbot for help. But a new report from cybersecurity firm Irregular suggests that might be a very bad idea.
Read on to see why you shouldn’t rely on AI for help with your online security and get tips for actually creating a good password.
How did researchers test AI-generated passwords?
The team at Irregular tasked three popular large language models (LLMs)—ChatGPT, Google Gemini and Claude—with creating 16-character passwords featuring numbers, letters and special characters. Researchers then compared these outputs with passwords created by standard random-password generators to expose any flaws of the AI-generated passwords.
What’s so bad about asking AI to generate your passwords?
At a glance, the passwords the LLMs created looked secure, much like those that a password generator might spit out. But that’s exactly where the problems arose: Although the AI-generated passwords appeared to be complex and safe to use for securing online accounts, they were actually quite predictable upon closer inspection. All three LLMs exhibited clearly identifiable patterns in how they created these passwords.
These patterns included repeated character strings, predictable password structure, frequent reuse of similar characters, clear biases toward certain numbers and letters, and even duplicate passwords in some cases. Although the AI-generated passwords looked random, they really weren’t. This could easily create a false sense of security if you were to use these predictable passwords for your online accounts.
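The kinds of patterns listed above can be measured on any batch of generated passwords. The following is an added example, not code from the article or from Irregular's report: `patterned_batch` is a constructed stand-in for output with a fixed structure and a few favourite characters (it is not real chatbot output), and it is compared with passwords drawn from the operating system's cryptographic random source.

```python
import math
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def csprng_batch(n, length=16):
    """Passwords drawn uniformly from ALPHABET with the OS CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]

def patterned_batch(n, length=16, seed=1):
    """Constructed sample: fixed structure and a narrow set of favourite characters."""
    rng = random.Random(seed)  # seeded only so the demonstration is repeatable
    out = []
    for _ in range(n):
        body = "".join(rng.choice("aeKpQxz379") for _ in range(length - 3))
        out.append(rng.choice("GKX") + body + rng.choice("37") + rng.choice("!#"))
    return out

def duplicate_count(batch):
    """Number of passwords that repeat an earlier one in the batch."""
    return len(batch) - len(set(batch))

def positional_min_entropy(batch):
    """Per-position estimate in bits: -log2(share of the most common character)."""
    bits = []
    for column in zip(*batch):  # one column per character position
        top = Counter(column).most_common(1)[0][1]
        bits.append(-math.log2(top / len(column)))
    return bits

def report(batch):
    """Summarise duplicates, character variety and a rough entropy estimate."""
    return {
        "duplicates": duplicate_count(batch),
        "distinct_chars": len(set("".join(batch))),
        "est_bits": round(sum(positional_min_entropy(batch)), 1),
    }

if __name__ == "__main__":
    print("patterned:", report(patterned_batch(500)))
    print("csprng:   ", report(csprng_batch(500)))
    print("ideal bits, 16 uniform characters:", round(16 * math.log2(len(ALPHABET)), 1))
```

The estimate from a finite sample comes out below the ideal figure even for the truly random batch, so compare the two batches with each other rather than with the ideal.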
Just how much of a security risk are AI passwords?

They’re a big risk, and here’s why: True password security depends on randomness. But unlike a standard password generator, AI isn’t designed to create randomness—it predicts patterns.
This is actually baked into how these LLMs are designed to think and learn. And because they’re prediction machines, when they were asked to generate random passwords, the AI chatbots created (or rather, predicted) what they thought “typical” random passwords would look like. But they weren’t random at all.
And your password doesn’t need to be an easily identifiable word, phrase or character string (such as a birth date) for a hacker to crack it. Today’s hackers can use technology-assisted methods such as brute-force attacks to enter thousands of “guesses” in seconds. All they need for such an attack to be successful is for your password to feature predictable patterns—which is exactly what these AI-generated passwords did.
Attackers can even use LLMs to generate passwords just to analyze them for patterns and structures they can then use to train their own brute-force software. And you can be sure that hackers are well aware that people are relying more and more on AI chatbots in their day-to-day lives and will take advantage of this when developing new tactics for cybercrime.
What’s a more secure way to come up with a password?
Just because AI isn’t very good at coming up with secure passwords doesn’t mean there aren’t other ways. Before you go back to using your kids’ names and birthdays for your passwords, consider these methods to come up with passwords that will keep your accounts safe from prying eyes.
Use a password manager
One easy way is to use a good free password manager like 1Password or NordPass. These apps are purpose-built to create strong, unique passwords for all of your accounts and also keep them organized for you (even across different devices) so you don’t have to keep track of them all yourself.
Unlike AI chatbots, password managers can create genuine randomness. Every password is generated from scratch using modern cryptography, making them much more secure than AI-generated passwords.
Use passkeys whenever you can
Passkeys are arguably even better than passwords—even ones generated using a password manager. Passkeys use device-based authentication, which means your identity is verified by your device itself, not a typed password. This is much harder for hackers to break. For starters, a hacker can’t guess your passkey; they need access to your device to bypass it. Furthermore, passkeys are resistant to phishing attacks because you can’t really give a passkey away like you can a password.
Many modern devices, such as iPhones, Android phones and laptops, have passkey systems already built in. Apple’s Face ID and Windows Hello are two examples. Online services, especially those run by banks and other financial institutions, are increasingly requiring passkeys over passwords as well. The reason is simple: They’re harder to hack.
Use a long passphrase
When you need a password you can remember and a passkey isn’t an option, consider using a long passphrase rather than a string of characters. Note that the term phrase doesn’t mean this should be a common sentence or something else that’s easy to remember, as “easy to remember” often means “easy to guess.”
Instead, a secure passphrase should be made of random words strung together. The length increases security dramatically, as more characters make your passphrase much harder for brute-force attackers to guess. However, since it’s made of words rather than random characters, it’s still something you can memorize. Just remember: The passphrase must be random words, not a quote from your favorite book or movie!
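Both the password-manager approach and the random-word passphrase come down to drawing every symbol from a cryptographic random source. The following is an added example, not code from the article or from any password manager: the 32-word list is constructed so the code runs offline, and the 7,776-word figure is an assumption based on the size of dice-based word lists.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed 32-word list so the example runs offline; real lists hold thousands of words.
WORDS = ("amber anchor basil canyon cedar comet dune ember falcon fjord garnet harbor "
         "iris jasper kelp lantern maple nectar onyx pebble quartz raven saffron tundra "
         "umber velvet walnut xenon yarrow zephyr birch cobalt").split()

def random_password(length=16):
    """Uniform draw from ALPHABET, redrawn until every character class is present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate

def random_passphrase(n_words=6, words=WORDS, sep="-"):
    """Each word is an independent uniform draw, so a word may repeat."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def password_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of `length` uniform characters (before the class check)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words, list_size):
    """Entropy in bits of n_words uniform draws from a list of list_size words."""
    return n_words * math.log2(list_size)

def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print(random_password(), f"{password_bits(16):.1f} bits")
    print(random_passphrase(), f"{passphrase_bits(6, len(WORDS)):.1f} bits with this tiny list")
    print("6 words from a 7,776-word list:", f"{passphrase_bits(6, 7776):.1f} bits")
    print("words needed for 80 bits from 7,776 words:", words_needed(80, 7776))
```

The strength of a passphrase comes from the size of the list and the number of words drawn, which is why the 32-word demonstration list is far too small for real use.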
Use multifactor authentication
This isn’t directly related to having strong passwords, but multifactor authentication (MFA), or two-factor authentication, is an additional and increasingly necessary way to secure your accounts. MFA works by requiring additional verification when you try to log into an account with your password.
If you’ve ever logged in to something and then received a text message or email with a code to verify your login, you’ve used multifactor authentication. Along with SMS messages, MFA can require things like a third-party authenticator app or a hardware key, which you must use alongside your password to complete your login.
When combined with a strong, secure password, MFA adds a very robust layer of security that makes it much more difficult for bad actors to gain access to your accounts.
Why trust us
Reader’s Digest has published hundreds of articles on personal technology, arming readers with the knowledge to protect themselves against cybersecurity threats and internet scams as well as revealing the best tips, tricks and shortcuts for computers, cellphones, apps, texting, social media and more. For this piece, Lucas Coll tapped his experience as a tech journalist to ensure that all information is accurate and offers the best possible advice to readers. We rely on credentialed experts with personal experience and know-how as well as primary sources including tech companies, professional organizations and academic institutions. We verify all facts and data and revisit them over time to ensure they remain accurate and up to date. Read more about our team, our contributors and our editorial policies.
Source:
- Irregular: “Vibe Password Generation: Predictable by Design”
The post Warning: Your AI-Generated Password Is a Major Security Risk. Here’s What to Use Instead appeared first on Reader's Digest.