The days of “Password12345” are long gone, but what about something more complex? Most websites and applications now require a certain complexity: a special character, a minimum length and a number, e.g. “Pa$&w0rd12345islong!”. Still, we have all done it: you forget the password to an account, or even to your phone, and you start punching in everything it could be, birthdays, anniversaries, graduation years. In security terms that is password guessing, and when it is done systematically, trying every candidate in turn, it is a brute force attack: a threat actor sits down and simply tries passwords until one works. When cybersecurity was in its infancy, passwords were weak and easily guessed. As password requirements evolved, so did the attacks: brute force matured from manual guessing to automated scripts, for example:
#include <iostream>

int main() {
    const int target = 1234;   // stand-in for the real check; any 4-digit PIN works for the illustration
    const int max = 9999;      // largest 4-digit value in the keyspace
    int guess = 0;
    while (guess <= max) {
        std::cout << "Trying password: " << guess << std::endl;
        if (guess == target) { // condition that the guess is correct
            std::cout << "Password accepted: " << guess << std::endl;
            break;
        }
        guess++;               // next candidate
    }
    return 0;
}
Start at a base value (here 0000) and increment until the password is accepted.
Of course, the cat-and-mouse game continued. Passwords got better, so threat actors began mining personal information about their targets, anything findable on MySpace and Facebook, to narrow the guessing. It has always been a dance of mitigation: with enough time and data, a determined attacker could still find a way into the system they were after.
So, what was the next step for users and security professionals? Failed-attempt limits and captchas. You know the drill: you forget the email password you haven’t used in months until you need it to sign into Netflix, and you are told you have exceeded the number of attempts. Now you are squinting at blurry stairs in a captcha, one corner of a square has a sliver of stair in it, and you have no idea whether that counts. These defenses annoy users, but they hurt attackers more: a guess rate capped at a handful per account per window turns a minutes-long job into years, because the account locks after so many failures. This mitigation was not the end of the story, though. Attempt limits only constrain online guessing; they do nothing against an attacker who gets the password some other way, and computing itself kept advancing, with artificial intelligence (AI) now here and quantum computing on the horizon. Why guess the password at all, when the user can be fooled into just handing it over?
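The following is an added example, not code from the original post: a minimal failed-attempt limit in Python, with the incrementing 0000..9999 attacker from the snippet above replayed against it for one hour of simulated time. The policy numbers (five failures, a fifteen-minute lock), the account name, the PIN and the PBKDF2 round count are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy values are assumptions for this example, not taken from any particular product.
MAX_FAILURES = 5             # wrong guesses tolerated before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long a lock lasts
PBKDF2_ROUNDS = 50_000       # kept low so the example runs quickly; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: each guess costs the attacker PBKDF2_ROUNDS of SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Online-guessing defence: a per-account failure counter with a timed lockout."""

    def __init__(self, clock):
        self.clock = clock        # injectable time source so the example is deterministic and offline
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' (wrong password, counted) or 'locked' (rejected without checking)."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"                     # indistinguishable from a wrong password
        now = self.clock()
        if now < acct.locked_until:
            return "locked"                     # no hashing and no counter change while locked
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "denied"


class FakeClock:
    """Simulated time, so the attacker can 'wait out' lockouts instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def brute_force(guard: LoginGuard, clock: FakeClock, user: str,
                budget_seconds: float = 3600, max_pin: int = 9999) -> dict:
    """The incrementing attacker from the C++ snippet, replayed against the guard.

    Stops when the PIN is found, the keyspace is exhausted, or budget_seconds of simulated time pass.
    """
    guess, calls, evaluated = 0, 0, 0
    while guess <= max_pin and clock.now < budget_seconds:
        calls += 1
        result = guard.login(user, f"{guess:04d}")
        if result == "ok":
            return {"found": f"{guess:04d}", "calls": calls, "evaluated": evaluated + 1}
        if result == "locked":
            clock.now += LOCKOUT_SECONDS        # attacker waits for the lock to expire
            continue                            # and retries the same guess
        evaluated += 1                          # 'denied': this guess was really checked
        guess += 1
    return {"found": None, "calls": calls, "evaluated": evaluated}


def demo() -> dict:
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.register("alice", "7331")             # constructed sample account
    result = brute_force(guard, clock, "alice")
    # Without the lockout the loop tries all 10,000 PINs in moments; with it, only
    # MAX_FAILURES guesses land per LOCKOUT_SECONDS, so the whole space takes this long:
    result["hours_to_exhaust"] = 10_000 / result["evaluated"] if result["evaluated"] else float("inf")
    return result


if __name__ == "__main__":
    print(demo())
```

With these numbers the attacker gets 20 real guesses in the hour (24 calls, four of them rejected unhashed while the account was locked) and would need about 500 hours to walk a 4-digit space that the unthrottled loop covers in seconds. Two details matter in practice: the counter is per account, so an attacker spreading one guess across many accounts (password spraying) needs a separate per-source or per-IP limit, and the lockout blocks the legitimate user too, which is why a short lock or progressive delay is usually preferred to a permanent one.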
Phishing emails have long been the answer to that question. By now we have all heard of the old “Nigerian Prince” emails, laughably written in broken English. The sloppy writing was not what got them past spam filters; it is widely argued that it worked as a filter of its own, discouraging skeptical readers so that only the most credulous replied. Articles from Cybernews, Forbes, ZDNet and Cyber Defense Magazine highlight how AI reimagines these attacks in new and unsettling ways. Researchers have shown that an AI agent can search the web, deduce private information (such as a CEO’s email address from the pattern of a company’s other addresses), and draft a polished phishing email complete with a malicious script it wrote itself after a little prompt engineering.

Source: Symantec
Symantec reported that the AI agent identified O’Brien’s name using only his job title, deduced his private email address by analyzing other Broadcom addresses, and created a PowerShell script. To do so it researched PowerShell online, then installed a text editor plugin on a Google Drive account labeled “IT Support.” Finally, it wrote a convincing phishing email with the script attached and sent it, with no human approval step in between.
AI can connect dots humans miss, spotting patterns across vast datasets to target victims more effectively. The researchers showed how a threat actor can have an AI agent carry out the advanced tactics and techniques of sophisticated phishing and social engineering end to end, making it a powerful and dangerous tool.
Just as brute force gave way to phishing, and as training and awareness around phishing improve, new developments could put brute force back at the top of the food chain. Quantum systems threaten to break today’s public-key encryption, potentially within a decade. Against passwords the picture is different but not comforting: Grover’s algorithm gives a quantum computer only a quadratic speedup over classical guessing, so a hash that costs about 2^n guesses classically costs roughly 2^(n/2) on a quantum machine, halving the effective strength of every password at once. And none of that touches the more common failure: a password is a shared secret that can be phished, reused or leaked no matter how strong it is. Even “Pa$&w0rd12345islong!” only protects you until someone asks for it nicely. We are approaching a point where a password on its own is almost meaningless and a second factor is the baseline for logging in. That does not have to mean answering a text message every time: SMS codes can themselves be phished or intercepted, and phishing-resistant factors such as hardware security keys and passkeys hold up where one-time codes do not. The cat-and-mouse game continues as AI gives attackers speed and polish while quantum looms on the horizon. Stronger passwords gave way to lockouts and captchas, then to MFA; now AI and quantum demand that we rethink everything. As Cybernews puts it, the future of security isn’t just about keeping up, it’s about staying ahead. Because in this dance, the mice are getting smarter, and the cats can’t afford to slow down.