World Password Day: ChatGPT is not a password manager
Good passwords are the foundation of internet security. Experts recommend using a unique, complex password for every login and online account. As the number of internet accounts steadily increases, this becomes quite a challenge – can modern artificial intelligence (AI) systems like ChatGPT help us invent and manage secure passwords? "It depends," says Arne Allisat, Head of Email Security at mail.com.
How important is a secure password?
Using passwords that are too simple or too short is a risk to the security of personal, sensitive data: attackers can gain access to such things as private photos, important emails and documents, or social media accounts. Even more important than secure passwords is to only use each password for one service. When you use the same password for multiple services, only one of these services needs to be hacked – and then all accounts with this password are at risk. This is particularly dangerous for your email account: if online criminals find out the password, they can simply reset passwords for other services using the "Forgot password" function and gain access there as well.
What makes a password secure?
First and foremost, a secure password is long and complex. This means at least 8, preferably 12 or more characters, and then a mix of uppercase and lowercase letters, numbers, and special characters. This makes it more difficult to crack the password using brute force attacks, or simply by trying different combinations. It is also crucial to avoid personal information such as nicknames or pet names – many people still do this, but if the attacker knows me, they will obviously try such personal data first.
Given these requirements, it seems logical to use an AI tool like ChatGPT to invent and manage passwords. Is this a good option from your perspective?
It depends. AI chatbots like ChatGPT can make password suggestions when you ask them. These systems are trained based on texts and articles from the internet, so they can access and implement common advice for secure passwords. However, when I request a password from ChatGPT, I am also training the AI just by doing so. Through my input alone, the AI learns which of its generated passwords are well-received by the user – and then it may suggest the same passwords to other users with the same question. So, I would definitely advise against simply adopting passwords suggested by ChatGPT. While you can get tips, you should always modify the results.
Do we have to fear that AI tools will be able to crack passwords even more easily in the future?
That is a possibility, yes. If many users have an AI-created password, the AI can provide lists with these prompts, which can then be used for brute force attacks during a hack. In general, I believe people are not worried enough about the passwords they use in their daily lives.
What's a better way to do it?
The number one rule is: each account gets its own, long, and complex password. There is a trick to easily remember secure passwords, the so-called sentence method. Choose a long sentence that you can remember well, take only the first letters of each word, and add a few numbers and special characters. It's easy to remember, relatively complex, and therefore secure.
Can password managers be a solution?
Password managers can be an alternative, but they also have weaknesses. Although such software creates secure passwords using special algorithms, they are initially stored on a single device, such as a computer. If you want to use the same passwords on your phone, they are usually transferred via the cloud, or the online storage of the provider – and thus, they are still stored as a list on the internet. In addition, in an emergency, such as when your phone is lost, you may not have access to your passwords. So, it's better in any case to develop your own secure passwords with a system that allows you to easily remember them.