Artificial intelligence can be tricked into making password-based authentication even weaker.

6 Min Read
TikTok logo on a phone screen
Source: Aleksey Zotov via Alamy Stock Photo

Have you ever thought of what George Washington's hypothetical TikTok password might be? It's a strange question, but a useful one. Why? Because George Washington can be replaced with anyone a hacker is targeting for impersonation on any platform. And artificial intelligence can help them. The chatbot ChatGPT was recently asked to come up with George Washington's TikTok password as a proof of concept.

Note: This article describes an experiment that was done for research purposes only, to raise awareness of how weak password-based authentication is, and how AI weakens it even more. It does not allow anyone to use the technique described to perform any illegal activity nor gain unauthorized access to different accounts.

What Is ChatGPT?

ChatGPT is an AI chatbot developed by OpenAI. It's trained to follow an instruction in a prompt and provide a detailed response, and anyone can ask it to complete various creative tasks — even to guess what George Washington's password would be if he had a TikTok account.

What Is a Password List?

A password list is a list of passwords that are commonly used. It can be either a generic list that can help with guessing anyone's password, or a customized list for a specific person, celebrity, or platform. This list can then be used to crack credentials using a dictionary attack and lead to identity theft and impersonation. The task of generating this list can be done by AI engines with great efficiency.

Let's hypothetically consider how ChatGPT could be used to generate a password list for George Washington's TikTok account. To start, we would need a data set of passwords that are commonly used by individuals, including historical figures like George Washington. This data set would then be used to train ChatGPT, allowing the model to learn patterns and generate new passwords that are similar in structure and complexity. Examples could include phrases or words from his famous speeches or quotes, historical events, or personal information such as his name or birthdate. Some potential password examples could be:

  • Icannottellalie1776!

  • 1stPresOfUS

  • ValleyForge1778

  • GWbirthday0222

So, Can ChatGPT Help Anyone Generate a Password List?

The creators of ChatGPT and other AI chatbots don't want them to be used for malicious activities such as password cracking and credential theft. This is why a direct approach won't work:

Upon being asked to generate a password list for George Washington's TikTok account, ChatGPT protests

But there's a workaround.

AI Chatbot Jailbreak

As with many other new technologies, ChatGPT has some flaws. Currently, it is extremely naive and can be tricked quite easily. Think of it as performing a social engineering attack against an artificial intelligence entity that acts like a young child. Escaping the restrictions of an AI chatbot is called jailbreak, and there are websites dedicated for the development and sharing of these techniques.

For example, if you want to generate a password list, you can just avoid explicitly writing down the phrase "password list," and also ask for a specific number of passwords:

Upon being asked to give 100 potential passwords for the TikTok account of George Washington (but not using the phrase

Another option is to go with a positive approach instead of a negative one, and ask for a list of safe passwords:

ChatGPT readily agrees to generate a list of safe password that George Washington could use.

Another technique includes attempts to persuade ChatGPT with different excuses:

ChatGPT readily agrees to generate a list of strong passwords.

In addition, there are more fancy techniques, like making ChatGPT act as a different character. For example, it can be turned into the helper AI chatbot of Niccolò Machiavelli, the famous Italian diplomat and philosopher who separated politics and moral and claimed that politicians do not need to follow moral standards. This shakes the moral level of ChatGPT and makes it do things it usually won't do:

Another technique: Getting ChatGPT to inhabit a different

Although ChatGPT is extremely naive, in some cases its naiveté has its limits:

ChatGPT disbelieves the claim that George Washington approved the generation of a password list via a seance

So, How Dangerous is It?

Password list generation tools have existed for a long time. Like with other tasks, AI can greatly increase the quality, efficiency, and ease of generating these lists, hence increasing the chance of successful credential-guessing attacks. It can be used to generate password lists for real people and celebrities:

ChatGPT readily agrees to generate possible passwords for celebrities

It can also be used to create focused and enhanced lists:

ChatGPT can also be used to create focused and enhanced lists

ChatGPT agrees to add special characters and numbers to passwords

How to Stay Safe

Password-based authentication becomes weaker when attackers utilize AI for password list generation and cracking. To reduce the risk of credentials theft, these principles should be followed:

  • Use strong passwords of 12 or more characters with a mix of character types.

  • Do not reuse the same password for different systems; use password managers or a logic that would generate different passwords.

  • Enable strong multifactor authentication for any platform that supports it.

  • Block unnecessary access to login interfaces in systems under your control.

AI Is the Future — but We Need to Be Cautious

As with any new ground-breaking technology, AI chatbots grant us many exciting opportunities, alongside new challenges. Many societal changes will take place when this technology is widely adopted, and some of them might be hazardous, such as massive job loss. Recently, scientists, researchers, and tech leaders, including Elon Musk, published a letter that urges artificial intelligence labs to pause development and described AI tools as "profound risks to society and humanity." This is why we should be very careful and cautious with the speed of development and adoption of this game-changing technology. Nonetheless, artificial intelligence is considered the next great technology leap of mankind. Technology will keep moving forward and new technologies like AI, with its many benefits, should eventually be embraced.

It's also important to note that adoption and usage of AI should be done with a critical eye, as the technology is still new and it makes mistakes from time to time. For example, when ChatGPT was asked to address the issue of this article, it stated, "First and foremost, we have no way of knowing if George Washington even had a TikTok account." Another text-to-image AI had an interesting interpretation of "George Washington with a duck face":

AI-generated image of George Washington with a duck face

Oh, one more thing: One of the paragraphs of this column was completely written by ChatGPT.

Can you spot which one?

About the Author(s)

Gil Cohen

Head of Application Security and Secure-SDLC, CYE

Gil Cohen is a highly experienced information security architect, consultant, researcher and penetration tester with more than 18 years of experience. Previously a senior consultant, a founding member of an IDF Infosec unit hacking section and a CTO of a known Israeli cybersecurity firm, Gil currently acts as a the head of application security and secure-SDLC at CYE, taking part in leading penetration tests and secure secure-SDLC assessments, internal and external trainings and mentoring and more. Gil was also previously a full stack developer who knows the pain of application security firsthand, and strives to promote this field.

Maor Daniel

Application Security Expert, CYE

Maor Daniel is an Application Security Expert at CYE who performs application and web penetration tests as well as Secure SDLC activities including threat modelling, design reviews, secure SDLC gap analysis and more. Maor is an Information Systems Bachelor of Science degree graduate who also develops testing methodologies and tools for CI/CD security activities and performs application security training for developers.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights