AI-driven cyber threats are evolving, making password security vital. Strong, unique passwords and passphrases are key to staying resilient against these risks.
Author: Johnty Mongan

Password protection is the first line of defence against cyber threats. With 94% of passwords reused or duplicated [1], many individuals who manage multiple accounts across personal and professional domains simplify or reuse their passwords for convenience. This creates vulnerabilities that can be exploited, making passwords the primary target for threat actors.

The increased use of AI in cyber-attacks and phishing attempts has heightened this risk. Threat actors can automate billions of password-guessing attempts within minutes.

Additionally, AI can now mimic voices and generate realistic images, enabling attackers to impersonate colleagues or executives with alarming accuracy and trick unsuspecting employees into sharing their credentials.

"Practicing good password hygiene, paired with tools like multi-factor authentication and intrusion detection systems, is essential for building real cyber resilience," says Johnty Mongan, global head of Cyber Risk Management at Gallagher.

The AI threat: Guessing passwords from social media

AI supercharges brute-force attacks

A brute-force attack attempts to gain unauthorised access by systematically guessing usernames, passwords, or other credentials. With the adoption of AI, attackers can now automate the process, analyse large datasets and test combinations at scale, significantly increasing the speed and success rate of brute-force attacks.

AI technologies can extract information from social media profiles to predict potential passwords. These tools identify patterns in human behaviour, such as the use of pet names, birth years or common phrases, and use those insights to generate targeted guesses with precision.

Consider a social media post where an individual shares a photo celebrating their 40th birthday, holding a balloon that reads "Happy 40th!" The caption mentions, "Celebrating with my dog Bella," and their name, Sarah Jones, is visible on the profile. A threat actor could correlate this information to generate likely password combinations such as Sarah1985, Bella40, or JonesBella1985.

What makes this threat particularly potent is AI's ability to automate the analysis of vast volumes of data across multiple platforms. It enables threat actors to scale their efforts and refine their predictions. This is a stark reminder to avoid using personal information in passwords and to update credentials regularly.

The role of secure passwords and passphrases

Maintaining secure and unique passwords that include a combination of symbols, numbers and letters for each of your accounts makes them much harder to predict. Passphrases, with four or more words, can be a more secure alternative. Using a series of words or a meaningful sentence increases password entropy, making the passphrase easier to remember but difficult to crack. Including special characters between words can further add to the unpredictability of the passphrase and strengthen it against brute-force attacks.
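As an added example, not code from the article or from Gallagher, the following Python puts the two points above into a defender-side check: it flags a candidate password that contains publicly known personal details from the Sarah Jones scenario, and it estimates entropy for a character password versus a multi-word passphrase. The public-fact set, the 7776-word list size and the 60-bit acceptance threshold are assumptions chosen for illustration.

```python
import math
import re

# Constructed facts mirroring the article's scenario (Sarah Jones, her dog
# Bella, a 40th birthday implying a 1985 birth year). Illustrative only.
PUBLIC_FACTS = {"sarah", "jones", "bella", "40", "1985"}

# Character classes and their sizes for the naive entropy estimate.
CHARSET_SIZES = [("[a-z]", 26), ("[A-Z]", 26), ("[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]

# Assumed policy threshold: reject anything estimated below 60 bits.
MIN_BITS = 60.0


def leaked_personal_tokens(password: str, facts=PUBLIC_FACTS) -> list:
    """Return the public facts that appear inside the password (case-insensitive)."""
    lowered = password.lower()
    return sorted(f for f in facts if f.lower() in lowered)


def password_entropy_bits(password: str) -> float:
    """Naive entropy estimate for a character-by-character password.

    Assumes every character is drawn uniformly from the union of the
    character classes present. For human-chosen strings like 'Sarah1985'
    this overestimates badly, which is why the personal-token check matters.
    """
    pool = sum(size for pattern, size in CHARSET_SIZES if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(num_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of num_words words chosen uniformly from a wordlist_size list.

    7776 is the classic Diceware list size: each word adds log2(7776) ~ 12.9 bits.
    """
    return num_words * math.log2(wordlist_size)


def assess(password: str) -> dict:
    """Combine both checks into a single policy verdict."""
    tokens = leaked_personal_tokens(password)
    bits = password_entropy_bits(password)
    return {
        "personal_tokens": tokens,
        "entropy_bits": round(bits, 1),
        "acceptable": not tokens and bits >= MIN_BITS,
    }
```

Note that the naive estimate rates "Sarah1985" at roughly 53.6 bits, slightly above four random Diceware words (about 51.7 bits), yet the token check still rejects it; the entropy figure only holds for genuinely random choices, and each extra passphrase word adds about 12.9 bits.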

Best practices for password security

  • Enable two-factor authentication (2FA): For additional security, enable 2FA whenever possible. This requires a second verification step, such as a code sent to your phone or biometric/fingerprint confirmation, as well as your password.
  • Use password managers: Use password managers to store and manage passwords securely. These tools generate strong passwords and help you keep track of them without compromising security.
  • Create complex passwords: Incorporate a mix of uppercase and lowercase letters, numbers and symbols. Avoid easily guessable information such as names or birthdays.
  • Use passphrases: Consider passphrases, which are longer but often easier to remember than complex passwords. A passphrase can be a sequence of random words or a sentence with numbers and symbols.
  • Change passwords regularly: Update passwords and passphrases regularly to minimise the risk of unauthorised access. This step is critical if you suspect information may have been compromised.

How Gallagher can help

By adopting strong passwords, updating them regularly and implementing additional security measures like two-factor authentication, individuals can fortify their digital defences and safeguard their personal and professional data.

In addition to following best practices to secure your devices and online accounts, keeping up with the evolving cyber threats remains critical. To assist in your organisation's security, the Gallagher Cyber Defence Centre offers real-time updates on common vulnerabilities and the tools available to boost your cybersecurity posture.

Contact the Gallagher Cyber Risk Management team for personalised advice and solutions. Our specialists will guide you in implementing robust cybersecurity measures and developing a strategic cybersecurity approach tailored specifically to safeguard your organisation’s future.


Sources

[1] Naprys, Ernestas. "19 Billion Leaked Passwords Reveal Deepening Crisis: Lazy, Reused, and Stolen," Cybernews, 13 May 2025.


Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909. FP1385-2025. The approval will expire on 11.09.2026