Warning—This Is How Easy It Is To Steal All Your Passwords

Stealing passwords has never been easier
Microsoft and Google users in particular have been inundated in recent weeks with warnings to ditch passwords for passkeys. And rightly so. These are the passwords that unlock much of your digital life, and it’s never been easier to steal them.
Microsoft is moving fastest when it comes to leaving passwords behind, confirming its intent to delete passwords for more than a billion users. Google is not too far behind, warning that most of its account holders need to add passkeys to their accounts.
Passkeys use your device security to sign into your account, rather than a user name and password. As such, there’s no password to steal or breach, and there aren’t even any two-factor authentication codes to bypass or share. It’s “phishing resistant.”
With perfect timing, the team at Okta has just warned “it has observed threat actors abusing v0, a breakthrough GenAI tool created by Vercel to develop phishing sites that impersonate legitimate sign-in webpages.”
There’s even a video showing how this works — and it should worry anyone still relying on passwords to log into key accounts, even if they’re backed up by 2FA and especially if that 2FA is nothing better than SMS, which is now little better than nothing at all.
“This signals a new evolution in the weaponization of GenAI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts,” Okta says. “This technology [is] being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer.”
Watch the video on Okta’s website
While it may surprise users how easily a sign-in page can be replicated, it should not surprise them that “today’s threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities.”
Gone are the days of clumsy imagery and texts and fake sign-in pages that can be detected in an instant. These latest attacks need a technical solution.
The advice remains to add passkeys to any account where they’re available, and then to stop using passwords to access those accounts. You should also ensure any passwords that need to remain on accounts are long and unique and backed up by non-SMS 2FA.
The best form of easy-to-use 2FA is an authenticator app on your smartphone. These are quasi-passkeys, as they link to your hardware, although they’re not as good as passkeys and can still be open to interception and to users being tricked into sharing codes.
Okta says this “highlights a critical new vector in the phishing landscape. As GenAI tools become more powerful and accessible, organizations and their security teams must adapt to the reality of AI-driven social engineering and credential harvesting attacks.”