CyberheistNews Vol 16 #08 Do Passwords Need to Be 25+ Characters Due to AI and Quantum Attacks?

KnowBe4 Team | Feb 24, 2026

Do Passwords Need to Be 25+ Characters Due to AI and Quantum Attacks?

By Roger Grimes

Prior to my further research into AI and quantum for my latest book, How AI and Quantum Impact Cyber Threats and Defenses, I had pretty solid password policy recommendations:

  • If your password is truly random, it should be 12 or more characters to resist password hash cracking attacks.
  • If your password is made up in your head or is otherwise not truly random, it should be 20 or more characters to resist password guessing.

I really think you need to use PHISHING-RESISTANT MFA to protect valuable data and systems, as primary authentication, followed by using password managers (which more easily create and use long, truly random passwords that are different for every site and service you use).

And if and only if you cannot use MFA or a password manager, then make up a long passphrase for your password (like rogerjumpsoverthebrowncow, etc.). In any case, make sure your passwords are unique for every site and service.

I summarize that previous password advice graphically.

[CONTINUED] Blog post with links and graphics
https://blog.knowbe4.com/your-password-needs-to-be-25-characters-or-longer-due-to-ai-and-quantum-attacks

[NEW] Meet Your New AI Agent for Automated Human Risk Management

AI is accelerating threats, creating attack surfaces that traditional training wasn't built to handle. When you're resource-constrained, managing and measuring risk accurately can feel impossible.

To bridge this gap, we're replacing manual campaign execution with an always-on, AI-driven model. Meet the AIDA™ Orchestration Agent, the newest addition to KnowBe4's suite of Artificial Intelligence Defense Agents (AIDA).

Key Benefits for Your Team:

  • Autonomous Administration: Independently manages the selection, delivery and optimization of phishing tests and training
  • Hyper-Personalization: Tailors security simulations and education to the specific risk profile of every individual user
  • Always-On Intelligence: Continuously adjusts strategies in real-time based on user performance and emerging threats
  • Seamless Orchestration: Coordinates specialized AI agents to deliver a unified, data-driven security program
  • Strategic Guardrails: Provides administrators with "Plan-based" control to set high-level constraints and oversight
  • Industry Alignment: Uses the NIST Phish Scale to ensure simulations meet standardized difficulty frameworks

Shift your team's focus from manual campaign execution to strategic risk management. Join our upcoming demo to see AIDA Orchestration in action.

Date/Time: Wednesday, March 4 @ 2:00 PM (ET)

Save Your Spot:
https://info.knowbe4.com/hrm-aida-3?partnerref=CHN

Warning: Attackers Are Using DKIM Replay Attacks to Bypass Security Filters

Cybercriminals are abusing legitimate invoices and dispute notifications from popular services to send scam emails that bypass security filters, according to researchers at Kaseya's INKY.

The attackers have used this technique to impersonate PayPal, Apple, DocuSign, HelloSign and others.

"These platforms often allow users to enter a 'seller name' or add a custom note when creating an invoice or notification," the researchers write. "Attackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields.

"They then send the resulting invoice or dispute notice to an email address they control, ensuring the malicious content is embedded in a legitimate, vendor-generated message."

Since the emails themselves are sent from legitimate sources, they're more likely to land in users' inboxes. Humans are also more likely to fall for the scam if they see that the messages were sent from trusted vendors.

"Since the message originates directly from the vendor, such as PayPal, and is cryptographically signed, it easily passes DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) checks," INKY says.

"After receiving the legitimate email, the attacker simply forwards it on to their intended targets. The result is a message that looks authentic, passes email authentication and arrives in inboxes with little to no warning."

This technique is known as a "DKIM replay attack" and allows the emails to bypass security controls. "A DKIM replay attack occurs when a bad actor captures a legitimate, DKIM-signed email and then 'replays' that same message to additional recipients," the researchers explain.

"Since the original headers and message body remain unchanged, the DKIM signature continues to validate. As a result, the email passes DMARC authentication even though it is being redistributed by an attacker rather than delivered by the original sender. To avoid breaking DKIM, attackers intentionally do not modify the message after it has been signed."
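A defender-side check for the replay pattern INKY describes, added here as an example (it is not code from INKY or KnowBe4): it assumes the DKIM signature has already cryptographically verified upstream and looks only at whether the delivered-to address appears in the signed To/Cc headers and whether the signer set an x= expiry tag. The message, domains and addresses are constructed.

```python
import time
from email import message_from_bytes, policy
from email.utils import getaddresses

# Constructed sample (not a real message): a vendor invoice signed over
# From/To/Subject/Date, received by the attacker and forwarded unchanged.
REPLAYED_MSG = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1;
 h=from:to:subject:date; t=1771840800; x=1772445600;
 bh=placeholderbodyhash=; b=placeholdersignature=
From: Billing <billing@vendor.example>
To: attacker-mailbox@attacker.example
Subject: Invoice #1001 - call 555-0100 to dispute
Date: Mon, 23 Feb 2026 10:00:00 +0000

Constructed body; the vendor's free-text field carries the scam note.
"""

def parse_dkim_tags(msg):
    """Split the first DKIM-Signature header into its tag=value pairs."""
    tags = {}
    for part in str(msg.get("DKIM-Signature", "")).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def replay_indicators(raw_bytes, delivered_to, now=None):
    """Findings that mark a DKIM-valid message as a likely replay.
    Assumes the cryptographic DKIM check already passed upstream."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    tags = parse_dkim_tags(msg)
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    findings = []
    # A replay cannot edit the signed To/Cc without breaking the
    # signature, so the real recipient is usually absent from them.
    hdrs = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpts = {addr.lower() for _, addr in getaddresses(hdrs) if addr}
    if "to" in signed and delivered_to.lower() not in rcpts:
        findings.append("delivered-to address not in signed To/Cc")
    # x= lets the signer bound how long a captured message stays valid.
    now = time.time() if now is None else now
    if "x" not in tags:
        findings.append("no x= expiry tag; signature replays indefinitely")
    elif float(tags["x"]) < now:
        findings.append("signature expired (x= is in the past)")
    return findings
```

Neither finding proves a replay on its own (legitimate forwards and mailing lists also move signed mail), so treat them as signals to weigh alongside the user-controlled content of the message.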

KnowBe4 empowers your workforce to make smarter security decisions every day.

Blog post with links:
https://blog.knowbe4.com/warning-attackers-are-using-dkim-replay-attacks-to-bypass-security-filters

10 Questions Every CISO Should Ask About AI-Powered HRM Tools

AI has certainly become a hot topic in the human risk management (HRM) space, but how can you cut through the hype?

Assessing AI in Human Risk Management

This guide provides a framework for you to thoroughly evaluate AI-based HRM tools and separate real innovation from empty marketing claims. It covers key considerations, including:

  • Identifying true AI needs vs. AI for AI's sake
  • Understanding how a vendor's AI model works under the hood
  • Assessing AI performance, training and human oversight

Download now for insight into the right questions to ask to make informed decisions about adopting AI for a more effective HRM program in your organization.

Download Now:
https://info.knowbe4.com/10-questions-every-ciso-should-ask-about-ai-powered-hrm-tools-chn

AI-Assisted Social Engineering Attacks Continue to Rise

Social engineering remained the top initial access vector for cyberattacks in 2025, with increasing assistance from AI tools, according to a report from ThreatDown.

The researchers warn that AI will likely become a core component of social engineering attacks throughout 2026. "Deepfake voice, image and video impersonation now requires minimal expertise and only a handful of reference images or seconds of audio," the researchers write.

"Criminals are using these capabilities across a wide spectrum of attacks: creating fabricated IDs for financial fraud; mimicking IT or helpdesk staff to persuade employees to share passwords, reset multi-factor authentication (MFA) or approve remote access; and impersonating executives to conduct highly convincing forms of CEO fraud."

"ThreatDown expects AI-driven social engineering operations to scale significantly throughout 2026 and to emerge as the dominant form of social engineering used by attackers."

Attackers have already widely adopted AI to generate phishing lures. Generative AI tools allow threat actors to craft realistic phishing emails with no typos, even if the attacker doesn't have a good grasp of the target's language.

"Phishing campaigns used familiar brands and believable lures like secure document downloads," ThreatDown says. "Increasingly, attackers relied on AI-generated emails to eliminate the errors that many rely on to identify phishing and to produce more polished, convincingly personalized messages at scale.

"Using simple techniques such as checking MX records, attackers served victims fake versions of Google or OneDrive login screens tied to the victims' own domains. In some cases, victims were redirected to their real inboxes after harvesting credentials to minimize suspicion."

AI-powered security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for evolving social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/ai-assisted-social-engineering-attacks-continue-to-rise

The Modern Workplace Is No Longer Just People

The workforce is transforming. Within five years, your employees will work alongside AI agents autonomously. Both require protection, training and oversight. KnowBe4 is the only platform built to secure this hybrid future, where humans and AI agents collaborate as colleagues.

We empower your organization to outpace phishing, vishing, deepfakes and the full spectrum of social engineering. In an environment where humans and AI agents collaborate in real time, your defense must be as fast and adaptive as the threats you face.

  • 70K+ organizations trust us globally
  • 15+ years of user behavior data and threat intelligence
  • Seven AI agents in market

Meet KnowBe4's AI Defense Agents.

Learn More:
https://www.knowbe4.com/training-humans-ai-agents


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [BUDGET AMMO] WSJ: "A Defector Explains the Remote-Work Scam Helping North Korea Pay for Nukes."
https://www.wsj.com/world/asia/a-defector-explains-the-remote-work-scam-helping-north-korea-pay-for-nukes-277fc94f/

PPS: [By Yours Truly] Marketers Think They're Using AI, But Most Have Much To Learn:
https://www.forbes.com/councils/forbestechcouncil/2026/02/20/marketers-think-theyre-using-ai-but-most-have-much-to-learn/

Quotes of the Week
"If you never want to be criticized, for goodness' sake don't do anything new."
- Jeff Bezos - Entrepreneur (1964 - )

"More men have become great through practice than by nature."
- Democritus - Philosopher (460 – 370 BC)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-08-do-passwords-need-to-be-25-characters-due-to-ai-and-quantum-attacks

Security News

Humans Will Give AI Anything If You Make It Sound Cool Enough

By Javvad Malik

There's a beautiful moment happening right now, and by "beautiful" I mean "horrifying in that can't-look-away-from-the-car-crash sense."

People are giving OpenClaw access to, well, pretty much their entire lives. The results are exactly what you'd expect...

One user gave his agent $500 and watched it create 25 trading strategies, generate 3,000+ reports, build 10 new algorithms, scan every post on X and trade 24/7 non-stop. The result? It lost everything. Not most of it. Everything. The agent traded the portfolio down to zero with the kind of efficiency that would make a casino jealous.

The user was fascinated by the process. Like watching a very expensive bonfire consume your life savings while taking notes on the color of the flames.

Others have handed OpenClaw the keys to their social media accounts. The posts it's generating are, by all accounts, absolutely unhinged. And people are loving it.

From a security perspective, this is a nightmare rendered in code. Many users have left OpenClaw accessible without proper authentication. It's got API access to financial systems, social platforms and who knows what else. It's making autonomous decisions with real money and real reputational consequences.

And here's the thing that should terrify every CISO on the planet: this is going to be completely normal in about eighteen months.

[CONTINUED] At the KnowBe4 Blog:
https://blog.knowbe4.com/humans-will-give-ai-anything-if-you-make-it-sound-cool-enough

NOTE: You have to wonder if OpenClaw is the ultimate social engineering attack...

Warning: Scammers Are Targeting Fans of the Winter Olympics

Malwarebytes warns that threat actors have set up dozens of phishing sites that impersonate the Winter Olympics merchandise store. The sites are designed to steal credentials, payment details and personal information, or trick users into installing malware.

"In roughly the past week alone, we've identified nearly 20 lookalike domains designed to imitate the official Olympic merchandise store," Malwarebytes says. "These aren't crude copies thrown together overnight. The sites use the same polished storefront template, complete with promotional videos and background music designed to mirror the official shop.olympics.com experience.

"The layout and product pages are the same—the only thing that changes is the domain name. At a quick glance, most people wouldn't notice anything unusual." The scammers are exploiting the popularity of the viral plush toys of the 2026 Olympics, Tina and Milo, which are currently sold out on the official site.

"On the official store, the Tina plush costs €40 and is currently out of stock," the researchers write. "On the fake sites, it suddenly reappears at a hugely discounted price—in one case, €20, with banners shouting 'UP & SAVE 80%.' When an item is sold out everywhere official and a random .top domain has it for half price, you're looking at bait."

Scammers always take advantage of major events, and users should always be wary of websites that convey a sense of urgency and try to make them act quickly.

"The formula is simple," Malwarebytes concludes. "Take a globally recognized brand, add urgency and emotional appeal (who doesn't want an adorable stoat plush for their kid?), mix in limited availability and serve it up on a convincing-looking website.

"With over three billion viewers expected for Milano Cortina, the pool of potential victims is enormous. Scammers are getting smarter. AI-powered tools now let them generate convincing phishing pages in multiple languages at scale. The days of spotting a scam by its broken images and multiple typos are fading fast."

Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Malwarebytes has the story:
https://www.malwarebytes.com/blog/scams/2026/02/fake-shops-target-winter-olympics-2026-fans

What KnowBe4 Customers Say

"Hi Bryan. Thanks for checking in. We have just started using the platform. I have used it before in my last company and was very satisfied. Amy F. has been great in assisting us."

- C.J., Chief Information Officer

The 10 Interesting News Items This Week
  1. Starlink restrictions hit Russian forces as Moscow seeks workarounds:
    https://therecord.media/starlink-restrictions-hit-russian-forces

  2. AI Is Taking Over Social Media, but Only 44% of People Are Confident They Can Spot It:
    https://www.cnet.com/tech/services-and-software/cnet-survey-ai-slop-confidence-in-spotting-ai-waning/

  3. Polish police detain alleged cybercriminal with Phobos ransomware ties:
    https://therecord.media/poland-phobos-ransomware-arrest

  4. Researchers find major phishing campaign targeting Fortune 500 financial and technology firms:
    https://socradar.io/resources/whitepapers/operation-doppelbrand-fortune-500-access/

  5. Major operation in Africa targeting online scams nets 651 arrests, recovers USD 4.3 million:
    https://www.interpol.int/News-and-Events/News/2026/Major-operation-in-Africa-targeting-online-scams-nets-651-arrests-recovers-USD-4.3-million

  6. FBI: Increase in Malware Enabled ATM Jackpotting Incidents Across United States:
    https://www.ic3.gov/CSA/2026/260219.pdf

  7. Dutch intelligence warns: Russia stepping up hybrid attacks, preparing for long standoff with West:
    https://therecord.media/russia-cyberattacks-europe-warfare

  8. 'Starkiller' Phishing Service Proxies Real Login Pages, MFA:
    https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

  9. Palo Alto Networks: "QR code phishing is on the rise":
    https://unit42.paloaltonetworks.com/qr-codes-as-attack-vector/

  10. Latin America sees an increase in ransomware and phishing activity:
    https://industrialcyber.co/reports/latin-america-sees-sharp-rise-in-ransomware-hacktivist-attacks-in-2025-amid-expanding-fraud-and-phishing-threats/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
