AI Password Cracking in 2025: Key Findings

AI-powered password cracking has become dramatically faster in 2025, with 85.6% of common passwords now crackable in under 10 seconds[1]. This acceleration stems from two main factors: advanced AI models that learn password patterns and powerful consumer GPUs.

Hardware Advances

The latest consumer graphics cards, particularly the RTX 5090, have transformed password cracking capabilities. Hive Systems reports that a setup of 12 RTX 5090s is now used as the benchmark for modern password cracking attempts[2].

Time to Crack by Password Type

For bcrypt-hashed passwords (work factor 10):

  • 8 characters or less: Instant crack regardless of complexity
  • 10 characters with mixed characters: 27 years
  • 12 characters with mixed characters: 244,000 years
  • 16 characters with mixed characters: 19 trillion years[2]

AI’s Impact

AI tools like PassGAN have revolutionized cracking by:

  • Learning common password patterns
  • Recognizing user habits like capitalizing first letters
  • Predicting likely passwords instead of random guessing[1]

Security Recommendations

Recent findings emphasize:

  • Length over complexity (minimum 16 characters)
  • Use of password managers
  • Implementation of Multi-Factor Authentication (MFA)
  • Adoption of passkeys where available[3]

  1. Messente - How Quickly Can AI Crack Your Password?

  2. Hive Systems - Are Your Passwords in the Green?

  3. Forbes - AI Can Crack Your Passwords Fast - 6 Tips To Stay Secure

  • adminofoz@lemmy.cafe · 9 days ago (edited)

    Lol either you are the one percent or a liar. To just casually act like it's normal for an entire org to use 128-character random passwords (FIDO or not) actually made me laugh out loud.

    I’d never heard of bypassing a corporate phishing test using an email filter. You may be surprised to know the people who purchase those tests actually typically whitelist the sending domain, unless they are requesting a test of their filter, which is a different type of engagement. They do it so they don't have to buy 4 weeks of a consultant's time just so he can blindly figure out your email config through trial and error. Instead a whitelist and a 3 day engagement saves both teams a headache and achieves the same goal. If they actually tried to block it using an email filter, it would be an excellent way to waste their money.

    You are probably ready to tell me how they are even more of a joke.

    Encouraging users to do the same means you don't get any practice and just get real phishes from real malicious actors. So if you fail, it will be to the bad guys and not your own security team who is trying to help. Completely self defeating and a great way to cause real damage instead of just ending up watching an awareness training video. But if you wanna flex on it, go right ahead.

    It's just such a shame that an organization with such a vastly superior password policy hasn’t seen a phish in anything other than phishme or kb4. It’d be a shame if people were bypassing MFA using multiple frameworks during phishing tests and in the real world.

    Just whatever you do, don't look up evilginx, evilvnc, Ghostframe, salty2fa, or any talk on phishing since 2020.