Can AI Crack Your Password?

An AI tool tested 15.68 million real passwords. It cracked 51% of them in under 60 seconds. Not minutes. Seconds.

That tool is called PassGAN. It was trained on leaked passwords from real breaches, and the study used the RockYou dataset, a real tool, real data, not a thought experiment. But that’s just the start. The hardware that trains AI systems like ChatGPT has also been turned toward password cracking, and according to Hive Systems’ annual benchmark, cracking speeds with consumer GPUs dropped by nearly 20% in just one year between 2024 and 2025.

The question is not whether AI can crack passwords. It already can. The question is whether yours is one of them and what specifically makes the difference between a password that falls in seconds and one that would take 56 billion years.

How AI Cracks Passwords — And Why It Is Getting Faster Every Year

Most readers have no idea how AI password cracking actually works. There are three distinct methods, and each is scarier than the last.

Method 1 — Brute Force + AI-Grade Hardware

Traditional brute force tries every possible combination. What changed is the hardware. According to Hive Systems, the speed at which passwords can be cracked using AI-grade hardware, the same GPUs used to train large language models like ChatGPT has increased by over 1.8 billion percent compared to consumer-grade machines from just a few years ago. Their 2025 benchmark used twelve RTX 5090 graphics cards working in parallel, a setup a determined attacker with criminal or government backing can realistically assemble.

Method 2 — Pattern Learning

AI does not just guess randomly. It learns from real leaked passwords. When billions of passwords are exposed in breaches, AI models are trained on those datasets and learn exactly how humans choose passwords: the capital first letter, the number at the end, the @ substituting for an a, the exclamation mark to finish. Your “clever” substitutions are not clever to an AI that has seen them hundreds of millions of times. As PCWorld notes, if your password uses common dictionary words or has been reused in a hacked site, it will be cracked instantly through dictionary attacks and rainbow tables — no brute force required.

Method 3 — Credential Stuffing

According to IBM’s 2024 Cost of a Data Breach Report, stolen or compromised credentials were the most common initial attack vector, accounting for 16% of all breaches studied. Attackers automatically test stolen credentials across hundreds of platforms. If your password leaked anywhere, a forum, a shopping site, an old account, it is being tried elsewhere right now.

So the real question is not whether these tools exist. It is: how long would your specific password actually last?

How Long Would It Take AI to Crack Your Password? (Real Data, 2025)

Hive Systems has published an annual password crack-time benchmark since 2020. Their 2025 table — widely cited by Forbes, CNBC, Tom’s Hardware, and PC Gamer — used 12 NVIDIA RTX 5090 GPUs running against bcrypt-hashed passwords at work factor 10, which reflects real-world defaults used by frameworks like Laravel and PHP. The table below shows their published results.

Source: Hive Systems 2025 Password Table  —  12x RTX 5090, bcrypt work factor 10. Red = cracked near-instantly; green = practically safe.

Three critical insights from this data:

•        Anything under 8 characters is essentially useless, regardless of complexity. AI breaks those instantly.

•        An 8-character password with a full mix of characters could theoretically take 164 years to crack — but the same number of characters using only uppercase and lowercase letters drops to 62 years. Length matters more than complexity.

•        Cracking speeds dropped by nearly 20% between 2024 and 2025. A password that was considered safe last year may not be safe today. This trajectory does not slow down.

Important caveat: These figures represent worst-case (last possible guess) scenarios for the attacker, meaning real-world cracks against weak or patterned passwords happen much faster than the table suggests.

The Passwords AI Targets First

These are the patterns AI checks first — the ones it has seen billions of times in real breach data:

•        Any password under 8 characters, regardless of how complex it looks

•        Passwords starting with a capital letter and ending in a number or ! — e.g., Password1!, Summer2026!

•        Keyboard sequences: qwerty, 123456, asdfgh

•        First name + birth year: john1995, sarah2001

•        Obvious substitutions: p@ssw0rd, s3cur!ty — AI has seen every variation

•        Any dictionary word, even with numbers appended

•        Any password reused across accounts — IBM found that credential-based breaches took an average of 292 days to identify and contain, the longest of any attack vector.

The research also reveals something unexpected: AI can sometimes guess passwords just by listening to keystrokes. A study found that keystroke audio captured over Zoom achieved over 90% accuracy in some test cases. This is not yet mainstream, but it demonstrates the direction this technology is heading.

What Actually Makes a Password AI-Proof in 2026

The counterintuitive truth: Most people think complexity — the symbols, the capital letters, the substitutions — is what makes passwords strong. The research shows this is wrong. According to Hive Systems’ data, an 8-character fully complex password (164 years) is far weaker than a 16-character lowercase passphrase (15,000 years). Length creates exponential gains. Complexity helps, but length wins.

1 — Length: The Minimum Is Now 16 Characters

NIST SP 800-63B Revision 4, released in August 2025, now requires a minimum of 15 characters for passwords used as a single-factor authentication mechanism. Revision 4 specifically raises this floor because of AI-accelerated cracking. Most security practitioners recommend 16 as a practical target. For critical accounts, aim for 18 or more.

2 — Uniqueness: One Password Per Account, Non-Negotiable

IBM’s 2024 report confirmed that compromised credentials were the #1 attack vector in data breaches, responsible for 16% of all incidents, with an average breach cost of $4.81 million. One leaked password from one breached site can unlock every account where it was reused. The only practical solution is one unique password per account, which requires a password manager.

The Passphrase Method — Strong and Actually Memorable

Four unrelated random words create a passphrase that is both highly secure and human-readable. For example:

Dolphin94Piano!Glacier

21 characters • All character types • Trillions of years to crack

Compare that to P@ssw0rd! — 9 characters, cracked in minutes. AI has seen every variant of that pattern across hundreds of millions of real passwords.

Three Things to Do Today That Make AI Password Cracking Irrelevant

Step 1 — Get a Password Manager

You cannot manually create and remember 100+ unique 16-character passwords. A password manager generates and stores them for you. Bitwarden is completely free, open-source, and consistently recommended by security researchers. Chrome and Safari’s built-in managers are also a solid starting point for most people.

Step 2 — Enable Two-Factor Authentication

Even if AI cracks your password, 2FA stops the attack. Use an authenticator app (like Authy or Google Authenticator) rather than SMS, which NIST now discourages due to SIM-swapping vulnerabilities. Start with your email and banking accounts, these are the highest-value targets.

Step 3 — Check Whether You’ve Already Been Leaked

Go to haveibeenpwned.com and enter your email address. It will show you every breach your credentials have appeared in. This is free, run by respected security researcher Troy Hunt, and takes 30 seconds. It tells you exactly which accounts to fix first.

The Password Myths That Are Getting People Hacked

Myth 1: “My password is strong because it has symbols and numbers.”

Reality: A short complex password is weaker than a long simple one. Per Hive Systems’ 2025 data, an 8-character fully complex password (164 years to crack) is thousands of times weaker than a 16-character all-lowercase passphrase (15,000 years). Complexity without length is false security.

Myth 2: “I would know if my account was hacked.”

Reality: According to IBM’s 2024 Cost of a Data Breach Report, credential-based breaches took an average of 292 days to identify and contain, the longest detection time of any attack vector studied, across 604 organizations globally. Most people find out months or years later, if at all. Waiting until you notice something is not a strategy.

The Bottom Line

Here is the honest truth: if your passwords are under 12 characters, follow predictable patterns, or are reused across accounts, AI can crack them. Not eventually. Now. The research is not speculative — it comes from Hive Systems’ annual GPU benchmarks, IBM’s study of 604 real breaches across 17 industries, and NIST’s updated guidelines specifically written in response to AI-accelerated cracking.

The fix takes about 20 minutes. Install Bitwarden. Let it generate a 16-character password for your email and your bank. Turn on 2FA on both. Check haveibeenpwned.com. That is it.

Twenty minutes against years of protection. What are you waiting for?

Sources

[1] Hive Systems (2025). "Are Your Passwords in the Green?" 12x RTX 5090, bcrypt work factor 10. — https://www.hivesystems.com/blog/are-your-passwords-in-the-green

[2] Tom's Hardware (May 2025). "Nvidia RTX 5090 can crack an 8-digit passcode in just 3 hours." — https://www.tomshardware.com/pc-components/gpus/nvidia-rtx-5090-can-crack-an-8-digit-passcode-in-just-3-hours

[3] heise online (May 2025). "Study: This is how much time it will take to crack a password in 2025." Citing Hive Systems CEO Alex Nette on 1.8B% acceleration. — https://www.heise.de/en/news/Study-This-is-how-much-time-it-will-take-to-crack-a-password-in-2025-10373456.html

[4] PCWorld (May 2025). "Welp, Nvidia's RTX 5090 can crack an 8-digit password in 3 hours." — https://www.pcworld.com/article/2778193/welp-nvidias-rtx-5090-can-crack-an-8-digit-password-in-3-hours.html

[5] IBM Security / Ponemon Institute (2024). "Cost of a Data Breach Report 2024." 604 organizations globally, March 2023–Feb 2024. — https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs

[6] Cybersecurity Dive (July 2024). "Global data breach costs reach all-time high of $4.9M, IBM says." — https://www.cybersecuritydive.com/news/ibm-data-breach-cost-credentials-phishing/722689/

[7] NIST SP 800-63B Revision 4 (August 2025). Section on memorized secrets — 15-char minimum for single-factor. — https://pages.nist.gov/800-63-4/sp800-63b.html

[8] Enzoic (September 2025). "NIST SP 800-63B Rev 4." Analysis of Rev 4 password length requirements. — https://www.enzoic.com/blog/nist-sp-800-63b-rev4/

[9] Home Security Heroes (2023). PassGAN study on RockYou dataset — 15.68M passwords, 51% cracked in <60 seconds. — https://www.homesecurityheroes.com/ai-password-cracking/

[10] PC Gamer (May 2025). "Here's how long it would take 12 RTX 5090 GPUs to crack your password." Notes table = worst-case scenario. — https://www.pcgamer.com/software/security/heres-how-long-it-would-take-12-rtx-5090-gpus-to-crack-your-password-and-a-reminder-that-just-adding-more-characters-still-works/

Continue with AI Tools, the blog archive, AI Tools & Workflows.