
AI Password Cracking in 2025: Key Findings

AI-powered password cracking has become dramatically faster in 2025, with 85.6% of common passwords now crackable in under 10 seconds[^1]. This acceleration stems from two main factors: advanced AI models that learn password patterns and powerful consumer GPUs.

Hardware Advances

The latest consumer graphics cards, particularly the RTX 5090, have transformed password cracking capabilities. Hive Systems reports that a setup of 12 RTX 5090s is now used as the benchmark for modern password cracking attempts[^2].

Time to Crack by Password Type

For bcrypt-hashed passwords (work factor 10):

  • 8 characters or fewer: cracked instantly regardless of complexity
  • 10 characters with mixed characters: 27 years
  • 12 characters with mixed characters: 244,000 years
  • 16 characters with mixed characters: 19 trillion years[^2]

AI's Impact

AI tools like PassGAN have revolutionized cracking by:

  • Learning common password patterns
  • Recognizing user habits like capitalizing first letters
  • Predicting likely passwords instead of random guessing[^1]

Security Recommendations

Recent findings emphasize:

  • Length over complexity (minimum 16 characters)
  • Use of password managers
  • Implementation of Multi-Factor Authentication (MFA)
  • Adoption of passkeys where available[^3]
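As an added illustration (not code from the post or from Hive Systems), the model below computes exhaustive-search crack times from keyspace, an assumed guess rate and the bcrypt cost factor, and checks the "length over complexity" claim by comparing a long password from a small alphabet against a shorter one from the full printable set. The character-set sizes and ASSUMED_RATE are assumptions chosen for illustration; the "instant" figures in the post come from pattern-based guessing, which this brute-force floor does not model.

```python
import math

# Character-class sizes behind common "mixed characters" policies
# (assumed breakdown; the post does not define its character set).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed-case+digits": 62,
    "all printable": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def bcrypt_cost_multiplier(cost: int, reference_cost: int = 10) -> float:
    """bcrypt work doubles with every +1 of the cost parameter, so a rate
    benchmarked at cost 10 is divided by 2**(cost - 10) at a higher cost."""
    return 2.0 ** (cost - reference_cost)


def expected_crack_years(length, charset_size, guesses_per_second, cost=10):
    """Expected time (half the keyspace on average) to recover one hash by
    exhaustive search over all `length`-character passwords."""
    effective_rate = guesses_per_second / bcrypt_cost_multiplier(cost)
    return keyspace(length, charset_size) / 2 / effective_rate / SECONDS_PER_YEAR


def length_beats_complexity(short_len, short_set, long_len, long_set):
    """True when the longer password from the smaller alphabet has the larger
    keyspace, i.e. when 'length over complexity' holds for this pair."""
    return keyspace(long_len, long_set) > keyspace(short_len, short_set)


# Assumed benchmark rate: a constructed figure for illustration only, not
# Hive Systems' measured number (bcrypt cost 10, multi-GPU rig).
ASSUMED_RATE = 2_000_000  # guesses per second at bcrypt cost 10

if __name__ == "__main__":
    for length in (8, 10, 12, 16):
        years = expected_crack_years(length, CHARSETS["all printable"], ASSUMED_RATE)
        print(f"{length:2d} chars, 95-symbol alphabet: {years:.3g} years")
    print("16 lowercase beats 10 all-printable:", length_beats_complexity(10, 95, 16, 26))
    print("16 lowercase beats 12 all-printable:", length_beats_complexity(12, 95, 16, 26))
    print("bcrypt cost 12 slows cracking by", bcrypt_cost_multiplier(12), "x")
```

Note that 16 lowercase characters outweigh 10 from the full printable set but not 12, so length only wins once the extra characters outnumber the bits gained from the bigger alphabet.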

[^1]: Messente - How Quickly Can AI Crack Your Password?
[^2]: Hive Systems - Are Your Passwords in the Green?
[^3]: Forbes - AI Can Crack Your Passwords Fast—6 Tips To Stay Secure

slazer2au@lemmy.world, 12 points, 1 week ago (last edited 1 week ago)

Oh, AI has nothing to do with it. It grabs the RockYou password list and guesses a password based on frequency of use.

This is nothing new.

If they want to do something actually impressive, how fast can they crack SHA-256 hashed passwords without rainbow tables? I will let them off and not require any salting.

adminofoz@lemmy.cafe, 1 point, 20 hours ago (last edited 20 hours ago)

Here is the thing: does the corporate entity you work with use Microsoft? Then your password is stored as an NTLM hash in NTDS.dit. That means you are using MD4.

Has anyone in your organization clicked a phishing link? It only takes one weak link to get in. Then it only takes one (maybe 2) bad configurations for a malicious actor to escalate privileges, then dump the whole organization's passwords from the Domain Controller.

Hope you aren't reusing passwords anywhere.

slazer2au@lemmy.world, 1 point, 15 hours ago

We are all running passwordless with passkeys, so our Entra passwords are all 128-character randomised strings that even we don't know, because why should we?

Corporate phishing tests are a joke, you can bypass them by filtering for Phishme or kb4 in the email header.

brossman@infosec.pub, 12 points, 1 week ago

This is dumb as hell.

CubitOom@infosec.pub, 5 points, 1 week ago

I still don't really understand what passkeys are since I've only ever been introduced to them by companies like Google and Microsoft. Are there any open source implementations of passkeys?

Also, why does no one ever recommend SSH keys, or GPG keys as an alternative method?

This post was submitted on 25 Nov 2025 to the cybersecurity community; 11 points (69.0% liked).