Think your password is safe? AI could break it before you blink
You may think your passwords are strong, with their mix of upper and lower case letters, numbers, and special characters, but new analysis from Messente shows that they likely aren't as safe as you think. The company's study looked into how quickly AI can crack common passwords, revealing that most were defeated in seconds and only very long, mixed-character passwords offered any kind of real barrier to modern cracking tools.
Messente reviewed 14.2 million real-world passwords using AI systems such as PassGAN alongside GPU-based simulations. The goal was to see how quickly an AI-powered model could crack passwords of different lengths and structures.
SEE ALSO: The passwords most likely to get you hacked
As you might expect, the analysis found that weak, short, or predictable choices offered almost no defense against current attack methods.
Messente says that 85.6 percent of common passwords can be cracked in under ten seconds. Almost 88 percent fall within a month. Those numbers come from AI models trained on leaked password databases, which help them anticipate common patterns before attempting more random guesses. That behavior mirrors real user habits, which makes the model far faster than traditional brute-force approaches.
Short passwords are the easiest to break. Ones of eight characters or below, regardless of how many symbols or numbers they contain, are broken instantly.
Length creates the biggest difference. A twelve-character mixed password could take hundreds of years to crack, and sixteen characters extends that timeline into the trillions of years. Complexity still matters, but far less than length.
A ten-character password using letters alone lasts only three weeks, while full complexity stretches that figure to twenty seven years.
Predictable password choices
PassGAN learns from leaked datasets, including the well known RockYou collection, and spots predictable choices such as capitalized first letters or common substitutions.
This allows the model to jump directly to likely candidates, while modern GPUs process billions of operations per second. Combined, they create a system that can break a huge share of everyday passwords almost instantly.
Messente’s analysis shows that people often rely on familiar patterns that create an illusion of strength. A shorter password with symbols or numbers feels secure, but the dataset reveals that only extended length resists modern cracking tools.
Patterns in the study also highlight the danger of recycled passwords across multiple accounts, since an exposed password from one breach quickly becomes a target elsewhere.
Uku Tomikas, chief executive at Messente, says the results point to a growing security challenge that affects individuals as much as businesses. “AI has made password cracking faster and smarter than ever. The days when simple passwords could keep you safe are gone,” Tomikas explains. He says that secure authentication needs layered verification rather than a sole reliance on passwords.
While AI can quickly defeat weak passwords, it still cannot bypass multi-step systems that combine long, unique passwords with second-factor checks.
Messente’s dataset was built from the updated RockYou 2024 password collection, processed with Unicode NFKC normalization and filtered to include entries between four and eighteen characters. Each password was assigned to one of five categories ranging from numbers-only to fully mixed combinations.
AI cracking times were then modeled using PassGAN outputs and GPU-based simulations designed to reflect real-world attack conditions.
What do you think about these AI password findings? Let us know in the comments.
Image credit: marekuliasz/Shutterstock