AI is coming for your passwords – better make them strong

Weak passwords, as various studies have shown, can be cracked in a second, but now AI can crack even stronger ones in the same amount of time. Language models can and will be used to brute-force passwords and organize dictionary attacks more often, cybersecurity experts predict.

“AI is a breakthrough technology that is beginning to permeate all aspects of life and business, including cybersec. We should be mindful that in 2025, the time it takes to guess, social engineer, or brute force passwords is going to drop dramatically due to AI tools in the hands of cybercriminals”, says Ignas Valancius, Head of Engineering at NordPass, a leading password manager.

According to the Top 200 Most Common Passwords research, simple passwords like “123456” or “qwerty” can be cracked in under a second. The more complex the password, the longer it takes, but with increasing computing power and advances in AI, hackers will be able to try many more combinations in less time. So even more complex passwords will be cracked faster.

AI is learning 

“I’m not saying that super long, random 18-character passwords are at immediate risk. But shorter ones – they could be in danger. With the arrival of DeepSeek, language models are being commoditized. Recently, researchers at Stanford and the University of Washington trained the “reasoning” model using less than $50 in cloud computing credits. With things so cheap, more threat actors will choose the easy way – buy some datasets on the dark web, ask an AI to make dictionary or brute force attacks on all the accounts, and go watch a movie. No need to organize months-long phishing campaigns,” says Valancius.

A dictionary attack is a systematic method of guessing a password by trying many common words and their simple variations. Attackers use extensive lists of the most commonly used passwords, popular pet names, fictional characters, or literally just words from a dictionary – hence the name of the attack. They also change some letters to numbers or special characters, like “p@ssw0rd”.

Poor security habits

The latest Top 200 Most Common Passwords research shows that despite the efforts of many organizations, there hasn’t been much improvement in people’s password habits. During a six-year study by NordPass, the password “123456” topped the charts as the most common password 5 out of 6 times. “password” held this not-so-noble title just once.

“And let’s not forget that the more people use AI, the more it learns about them. This is to say that many people already share sensitive data with ‘free’ AI tools to get things done, but here’s the catch – nothing’s really free. That data gets used for training, tracking, and, even worse, creating detailed profiles for more targeted attacks. So, as we move forward, it’s crucial to keep our passwords long and strong, and tread carefully as we interact with AI tools,” Valancius added.

How to create long and strong passwords

  • When creating or updating passwords, make sure they are at least 8 characters long and contain some uppercase and lowercase letters, symbols, and numbers. Keep in mind that this is the bare minimum for your password. The longer it is, the better. Just be sure not to use your name or other personal information, like your date of birth, because that is exactly the type of correlation an AI or a hacker would be looking for. Anniversaries, names of family members, and pet names should be avoided as well.
  • Since long random passwords are very hard to remember, creating a passphrase might be a good workaround. For example, the well-known phrase from Star Wars, “May the Force be with you,” could make a pretty good passphrase: “M@Y7heF0rc3BwithY0(_)”.
  • Use different passwords for different accounts and never reuse them. If it gets overwhelming, consider using a password manager. It can help you create strong passwords and synchronize them across devices. That way, you’ll only need to remember one master password. 
  • Another option is switching to passkeys. They combine biometric verification with cryptographic keys, offering a safer and more convenient alternative to passwords. In other words, passkeys let you get rid of passwords entirely and use your face or a fingerprint to log in. 
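The checks in this list, together with the dictionary-attack description earlier, can be enforced when a password is set. The following is an added example, not NordPass code: it rejects passwords that are too short, lack a character class, reduce to a common password once substitutions like “p@ssw0rd” are undone, or contain personal details. The denylist, the substitution table, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample denylist; a real check would load a large list of
# common and breached passwords instead.
COMMON = {"123456", "qwerty", "password", "letmein", "dragon"}

# Substitutions of the "p@ssw0rd" kind, mapped back to letters (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "l",
                      "!": "i", "$": "s", "5": "s", "7": "t"})

CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(text):
    """Lower-case and undo simple character substitutions."""
    return text.lower().translate(LEET)


def screen_password(pw, personal=(), min_length=8):
    """Return the reasons to reject pw; an empty list means it passed."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("too_short")
    if not all(re.search(c, pw) for c in CLASSES):
        reasons.append("missing_character_class")

    lower = pw.lower()
    core = re.sub(r"[^a-z]+$", "", lower)  # drop a trailing "1!" or "2024"
    if {lower, core, normalize(lower), normalize(core)} & COMMON:
        reasons.append("dictionary_variant")

    # Compare normalized forms so "R3x" still matches the pet name "Rex".
    norm = normalize(pw)
    for item in personal:
        if len(item) >= 3 and normalize(item) in norm:
            reasons.append("contains_personal_info")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "Password1!", "R3x1990!Ab",
                      "M@Y7heF0rc3BwithY0(_)"):
        print(candidate, screen_password(candidate, personal=("Rex", "1990")))
```

Passing this screen only means the password avoided the listed weaknesses against the small sample list; it is not a strength score.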

ABOUT NORDPASS

NordPass is a password manager for both business and consumer clients. It’s powered by the latest technology for the utmost security. Developed with affordability, simplicity, and ease of use in mind, NordPass allows users to securely access their passwords on desktop, mobile, and browsers. All passwords are encrypted on the device, so only the user can access them. NordPass was created by the experts behind NordVPN – the advanced security and privacy app trusted by more than 14 million customers worldwide. For more information: nordpass.com.
