Hackers Can Use AI to Guess Your Passwords—Here’s How to Protect Your Data

Learn how to keep your personal information safe from AI password cracking

Artificial intelligence (AI) has been making our lives easier in many areas, from automating tasks to extracting information from big data files. However, not everything AI does is in our best interest. AI-assisted password cracking is also on the rise, because artificial intelligence can crack passwords in seconds.

“In recent years, there has been a significant surge in the development of artificial intelligence, enabling the creation of tools that automate tasks related to prediction, generation, analysis and retrieval,” says Ameer Al-Nemrat, PhD, an expert in information security and computer forensics at the University of East London. “Disturbingly, offensive applications of AI include intelligent password guessing techniques designed to evade detection.”

After running more than 15.6 million common passwords through PassGAN, an AI password cracker, a recent Home Security Heroes report found that the software could crack any seven-digit password in less than six minutes, even if it contains symbols, numbers and lower- and uppercase letters. Additionally, the AI cracked 51% of these common passwords within a minute, 65% within an hour, 71% within a day and 81% within a month. After seeing these worrying results, you’ll undoubtedly take online security more seriously. Examine your password list, identify any weak passwords and replace them with strong ones that are long and complex. Read on to learn how to protect yourself from AI password cracking.

Can AI be used to crack passwords?

Most definitely. Conventional hackers rely on manual effort, common tools and expert knowledge to achieve their objectives. Those with AI capabilities, by contrast, can use them to automate tasks, enhance tools and avoid detection, according to Al-Nemrat.

“The use of AI empowers adversaries to expedite the attainment of their goals,” he says. “For instance, machine learning can assist in extracting credentials, intelligently selecting the most suitable target, monitoring users for information-gathering purposes or identifying previously unknown vulnerabilities in software.”

According to the report mentioned above, the time AI needs to crack a password depends on the password's length and complexity. Rahul Mahna, managing director at EisnerAmper’s Outsourced IT Services team, says that many people use passphrases, which are longer and more complex passwords, but even those can be hacked. “The concern now is if a person’s passphrase can be determined by machine learning from their social media and other postings, then that phrase can become compromised,” he warns.

How can hackers use AI to crack passwords?

AI can help hackers expand their operations through automation, reducing the reliance on human labor, thus enhancing the likelihood of success, Al-Nemrat notes. He says the following AI methods can support their endeavors:

Automate the creation and execution of spear phishing attacks

Spear phishing is a type of phishing that includes information known to be of interest to the target, like current events or financial information. Hackers target people with fraudulent text messages, emails, phone calls, invoices and more to get hold of sensitive personal data.

Analyze and derive insights from data gathered through OSINT (Open Source Intelligence)

OSINT collects publicly available data from search engines, social media, professional social networks, published articles and academic papers, government reports, the dark web and more. “Machine learning can skim pictures found on a potential user’s social media to see recurrence of text such as a dog’s name tag,” explains Mahna. “This can be coupled with the ability to listen to a user’s voice in postings and hear the emphasis on certain words being said. Then, intelligently inferring the users’ proclivity toward a password or phrase.”

Carry out simultaneous attacks on multiple organizations

“In essence, AI empowers adversaries to target a larger number of organizations with more precise and targeted attacks, all with a reduced workforce,” Al-Nemrat summarizes. This allows for deeper penetration into a network by targeting a greater number of assets.

How can you protect your passwords from these hackers?


Mahna believes that risk is mitigated by diversity, a principle common in many disciplines, including password protection. He suggests the following methods to help you protect yourself against hackers.

Unique passwords everywhere

Mahna emphasizes having different passwords for each website, device or service. Don’t worry about remembering all these passwords, since password managers can not only store your passwords but can also generate unique combinations for you.

Long passwords

Using long passwords that include numbers, lower- and uppercase letters and symbols—and are not easily understood or inferred—will enhance the protection element.
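An added example, not from the article or its sources: a small audit that applies the checks described above to a password list (reuse across accounts, length, character classes) and also flags passwords built from terms visible in public posts. The 12-character minimum, the substitution table and the sample vault are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_LENGTH = 12  # assumed threshold; the article only says "long"
ALL_CLASSES = {"lower", "upper", "digit", "symbol"}
# Undo common character substitutions before searching for personal terms.
LEET = str.maketrans("0134578@$!", "oieastbasi")

def char_classes(pw):
    """Return the character classes present in a password."""
    tests = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit,
             "symbol": lambda c: not c.isalnum()}
    return {name for name, test in tests.items() if any(test(c) for c in pw)}

def audit(vault, personal_terms):
    """Map each account in {account: password} to a list of findings."""
    accounts_by_pw = defaultdict(list)
    for account, pw in vault.items():
        accounts_by_pw[pw].append(account)
    report = {}
    for account, pw in vault.items():
        issues = []
        shared = sorted(a for a in accounts_by_pw[pw] if a != account)
        if shared:
            issues.append("reused on " + ", ".join(shared))
        if len(pw) < MIN_LENGTH:
            issues.append(f"shorter than {MIN_LENGTH} characters")
        missing = sorted(ALL_CLASSES - char_classes(pw))
        if missing:
            issues.append("missing " + ", ".join(missing))
        # Check both the raw lowercase form and the de-substituted form.
        plain, unleet = pw.lower(), pw.lower().translate(LEET)
        hits = [t for t in personal_terms
                if t.lower() in plain or t.lower() in unleet]
        if hits:
            issues.append("contains public personal term: " + ", ".join(hits))
        report[account] = issues
    return report

# Constructed sample data: a pet's name and a year that appear in public posts.
TERMS = ["Bella", "2015"]
VAULT = {"email": "Bella2015!", "shop": "Bella2015!",
         "bank": "b3ll4-Rocks-The-Park", "forum": "correcthorsebatterystaple",
         "work": "vT9#qLm2&Zr7pXw4"}

if __name__ == "__main__":
    for account, issues in audit(VAULT, TERMS).items():
        print(f"{account}: {'; '.join(issues) or 'ok'}")
```

The "bank" entry passes the length and character-class checks yet is still flagged, because swapping letters for look-alike digits does not hide a name that can be read off a social media post.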

Personal privacy

Posting too much information online—like on Facebook or Instagram—about your life is not a good idea if you’re concerned about security. It can provide information about your whereabouts, assets and family.

“Recent examples showed how a person posted they went on vacation, and their house was broken into because of their stated absence,” Mahna says. “Using this as a reality, AI will learn at a much quicker rate of such occurrences and be able to better time an intrusion, and possibly discover passwords or gaps and attempt logins during a vulnerable period—even potentially disabling security measures like multi-factor authentication.”

What to do if you think you’ve been hacked

If you assume you’ve been hacked, first you should disconnect from the internet (if possible) before taking further steps, such as scanning for malware or viruses, changing passwords and activating or enabling two-factor authentication (2FA), Al-Nemrat recommends.

Additionally, Mahna says that the best way to handle an attack is to prepare in advance, like changing your passwords frequently. Here are more things you can do if you suspect you’ve been hacked:

Monitor your credit

Assuming the worst-case scenario, Mahna suggests exploring credit monitoring services to help limit the damage after a hacking event occurs. These services alert you if any changes are made to your credit reports or if your credit score changes, so you can keep an eye out for fraudulent transactions.

Create new accounts

If possible, rather than changing your password after you’ve been hacked, start fresh and create a new account. “It’s not a fun process, but often a new account will have increased security mandates and make the experience of that service far more compelling,” he concludes.


  • Ameer Al-Nemrat, PhD, expert in information security and computer forensics at the University of East London
  • Rahul Mahna, managing director of EisnerAmper’s Outsourced IT Services team
  • Home Security Heroes: AI password cracking report

Kitti Palmai
Kitti Palmai is a UK-based freelance journalist covering business, technology, health and fitness. Her work has appeared in BBC, Business Insider, Insider, VICE, Stylist Magazine, Evening Standard, The Local Europe, Language Magazine and other publications.