Mr Elite

Posted on • Originally published at securityelites.com

AI Password Cracking 2026 — How Machine Learning Breaks Credentials Faster


The 2023 Home Security Heroes study ran PassGAN against a database of 15.6 million passwords. The results: 51% cracked in under a minute. 65% cracked in under an hour. 81% cracked within a month. PassGAN isn’t a traditional dictionary attack — it’s a generative adversarial network trained on real leaked passwords that generates novel guesses matching the statistical distribution of how humans actually choose passwords.

Those numbers don’t mean 81% of all passwords are crackable. They mean 81% of the passwords in that particular dataset — which represent how real users choose passwords — were crackable. The passwords that weren’t cracked were the randomly generated ones, the long ones, and the ones protected by slow hashing algorithms that limited the guess rate. The ones that were cracked were the human-pattern ones: words with substitutions, words followed by numbers, names plus dates.

AI password cracking is improving. But the defences have been available for decades — and they still work.

## 🎯 After This Tutorial

- How PassGAN uses generative adversarial networks to produce human-pattern password guesses
- OMEN+ and Markov model cracking — ordered probabilistic guessing vs dictionary attacks
- Targeted AI cracking — how personal data dramatically improves success rates against self-chosen passwords
- What defences work — slow hashing, MFA, random generation, and HIBP integration
- Practical password security assessment — testing whether your policy is AI-crack-resistant

⏱️ 18 min read · 3 exercises

### 📋 AI Password Cracking – Contents

1. PassGAN — Generative Password Cracking
2. OMEN+ and Probabilistic Cracking
3. Targeted AI Cracking — Personal Data as Attack Surface
4. Defences That Work Against AI Cracking
5. Password Security Assessment Methodology

## PassGAN — Generative Password Cracking

PassGAN is the model I benchmark first when evaluating AI password cracking capability — the GAN approach produces qualitatively different output from rule-based generators. My defence recommendations against AI password cracking focus on increasing attacker cost rather than preventing attacks entirely.

PassGAN applies Generative Adversarial Networks to password cracking. A GAN consists of two competing neural networks: a generator that produces candidates and a discriminator that evaluates whether they look realistic. Trained on a large dataset of real leaked passwords, the PassGAN generator learns the statistical properties of human password choice — which character combinations occur together, what transformations people apply to base words, how length is distributed across real passwords. The output is a generative model that produces novel password guesses matching how humans actually create passwords, not just how attackers traditionally guess them.

The practical improvement over rule-based cracking: traditional hashcat rules encode known human patterns explicitly (capitalise first letter, append number, leet speak substitution). PassGAN learns patterns implicit in the training data that no human thought to encode as a rule — unusual character combinations, regional password patterns, emerging trends in how people chose passwords in specific breach datasets. For shorter, human-chosen passwords, PassGAN's coverage exceeds rule-based attacks. For longer or randomly generated passwords it offers no advantage, because randomly generated passwords have no statistical patterns to learn.

Password cracking — AI vs traditional comparison

```bash
# Traditional dictionary + rules attack (hashcat)
hashcat -a 0 -m 0 hashes.txt wordlist.txt -r rules/best64.rule
# Generates: password → P@ssword, p4ssword, Password1, PASSWORD, etc.
# Limited to explicit rule patterns coded by humans

# PassGAN approach (after model training on breach corpus)
python passgan.py --generate 1000000 --output guesses.txt
# Generates: statistically realistic passwords matching human choice patterns
# Includes patterns no explicit rule would generate

# Why it doesn't help against slow hashing
# MD5:    ~10B guesses/sec on consumer GPU → AI optimisation matters
# bcrypt: ~5K guesses/sec on consumer GPU  → AI optimisation marginal
# Argon2: ~1K guesses/sec on consumer GPU  → AI optimisation irrelevant

# The real takeaway: fix the hash algorithm first, then worry about AI guessing
```
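The guess-rate figures above are the whole defence argument, so here is an added example (my own code, not the article's or any project's) that lets you measure the same effect on your own machine using only the Python standard library. scrypt stands in for the bcrypt and Argon2 rows because `hashlib` ships it without third-party packages; the scrypt work parameters are assumed demo values, and `md5_digest`, `hash_password`, `verify_password` and `compare_cost` are names I chose. It also shows the storage side of the defence: a random per-user salt and a constant-time verify.

```python
"""Measure how many candidate checks per second a defender's hash choice allows.
Added example, not from the article. scrypt is used as the slow hash because the
standard library ships it; bcrypt/Argon2 would show the same shape of result."""
import hashlib
import hmac
import os
import time

# Assumed demo work parameters (128 * r * N = 16 MiB of memory per hash).
# In production, tune so one hash costs roughly 100 ms on your verifier.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_digest(password: bytes, salt: bytes) -> bytes:
    """The fast hash an attacker hopes to find: one MD5 per guess."""
    return hashlib.md5(salt + password).digest()


def scrypt_digest(password: bytes, salt: bytes) -> bytes:
    """Memory-hard KDF: each guess costs the attacker the same work it costs you."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def hash_password(password: str):
    """Return (salt, digest) for storage; the salt is random per user."""
    salt = os.urandom(16)
    return salt, scrypt_digest(password.encode(), salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak partial matches."""
    return hmac.compare_digest(scrypt_digest(password.encode(), salt), stored)


def guesses_per_second(digest_fn, iterations: int) -> float:
    """Time `iterations` candidate checks against one salt and return the rate."""
    salt = b"constructed-salt"                  # constructed, fixed for the benchmark
    start = time.perf_counter()
    for i in range(iterations):
        digest_fn(f"guess{i}".encode(), salt)
    return iterations / (time.perf_counter() - start)


def seconds_to_exhaust(candidate_count: int, rate: float) -> float:
    """Wall-clock seconds to try `candidate_count` model-ranked guesses at `rate`."""
    return candidate_count / rate


def compare_cost(candidate_count: int = 1_000_000) -> dict:
    """Guess rates and time-to-try for a fixed candidate budget, MD5 vs scrypt."""
    md5_rate = guesses_per_second(md5_digest, 200_000)
    scrypt_rate = guesses_per_second(scrypt_digest, 5)
    return {
        "md5_rate": md5_rate,
        "scrypt_rate": scrypt_rate,
        "md5_seconds": seconds_to_exhaust(candidate_count, md5_rate),
        "scrypt_seconds": seconds_to_exhaust(candidate_count, scrypt_rate),
    }


if __name__ == "__main__":
    r = compare_cost()
    print(f"MD5:    {r['md5_rate']:>12,.0f} guesses/s -> 1M guesses in {r['md5_seconds']:.2f} s")
    print(f"scrypt: {r['scrypt_rate']:>12,.0f} guesses/s -> 1M guesses in {r['scrypt_seconds'] / 3600:.1f} h")
```

The single-core CPU numbers will be far below the article's GPU figures, but the ratio between the two rates is what matters: that ratio is the factor by which a slow hash shrinks the number of model-ranked guesses an attacker can afford in the same time, regardless of how well the guesses are ordered.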

## OMEN+ and Probabilistic Cracking

OMEN+ is the probabilistic cracker I use most often in authorised password audits — it outperforms hashcat rules on complex datasets. OMEN (Ordered Markov ENumerator) and its neural-network-enhanced variant OMEN+ use probabilistic models trained on password datasets to order guesses by likelihood — testing the most probable passwords first within a given compute budget. Traditional dictionary attacks test guesses in wordlist order. Rule-based attacks test transformed dictionary words in rule order. OMEN+ tests passwords in order of their statistical probability given the target character sequence, using Markov chain analysis of real password datasets to determine that probability.

The practical improvement is efficiency at constrained compute budgets: OMEN+ finds more passwords per hour than rule-based hashcat attacks against human-chosen password sets because it’s testing in probability order rather than rule-coverage order. For penetration testing and password auditing, this means OMEN+ can identify a higher proportion of weak passwords in a fixed-time assessment window — which produces a more accurate picture of password policy effectiveness against real-world attack efficiency.
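To make "testing in probability order" concrete, here is an added example (my own code, not the article's and not the OMEN project's) that reduces the idea to a character-level trigram Markov model with Laplace smoothing. The training corpus is constructed and tiny, so the bit counts illustrate the ordering, not real-world guess numbers; `MarkovPasswordModel`, `rank_by_likelihood`, `flag_human_pattern` and the 40-bit threshold are all my assumptions. The defender's use is the audit described above: score the passwords a policy lets through and see which ones a probability-ordered cracker would reach first.

```python
"""OMEN-style probability ordering, reduced to a character-level trigram model.
Added example, not code from the article or the OMEN project. The corpus is
constructed and tiny; real models train on millions of leaked passwords."""
import math
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
START, END = "\x02", "\x03"        # sentinels outside ALPHABET

# Constructed stand-in for a leaked-password corpus: human-chosen patterns only.
TRAINING_CORPUS = [
    "password", "password1", "soccer99", "soccer12", "letmein", "iloveyou",
    "football1", "sunshine", "princess", "qwerty123", "monkey12", "dragon99",
    "baseball", "michael1", "jennifer", "welcome1", "master99", "shadow12",
    "abc123", "trustno1", "summer2020", "hello123", "charlie1", "jordan23",
]


class MarkovPasswordModel:
    """P(password) = product over positions of P(char | previous `order` chars)."""

    def __init__(self, order: int = 2, alpha: float = 0.01):
        self.order = order
        self.alpha = alpha                      # Laplace smoothing weight
        self.vocab = len(ALPHABET) + 1          # printable chars plus END
        self.counts = {}                        # ctx -> {char: count}
        self.totals = {}                        # ctx -> total observations

    def _events(self, password: str):
        seq = START * self.order + password + END
        for i in range(self.order, len(seq)):
            yield seq[i - self.order:i], seq[i]

    def train(self, corpus):
        for pw in corpus:
            for ctx, ch in self._events(pw):
                row = self.counts.setdefault(ctx, {})
                row[ch] = row.get(ch, 0) + 1
                self.totals[ctx] = self.totals.get(ctx, 0) + 1

    def log_prob(self, password: str) -> float:
        """Natural-log probability of the whole string, including the END event."""
        total = 0.0
        for ctx, ch in self._events(password):
            seen = self.counts.get(ctx, {}).get(ch, 0)
            num = seen + self.alpha
            den = self.totals.get(ctx, 0) + self.alpha * self.vocab
            total += math.log(num / den)
        return total

    def surprisal_bits(self, password: str) -> float:
        """-log2 P(password): fewer bits means probability-ordered guessing reaches it sooner."""
        return -self.log_prob(password) / math.log(2)


def rank_by_likelihood(model: MarkovPasswordModel, candidates):
    """Order candidates the way an OMEN-style enumerator would try them: most probable first."""
    return sorted(candidates, key=model.log_prob, reverse=True)


def flag_human_pattern(model: MarkovPasswordModel, password: str, max_bits: float = 40.0) -> bool:
    """Policy check: True when the model finds the password about as predictable as corpus entries.
    The 40-bit threshold is an assumed demo value, not a published recommendation."""
    return model.surprisal_bits(password) < max_bits


if __name__ == "__main__":
    model = MarkovPasswordModel()
    model.train(TRAINING_CORPUS)
    audit = ["Xk7#pQ2m", "soccer99", "Summer2021", "password1"]
    for pw in rank_by_likelihood(model, audit):
        print(f"{pw:12} {model.surprisal_bits(pw):6.1f} bits  "
              f"human-pattern={flag_human_pattern(model, pw)}")
```

Running this ranks the corpus-style passwords ahead of the random one by a wide margin even though all of them satisfy a typical "8+ characters, mixed classes" rule, which is the point of the audit: complexity rules do not change a password's position in a probability-ordered guess list, while random generation does.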


### AI Cracking Effectiveness vs Password Type

| Password Type | Length | vs MD5 | vs bcrypt (work factor 12) |
|---|---|---|---|
| Word + number (soccer99) | 8 chars | Seconds | Hours — AI improves speed vs rules |
| Leet speak (P@ssw0rd!) | 9 chars | Minutes | Days — AI covers patterns rules miss |



This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →


This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
