AI Can Now Crack Hashed Passwords — And Every Platform Is at Risk

You’ve probably seen the headlines over the past few years. Another breach. A hundred million accounts exposed. More companies telling you to change your password. And for a long time, security experts had a somewhat reassuring answer to all of it: “Don’t worry too much, the passwords were hashed.” AI-assisted password cracking is changing that.

That reassurance is starting to fall apart.

A new AI system has reportedly been trained specifically to crack password hashes, and it does it fast. If that doesn’t sound alarming yet, let me explain why it should.


What “hashed” actually means — and why we’ve relied on it

When you create a password on pretty much any legitimate website, that site doesn’t store your actual password. Instead, it runs your password through a hashing algorithm, a mathematical function that converts your password into a fixed-length string of characters. With MD5, for example, the word “password” becomes 5f4dcc3b5aa765d61d8327deb882cf99.

The important thing about a hash is that it’s supposed to be a one-way street. You can go from password to hash easily, but going backwards, from hash to password, should be computationally infeasible. In practice nobody “reverses” a hash: an attacker guesses candidate passwords, hashes each one, and checks whether the result matches. The hash only protects you for as long as your password isn’t among the guesses the attacker can afford to test. That’s why when companies get breached and hashed passwords leak, the standard advice has been “change your passwords, but you’re probably okay for now.”

The keyword there is now.


The “not usable yet” problem

Security researchers have warned for years that stolen hashed passwords represent a delayed threat. Even if an attacker can’t crack a hash today, they can store it and wait. As computing power grows and cracking techniques improve, passwords that were safe to store in a breach five years ago may not stay that way.

AI has just made that timeline collapse dramatically.

The system being discussed here was trained on massive datasets, in all likelihood including the very breach data that’s been floating around the internet for years. By learning the patterns in billions of real-world passwords, it can generate the candidates people actually choose, ranked by likelihood, far more efficiently than traditional brute-force or dictionary methods. Each candidate is then hashed and compared against the leaked hashes; a better guesser means far fewer hashes have to be computed before a match turns up.

This isn’t theoretical. This is reported as a working system that has demonstrated it can recover passwords from leaked hashes successfully and quickly.


Why this threatens every platform you use

Here’s the uncomfortable reality: virtually every website, app, and online service that stores user credentials relies on hashing. It doesn’t matter if it’s a bank, a social media platform, a healthcare portal, or a gaming site. The underlying approach is largely the same across the industry.

That means the attack surface here isn’t one company or one database. It’s essentially the entire internet’s approach to storing passwords.

All of those breaches from the past decade — the ones where companies said “passwords were hashed, so don’t panic” — suddenly look a lot more dangerous. Those hashed passwords that have been sitting in attacker databases, waiting? They may now be crackable.


What the government’s involvement tells us

Reports indicate this AI project had government backing. That detail is worth sitting with for a moment, because it cuts both ways.

On one hand, it suggests this was likely developed for legitimate purposes — intelligence, law enforcement, national security research. The people behind it weren’t trying to drain bank accounts.

On the other hand, the government has a very serious problem now. Their own systems — and every government agency’s systems — use the same hashing methods that this AI can reportedly undermine. You don’t get to build a tool that breaks password security and then opt out of the consequences of that tool existing. Once the knowledge and methodology are out there, someone else will build their own version. Possibly already has.

The history of offensive security tooling is littered with weapons that escaped their creators’ control, and there is no reason to expect this one to be different.


The industry needs a real answer — and it’s going to be uncomfortable

So what do we do? A few ideas are floating around, and none of them are simple.

The most obvious near-term fix is for companies to stop using fast, unsalted hashing algorithms such as MD5 or SHA-1. A model that produces good guesses doesn’t care which hash function sits behind them; what it exploits is that each guess can be tested in a fraction of a microsecond and, without a salt, against every account in the table at once. Swapping in a proprietary or custom hashing method buys little: the server code that implements it leaks or gets reverse-engineered, and secret algorithms have a long record of being weaker than public ones. What does help is re-hashing stored credentials with a stronger scheme, either by wrapping the old hash in the new one immediately or by upgrading each record the next time the user logs in, so that every guess becomes expensive to test.

But that’s only a first step. Hardware gets faster and guessers get better, so the work factor that makes a hash slow has to be raised over time, and the window between “this many guesses is unaffordable” and “this many guesses is cheap” keeps shrinking.

The longer-term idea that’s getting serious attention is to make every user’s hash unique to that user. The standard form of this already exists: a random salt per user, stored next to the hash, means two people with the same password get different hashes, and an attacker who compromises a database has to run every guess separately against every account instead of hashing it once and checking the whole table. Varying the algorithm itself per user adds little on top of that, because the record has to identify which algorithm was used and the attacker reads that along with the hash. A server-side secret key (a pepper) that is kept out of the database and mixed into every hash goes further: without it, a stolen table can’t be tested against at all.

Salting is cheap and already standard; the real cost is in migrating legacy tables to a slow, salted scheme and raising the work factor over time. It means more CPU per login, more storage, more engineering overhead, and it’s not something that gets rolled out in a quarter. But it is the approach that holds up against AI-assisted guessing at scale, because a better guesser still has to pay for every guess it tests.


What this means for you right now

Individual users: this is yet another reason why password reuse is genuinely dangerous. If a site you used five years ago got breached and your hashed password is sitting in a database somewhere, AI may be able to crack it now. If you reused that password elsewhere, those accounts are at risk. Use a password manager, use unique passwords everywhere, and enable two-factor authentication wherever it’s offered.

If you’re a company or developer responsible for authentication: it’s time to take a hard look at your hashing implementation. Are you using a modern, slow password hash like Argon2id, scrypt, or bcrypt, with a work factor you’ve actually measured? Does every record carry its own random salt? Do you upgrade legacy MD5 or SHA-1 hashes on the user’s next login? Do you have a plan if your user credential database is ever exposed? These aren’t hypothetical questions anymore.
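As an added worked example, not code from the article or from the system it describes, the script below makes the mechanics concrete: cracking is guess-and-compare, an unsalted fast hash lets one guess test every account at once, and a per-user salt plus a slow key derivation function forces the attacker to pay for every guess on every account. The user table, passwords and candidate list are constructed for the demo; PBKDF2-HMAC-SHA256 from the standard library stands in for Argon2id or bcrypt, and the iteration counts are illustrative rather than a production tuning.

```python
"""
Added example (not from the article). Demonstrates:
  1. cracking a hash is guess-and-compare, not inversion;
  2. against unsalted MD5 one guess tests every account at once;
  3. a random per-user salt plus a slow KDF (PBKDF2 here, standing in for
     Argon2id/bcrypt) makes each guess cost the full KDF for each account.
All users, passwords and candidates below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time

# Constructed "breached" table in the weak scheme: unsalted MD5.
WEAK_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password"), as in the article
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # reused the same password as alice
    "dave":  hashlib.md5(b"c0rrect-h0rse-battery-st4ple").hexdigest(),
}
PLAINTEXTS = {"alice": "password", "bob": "letmein",
              "carol": "password", "dave": "c0rrect-h0rse-battery-st4ple"}

# Stand-in for a model's ranked guesses. A real generator emits millions of
# candidates; the attack loops below are identical, only longer.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "dragon", "Password1"]


def crack_unsalted(hashes, candidates):
    """Hash each guess once and look it up against the whole table.
    Cost: one MD5 per guess no matter how many accounts there are, and
    everyone who shares a password falls together."""
    by_digest = {}
    for user, digest in hashes.items():
        by_digest.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates:
        digest = hashlib.md5(guess.encode()).hexdigest()
        for user in by_digest.get(digest, []):
            cracked[user] = guess
    return cracked


def store_password(password, iterations=200_000):
    """Hardened record: 16-byte random salt, slow KDF, self-describing format."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_salted_store(plaintexts, iterations):
    """Hash a constructed user table with the hardened scheme."""
    return {user: store_password(pw, iterations) for user, pw in plaintexts.items()}


def crack_salted(records, candidates):
    """No shared lookup is possible: every guess is re-derived per user at the
    full KDF cost. Weak passwords still fall; they just cost
    users x guesses x iterations instead of one hash per guess."""
    cracked = {}
    for user, record in records.items():
        for guess in candidates:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked


def cost_ratio(iterations=20_000):
    """Wall-clock cost of running CANDIDATES against the salted/slow store
    divided by the cost against the unsalted MD5 store. Expect far above 1."""
    salted = build_salted_store(PLAINTEXTS, iterations)
    t0 = time.perf_counter()
    crack_unsalted(WEAK_USERS, CANDIDATES)
    t1 = time.perf_counter()
    crack_salted(salted, CANDIDATES)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(WEAK_USERS, CANDIDATES))
    salted = build_salted_store(PLAINTEXTS, 20_000)
    print("alice/carol records differ:", salted["alice"] != salted["carol"])
    print("salted/slow cracked:", crack_salted(salted, CANDIDATES))
    print(f"cost ratio salted vs unsalted: {cost_ratio():.0f}x")
```

Run it directly to see the cracked accounts and the cost ratio. Note that the salted store still gives up alice, bob and carol to the same six guesses: a slow salted hash raises the price of every guess, it does not rescue a password that is on the guesser’s list, which is why the user-side advice about unique passwords still stands.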


The bigger picture: we need a new approach to stored credentials

At the end of the day, this story is a signal that the security industry is going to have to reckon with something it has avoided for years: the way much of the internet still stores passwords is not good enough.

Hashing was always a best practice, not a guarantee. AI has just moved the goalpost on what “best practice” means. The companies and developers who adapt quickly, adopting slow salted algorithms, upgrading legacy hashes, and planning for a future where fast unsalted hashes are routinely cracked, are the ones who will actually keep their users safe.

The ones who don’t are sitting on a ticking clock. They just don’t know when it goes off.

