New analysis reveals that password cracking becomes 20 to 25% faster every year, according to cybersecurity firm Hive Systems.

Its annual report, the 2026 Password Table, confirms a three-year trend: the time it takes to crack a password keeps falling.

Measured on the same hashing standard across all three years, the time to brute-force a randomly generated eight-character password using the full mix of characters has fallen from 225 years in 2024 to 164 in 2025 to 132 in 2026 – a drop of roughly 20 to 25% annually.

Simpler passwords fare far worse: an eight-character password of only lowercase letters, which took three weeks to crack last year, now falls in two.

AI isn’t to blame

In Hive Systems’ testing, the specialized AI accelerators built to train models like today’s chatbots – hardware that costs many times more than a consumer gaming card – were no better, and in most cases worse, at cracking passwords.

Password cracking is a brute-force numbers problem, and the chips designed for AI hold no advantage at it, the cybersecurity company said.

So where does AI come in? In two places.

First, AI has made it far easier to assemble the kind of powerful, multi-machine cracking setups that once demanded real expertise, lowering the barrier for attackers to build a serious rig.

Second, AI models are more capable at the hacking that surrounds passwords: recent systems can find and exploit software vulnerabilities with little human help, giving attackers faster paths to the password databases in the first place.

“The instinct is to assume AI is what’s cracking passwords faster, but that’s not where the real danger is,” said Alex Nette, CEO of Hive Systems. “AI hasn’t sped up the raw cracking – an at home gaming card still beats a data-center AI chip. What AI has done is make powerful cracking setups easy to build, and it’s become dangerously good at finding the weaknesses that let hackers get to your passwords in the first place. Quantum computing is the next shift, and it’s coming for the encryption that protects data everywhere. The time to prepare is now.”

A Password’s Shelf Life Keeps Shrinking

The Hive Systems Password Table shows how quickly passwords of different lengths and complexity can be brute-forced by an attacker using modern hardware.

This year’s model is based on a rented cloud fleet of 16 high-end consumer GPUs – the kind of setup a motivated attacker can assemble today – run against bcrypt, the password protection most commonly found in real-world breaches.

As in prior years, short, simple passwords that once felt safe now fall in weeks or days, and that window narrows as hardware gets cheaper and easier to rent.

Length remains the single best defense, since every character added multiplies the time required far more than swapping in a symbol or two.

Quantum Computing Is the Next Shift

Beyond today’s hardware, quantum computing is a longer-term change to how data stays secure, Hive stated.

Its greatest threat is to the encryption that secures data in transit and at rest – the protections behind secure websites, VPNs, and stored records – not to hashed passwords.

Adversaries are already acting on it, harvesting encrypted data now in order to decrypt it later once the technology matures, a strategy known as “harvest now, decrypt later.”

The 2026 Hive Systems Password Table version is available now, updated with the latest data and analysis: https://www.hivesystems.com/password