Ultimate Guide: How Generative AI Accelerates Identity Attacks Against Active...
Active Directory is still how most organizations manage user identities, making it a frequent focus during attacks. What’s changed isn’t the target, but how much faster and more effective these attacks have become.
Generative AI has made password attacks cheaper and more efficient, turning what once required specialized skills and significant computing power into something almost anyone can do.
Tools like PassGAN represent a new generation of password crackers that don't rely on static wordlists or brute-force randomness. Through adversarial training, the system learns patterns in how people actually create passwords and improves at predicting them with each iteration.
The results are sobering. Recent research found that PassGAN was able to crack 51% of common passwords in under a minute and 81% within a month. Even more concerning is how quickly these models are evolving.
When trained on organization-specific breach data, social media content, or publicly available company websites, they can generate highly targeted password candidates that reflect actual employee behavior.
Traditional password attacks followed predictable patterns. Attackers used dictionary wordlists, then applied rule-based mutations (e.g., swapping "a" for "@", adding "123" to the end), and hoped for matches. It was a resource-intensive and relatively slow process.
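As an added example (not from the original article), here is a defender-side screening check that reverses the mutations described above, character substitutions and appended digits, before comparing a proposed password against a blocklist of predictable and organization-specific base words. The blocklist entries, the `MIN_EXTRA_CHARS` threshold, and the function names are assumptions made for illustration.

```python
# Constructed blocklist: terms a guessing model could learn from breach data
# or a company website (assumed values, not from the article).
BLOCKED_BASE_WORDS = ("password", "welcome", "summer", "contoso")
# Assumed threshold: unrelated characters required around a blocked base word.
MIN_EXTRA_CHARS = 8

_COMMON = {"@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s", "7": "t"}
# "1" and "!" are ambiguous (i or l), so both readings are tried.
_TABLES = [str.maketrans({**_COMMON, "1": r, "!": r}) for r in ("i", "l")]


def find_base_word(candidate):
    """Return the blocked base word hidden in candidate, or None."""
    lowered = candidate.lower()
    for table in _TABLES:
        plain = lowered.translate(table)  # undo character substitutions
        for word in BLOCKED_BASE_WORDS:
            if word in plain:  # substring match ignores appended digits
                return word
    return None


def screen_password(candidate):
    """Return (accepted, reason) for a proposed password."""
    word = find_base_word(candidate)
    if word is None:
        return True, "no blocked base word found"
    extra = len(candidate) - len(word)
    if extra < MIN_EXTRA_CHARS:
        return False, f"mutation of blocked word '{word}'"
    return True, f"contains '{word}' but has {extra} other characters"


if __name__ == "__main__":
    # Constructed sample passwords for demonstration.
    for pw in ("P@ssw0rd123", "Summer2024!", "We1come!", "C0nt0s0!",
               "summer-evening-walks-by-river", "tq9#Lm2vXe"):
        print(pw, screen_password(pw))
```

Passing this check says nothing about whether a password already appears in breach data; it only catches the mutation patterns named in the paragraph above.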
The AI boom has created an unintended consequence: wider availability of powerful consumer hardware well suited for password cracking. Organizations that train machine learning models often rent out GPU clusters during downtime.
Now, for approximately $5 per hour, an attacker can rent eight RTX 5090 GPUs that crack bcrypt hashes roughly 65% faster than previous-generation cards.
Even with strong hashing algorithms and high cost factors, the available computational power allows attackers to test far more password candidates than was feasible just two years ago.
When combined with AI models that generate more effective guesses, the time required to crack weak-to-moderate passwords has decreased.
Source: BleepingComputer