
Why Our Long Passwords Are Failing Us, and Why It Is Our Own Fault

In a time when security breaches are now becoming the weekly norm on the news headlines, we need to consider why this is happening more frequently and look to ways to stop it.

What I hate to tell you is, technically, it’s our own fault.

For years we’ve been told the same thing - the longer your password, the safer you are.

We humans are creatures of habit and therefore do not pick our passwords randomly. We choose things that are easy to remember, like names, dates or familiar phrases. Hackers know this and use it to their advantage. Approximately 78% of people use the same password across multiple accounts for ease of access (Security Magazine, 2024).

The statistics do not lie: according to Mimecast, human error contributed to approximately 95% of data breaches in 2024 (Goodchild, 2025).

Hackers are upping their methodologies by using our own human nature and pattern making against us, and AI is helping them.

Hackers Are Smarter Than You Think

Thanks to historical data breaches and the easily accessible information on the dark web, attackers have huge lists of real passwords to work from. They use a “dictionary attack”, trying lists of passwords that have already been leaked in past data breaches. If your password (or something close to it) is on one of those lists, it doesn’t matter how long it is: it can still be guessed.

Think you’re being clever changing your password from “Password” to “Pa$5w0rD”? Sadly, this has also become a weak form of password management. Hackers understand these mangling habits, and their tools automatically swap the basic characters for the usual alternatives. LeetSpeak, as it is known, may satisfy a site’s complexity requirements, but it is easily cracked (Li, Zeng, 2021).
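To show concretely why that kind of mangling buys nothing, here is an added Python example (not code from the original post): a defender-side checker that undoes the common leetspeak substitutions before comparing a password against a leaked-password list, alongside the kind of random generation a password manager does. The leaked list is a small constructed sample; a real deployment would check against a full breach corpus.

```python
import math
import secrets
import string

# Constructed sample of leaked passwords; a real check uses a full breach corpus.
LEAKED_PASSWORDS = {"password", "password1", "qwerty", "letmein",
                    "welcome", "summer", "dragon"}

# Substitutions that cracking rule sets reverse automatically ("leetspeak").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})


def normalize(password: str) -> str:
    """Undo leetspeak and case so 'Pa$5w0rD' collapses back to 'password'."""
    return password.translate(LEET_MAP).lower()


def strip_decoration(password: str) -> str:
    """Drop trailing digits/symbols, e.g. 'Summer2024!' -> 'Summer'."""
    return password.rstrip(string.digits + string.punctuation)


def is_weak(password: str) -> bool:
    """True if the password is a leaked one once common mangling is undone."""
    candidates = {normalize(password), normalize(strip_decoration(password))}
    return bool(candidates & LEAKED_PASSWORDS)


def random_password(length: int = 20) -> str:
    """Generate a uniformly random password the way a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["Pa$5w0rD", "P@ssw0rd2024!", "Summer2024", random_password()]:
        print(f"{pw!r}: {'WEAK' if is_weak(pw) else 'not in leaked list'}")
    print(f"20 random chars from 94 symbols: {entropy_bits(20, 94):.0f} bits")
```

A mangled dictionary word still scores as weak, while a 20-character random password carries roughly 131 bits of entropy, which is what makes it resistant to the pattern-based guessing the post describes.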

The Rise of AI-Powered Password Cracking

Even though AI has no cognitive thinking, emotions or self-awareness, and therefore cannot truly understand human nature, it is very good at pattern recognition, probability and educated guesswork. It can analyse millions of leaked passwords on behalf of a hacker, quickly learn the patterns in them, and then generate new, realistic guesses. In all honesty, it’s like giving a hacker a superpower. Tools like PassGAN are getting smarter, and therefore scarier.

As this kind of technology improves, with more powerful computers and bigger datasets, attackers could build a tool that cracks passwords far more effectively than anything we’ve seen before.

The Real Danger: Personalized Attacks

Here’s where things get really concerning: most of us have a ton of personal information online. Our names, birthdays, interests, workplaces and more are already out there.

We always recommend that any website or social media platform that holds your details and personal attributes (such as Facebook and Instagram) is locked down with 2FA, with your profile limited in who can view it, so that scraper tools cannot mine the personal details you have left on the web and correlate them into guesses for your password (Ok, 2024). A smart AI tool can use this kind of scraped data to make far more educated password guesses.

So, What Can You Do?

The truth is, as I said at the start of this blog, the problem starts with us humans in the first place!

We just aren’t great at creating secure passwords. We’re too predictable.

But here’s the good news: you don’t need to outsmart the hackers. You just need to change the game.

Here’s how to protect yourself:

  • Use a password manager. It can generate strong, random passwords and remember them for you.
  • Don’t reuse passwords. Every account should have its own unique password; the password manager can help you with that.
  • Use a secure master password. Ideally something very long and random. If you can’t memorise it, make sure it’s written down in multiple safe places.
  • Follow the recommended NIST 2 Password Guidelines. You can find the guidelines here: https://sprinto.com/blog/nist-password-guidelines/

The Bottom Line

We’re entering a future where AI will make guessing human-made passwords faster and easier than ever. Long passwords won’t protect you if they’re based on patterns. Only truly random passwords—created by machines, not people—are safe. Ironic, huh?

Resources:

https://www.mimecast.com/blog/human-error-at-the-heart-of-recent-ransomware-attacks-on-uk-retail-giants/

https://www.securitymagazine.com/articles/100765-78-of-people-use-the-same-password-across-multiple-accounts

https://wandli.github.io/docs/Leet_Usage_and_Its_Effect_on_Password_Security.pdf

https://multilogin.com/blog/what-is-facebook-scraping/
