- Kaspersky researchers have found that most passwords can be cracked in less than a minute
- The researchers used a GPU to crack real-world passwords from the dark web
- Most passwords can be cracked in less than an hour
Using real-world samples recovered from the dark web, Kaspersky researchers tested how long it would take to crack most passwords and found that nearly half of the world’s passwords can be cracked in less than a minute.
In addition, the research shows that within an hour that number increases to three out of five passwords.
Armed with this knowledge, the researchers then investigated what separates a strong password from a weak one.
Cracked in less than a minute
The Kaspersky research team collected a dataset of 231 million unique passwords leaked on the dark web between 2023 and 2026 and, using a single RTX 5090 GPU, proceeded to see how long it would take a persistent hacker to crack most MD5 hash algorithm passwords.
The results showed that 48% of the world’s passwords can be cracked in less than a minute, 60% in less than an hour and 68% in less than 24 hours.
But it’s only a single threat actor with a single GPU. If the attacker turned to renting GPU computing power online, for just a few dollars an hour they can rent multiple GPUs to crack the password even faster.
The main thing that stands in the way of fast password cracking is its length. If a password is under 8 characters, it often takes less than 24 hours to crack. The gold standard is more than 15 characters, but make sure it’s not just a character variation.
If you want to add more hours to your password cracking time, add some numbers. But don’t use your year of birth, and definitely don’t use ‘1234’. Using a special character can help, but Kaspersky found that the ‘@’ symbol is by far the choice for most people, appearing in one in ten passwords.
Kaspersky also found that more than half of the passwords in their dataset have been exposed before, showing the extent of password reuse.
To best protect your passwords and online accounts, there are some actions you can take:
- Use a reputable password manager to generate and store your credentials
- Never write down your passwords in plain text.
- Don’t use browser storage for your passwords, they can be mined almost instantly by malware.
- Wherever possible, use an access key instead of a password. They are more secure and phishing resistant.
- Wherever you can, use multi-factor authentication (MFA) to secure your accounts. Even if a hacker has your username and password, MFA can prevent them from getting in.
The best password manager for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
