- Kaspersky researchers have found that most passwords can be cracked in less than a minute
- Researchers used a GPU to crack real-world dark web passwords
- Most passwords can be cracked in less than an hour
Using real-world samples recovered from the dark web, Kaspersky researchers tested how long it would take to crack most passwords and found that almost half of the world’s passwords can be cracked in less than a minute.
Additionally, research shows that within an hour, that number increases to three out of every five passwords.
Armed with this knowledge, the researchers explored what differentiates a strong password from a weak one.
Cracked in less than a minute
The Kaspersky research team collected a data set of 231 million unique passwords leaked on the dark web between 2023 and 2026 and, using a single RTX 5090 GPU, proceeded to see how long it would take a persistent hacker to crack most of the passwords hashed with the MD5 algorithm.
The results showed that 48% of the world’s passwords can be cracked in less than a minute, 60% in less than an hour, and 68% in less than 24 hours.
But this is a single threat actor with a single GPU. If the attacker turned to renting GPU computing power online, for just a few dollars an hour they could rent multiple GPUs to crack passwords even faster.
The main obstacle to quickly cracking a password is its length. If a password is less than 8 characters, it often takes less than 24 hours to crack. The gold standard is 15+ characters, but make sure there isn’t just some character variation.
If you want to add more hours to your password cracking time, add some numbers. But don’t use your birth year and definitely don’t use ‘1234’. Using a special character can help, but Kaspersky found that the ‘@’ symbol is by far the most common choice, appearing in one in ten passwords.
Kaspersky also found that more than half of the passwords in its data set have been exposed before, showing the extent of password reuse.
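The weaknesses described above (fewer than 8 characters, falling short of 15, years, ‘1234’-style runs, ‘@’ as the only special character, prior exposure) can be checked mechanically. The following is an added example, not code from Kaspersky or the original article; the function names, the 1940 lower bound for years and the sample exposed-password set are assumptions made for illustration.

```python
import hashlib
import re
from datetime import date

SHORT_LIMIT = 8       # article: under 8 characters often cracks within 24 hours
GOLD_STANDARD = 15    # article: 15+ characters is the gold standard
FIRST_YEAR = 1940     # assumption: earliest plausible birth year

def _digest(pw):
    """Hash a password so the exposure list never holds plain text."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def _has_year(pw):
    """True if any 4-digit window looks like a calendar year."""
    for m in re.finditer(r"(?=(\d{4}))", pw):   # lookahead = overlapping windows
        if FIRST_YEAR <= int(m.group(1)) <= date.today().year:
            return True
    return False

def _has_digit_run(pw, run=4):
    """True if pw contains `run` consecutive ascending digits, e.g. 1234."""
    streak = 1
    for prev, cur in zip(pw, pw[1:]):
        if prev.isdecimal() and cur.isdecimal() and int(cur) - int(prev) == 1:
            streak += 1
            if streak >= run:
                return True
        else:
            streak = 1
    return False

def audit_password(pw, exposed_digests=frozenset()):
    """Return the weaknesses named in the article that apply to pw."""
    findings = []
    if len(pw) < SHORT_LIMIT:
        findings.append("shorter-than-8")
    elif len(pw) < GOLD_STANDARD:
        findings.append("below-15")
    if _has_year(pw):
        findings.append("contains-year")
    if _has_digit_run(pw):
        findings.append("contains-digit-run")
    if {c for c in pw if not c.isalnum()} == {"@"}:
        findings.append("only-special-is-@")
    if _digest(pw) in exposed_digests:
        findings.append("previously-exposed")
    return findings

# Constructed sample data, not taken from the Kaspersky data set.
EXPOSED = frozenset({_digest("Summer@1990")})
```

An empty list means none of these specific patterns were found; it does not by itself mean the password is strong.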
To better protect your passwords and online accounts, there are some practical steps you can take:
- Use a reliable password manager to generate and store your credentials.
- Never write your passwords as plain text.
- Do not use the browser’s storage for your passwords, as malware can extract them almost instantly.
- Whenever you can, use a passcode instead of a password. They are more secure and resistant to phishing.
- Whenever you can, use multi-factor authentication (MFA) to protect your accounts. Even if an attacker has your username and password, MFA can prevent them from logging in.





