Become a TechRadar Insider
- Kaspersky researchers have found most passwords can be cracked in less than a minute
- The researchers used a GPU to crack real worlds passwords from the dark web
- Most passwords can be cracked in less than an hour
Using real-world samples recovered from the dark web, Kaspersky researchers have tested how long it would take to crack most passwords, and found that almost half of the world's passwords can be cracked in less than a minute.
Additionally, the research shows that within an hour, that number rises to three out of five passwords.
Armed with this knowledge, the researchers then explored what differentiates a strong password from a weak one.
Cracked in less than a minute
Kaspersky research team gathered a dataset of 231 million unique passwords leaked on the dark web between 2023 and 2026, and using a single RTX 5090 GPU, proceeded to see how long it would take a persistent hacker to crack most MD5 hash algorithm passwords.
The results showed that 48% of the world’s passwords can be broken in under a minute, 60% in less than an hour, and 68% in less than 24 hours.
But that is just a single threat actor with a single GPU. If the attacker turned to renting GPU computing power online, for just a few dollars an hour they can rent multiple GPUs to crack the passwords even faster.
The main thing standing in the way of a rapid password cracking is its length. If a password is below 8 characters, it often takes less than 24 hours to crack. The gold standard is more than 15 characters, but make sure it's not just there is some character variation.
If you want to add more hours onto your password’s cracking time, add in some numbers. But don’t use your year of birth, and definitely don’t use ‘1234’. Using a special character can help, but Kaspersky found that the ‘@’ symbol is by far the choice for most people, appearing in one out of every ten passwords.
Kaspersky also found that more than half of the passwords in their data set have been exposed before, showing the extent of password reuse.
In order to best protect your passwords and online accounts, there are some actionable steps you can take:
- Use a reputable password manager to generate and store your credentials
- Never write down your passwords as plain text.
- Don’t use browser storage for your passwords, they can be extracted almost instantly by malware.
- Wherever you can, use a passkey instead of a password. They are more secure and phishing resistant.
- Wherever you can, use multi-factor authentication (MFA) to secure your accounts. Even if an attacker has your username and password, MFA can stop them getting in.
➡️ Read our full guide to the best password manager
1. Best overall:
NordPass
2. Best for mobile:
RoboForm
3. Best for syncing and sharing:
Keeper
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
