60% of MD5 Password Hashes Are Crackable In Under an Hour
Source: Slashdot
Study Findings
In honor of World Password Day, Kaspersky researchers revisited their study on the crackability of real-world passwords and found that 60% of MD5-hashed passwords could be cracked in under an hour with a single Nvidia RTX 5090, and 48% could be cracked in under a minute.
“The bottom line is that passwords protected only by fast hashing algorithms such as MD5 are no longer safe if attackers obtain them in a data breach,” reports The Register.
Much of the reason password hashes have become so easy to crack is password predictability. Kaspersky’s analysis of more than 200 million exposed passwords revealed common patterns that attackers can use to optimise cracking algorithms, significantly reducing the time needed to guess the character combinations that grant access to target accounts.
Comparison with 2024
Kaspersky ran a prior iteration of this study in 2024. The new results show that passwords are slightly easier to crack in 2026 than they were a couple of years ago—only a few percent, but still a move in the wrong direction.
“Attackers owe this boost in speed to graphics processors, which grow more powerful every year,” Kaspersky explained. “Unfortunately, passwords remain as weak as ever.”
Recommendations
“This World Password Day, the main message ought not to be to the users, who often have no choice but to use passwords anyway, but to the sites and providers that are requiring them to do so,” said senior IEEE member and University of Nottingham cybersecurity professor Steven Furnell.
His advice:
- Providers need to modernise their login systems.
- Enforce stronger protections (e.g., slow, memory‑hard hashing algorithms, multi‑factor authentication).
- Recognise that users are often stuck with whatever security options they’re given, so the burden of security must shift to the services they use.
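One way a provider can act on the hashing advice above, shown as an added example that is not from the article, Kaspersky or The Register: verify logins against legacy unsalted MD5 records and replace each one with a salted scrypt (memory-hard) record the first time the user logs in successfully. The record format, function names, cost parameters and sample account are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Cost parameters are assumed values for this example; tune them for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # headroom above the ~16 MiB these parameters need

def legacy_md5(password: str) -> str:
    """The unsalted MD5 format being migrated away from (hypothetical legacy scheme)."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()

def scrypt_record(password: str) -> str:
    """Hash with a per-user random salt; store the parameters alongside the hash."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                        maxmem=MAXMEM, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> tuple[bool, str]:
    """Return (ok, record_to_store); a legacy record is upgraded on success."""
    if record.startswith("scrypt$"):
        _, n, r, p, salt_hex, dk_hex = record.split("$")
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            maxmem=MAXMEM, dklen=len(expected))
        return hmac.compare_digest(dk, expected), record
    if hmac.compare_digest(legacy_md5(password), record.lower()):
        return True, scrypt_record(password)  # rehash while the plaintext is in hand
    return False, record

def login(db: dict, user: str, password: str) -> bool:
    """Check a login and persist the upgraded record, if any."""
    record = db.get(user)
    if record is None:
        return False
    ok, db[user] = verify(password, record)
    return ok

# Constructed sample data: one account still stored as unsalted MD5.
USERS = {"alice": legacy_md5("Summer2024!")}

if __name__ == "__main__":
    print(login(USERS, "alice", "Summer2024!"), USERS["alice"][:24])
```

Accounts that never log in keep their MD5 record under this scheme, so a migration also needs a plan for them, such as a forced reset.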