A fresh cybersecurity study from the Kaspersky team revealed alarming results—only 23% of passwords are strong enough, while 45% of real-world passwords could be cracked in less than a minute.
Recent research by Kaspersky shows that six out of ten passwords can be cracked in less than an hour using a modern graphics card or cloud services.
The team at the popular security software developer obtained a database of 193 million leaked passwords from the dark web, then tested password strength using both brute-force and smart-guessing algorithms. The results were disappointing.
To begin with, 87 million passwords (45% of the database) could be easily cracked by smart algorithms in under a minute. About six in ten (59%) of the passwords were cracked within an hour, 67% within a month, and only 23% were strong enough to require more than a year to crack.
Smart guessing algorithms are trained on a password data set to calculate the frequency of various character combinations and prioritize the most common combinations while selecting possible variations.
The efficiency of smart-algorithm password guessing is explained by human predictability. Real-world password analysis shows that people rarely choose truly random strings of numbers and letters. Around 57% of all the passwords Kaspersky analyzed contained a dictionary word or a frequent symbol combination.
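The frequency-based scoring described above can be turned around as a strength check. The following is an added example, not code from Kaspersky or the original article: a character-bigram model trained on a small constructed password list scores how predictable a candidate password is. The training list, the function names, and the add-one smoothing are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of human-style passwords (not taken from any real leak);
# it stands in for the training data set the article mentions.
TRAINING = ["password", "password1", "password123", "qwerty", "qwerty123",
            "iloveyou", "letmein", "welcome1", "sunshine", "dragon12",
            "monkey123", "football", "admin123", "summer2023", "princess"]
START, END = "^", "$"      # markers for the beginning and end of a password
SYMBOLS = 96               # 95 printable ASCII characters plus END (assumption)

def train(passwords):
    """Count how often each character follows the previous one."""
    counts = defaultdict(Counter)
    for pw in passwords:
        chars = [START, *pw, END]
        for prev, cur in zip(chars, chars[1:]):
            counts[prev][cur] += 1
    return counts

def guess_cost_bits(model, password):
    """-log2 of the password's probability under the model.

    Low values mean the string is built from frequent combinations and would
    be tried early by a frequency-ordered guesser.
    """
    bits = 0.0
    chars = [START, *password, END]
    for prev, cur in zip(chars, chars[1:]):
        seen = model.get(prev, Counter())
        # Add-one smoothing gives unseen transitions a small non-zero probability.
        p = (seen[cur] + 1) / (sum(seen.values()) + SYMBOLS)
        bits -= math.log2(p)
    return bits

def rank_by_predictability(model, candidates):
    """Most predictable (lowest cost) first."""
    return sorted(candidates, key=lambda pw: guess_cost_bits(model, pw))

MODEL = train(TRAINING)

if __name__ == "__main__":
    samples = ["k7#Qz!vR2pX", "sunshine123", "password123"]  # constructed
    for pw in rank_by_predictability(MODEL, samples):
        print(f"{pw:12} {guess_cost_bits(MODEL, pw):6.1f} bits")
```

All three sample candidates are 11 characters long, yet the two built from a word plus a digit run score far lower than the random string, which is why length alone is a poor strength measure.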
Not only do people find simple, and thus weak, passwords easier to remember, but many users also reuse the same password across different services and applications. A 2022 study found that nearly half of BNPL users use the same password for all their accounts. Therefore, once hackers discover the password for, say, someone’s email service, they have a better chance of gaining access to that person’s financial accounts and sensitive data.
To apply smart algorithms to password cracking, all hackers need is a powerful GPU, which can be bought for about $2000 or, better, rented for a few dollars an hour.
Considering the risks and the easy access to efficient cracking tools, Kaspersky recommends that users avoid meaningful words, names, and standard character sequences in passwords; generate strong passwords with machine tools; use mnemonic passphrases; create separate passwords for different sites and services; avoid saving passwords in browsers; and enable 2FA.