60% of Passwords Can Be Cracked Within an Hour: Kaspersky Report Shows GPU Brute‑Force Era Has Arrived
Kaspersky Lab’s analysis of 2.31 billion leaked passwords reveals that 60% can be cracked in under an hour—nearly half in under a minute—thanks to RTX 5090‑level GPU hashing speeds, AI‑driven guessing, and persistent human habits, prompting urgent security reforms.
Kaspersky Lab examined 2.31 billion passwords leaked on dark‑web markets between 2023 and 2026. Using an NVIDIA RTX 5090 GPU, the lab measured MD5 hash‑cracking at 2.2 × 10¹¹ hashes per second, a 34% improvement over the RTX 4090.
Core findings: 60% of the tested passwords can be recovered within one hour. Of all passwords tested, 48% fall in under a minute, typically because they are extremely weak (e.g., “123456”, “password”, or a common word with a year appended), and a further 12% fall within the hour. At the other end, only 23% would resist more than a year of continuous brute force at the measured rate, leaving roughly 17% somewhere between an hour and a year.
The breakdown is based on real‑world leaked data rather than theoretical models, underscoring a rapid deterioration of password security as GPU power becomes cheap and widely available. One caveat applies to the crack times: they were measured against unsalted MD5, the fastest case for an attacker. The same passwords stored under a salted, deliberately slow password hash would take orders of magnitude longer, although the underlying weakness, predictable human choices, is the same whatever the hash.
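To make the report's figures concrete, the following added example (not Kaspersky's code) turns the measured rate of 2.2 × 10¹¹ MD5 hashes per second into keyspace sizes, entropy and exhaustive-search times for common password shapes, and finds the shortest length whose full keyspace exceeds one year at that rate. The slow-KDF rate of 10⁵ hashes/s used for contrast is a hypothetical order-of-magnitude figure, not a measurement from the report.

```python
"""Time-to-crack arithmetic at the report's MD5 rate (added example, not Kaspersky's code)."""
from __future__ import annotations

import math

# Measured figure from the report: unsalted MD5 on an RTX 5090.
MD5_RTX5090_HPS = 2.2e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes a brute-forcer would enumerate.
CHARSETS = {"digits": 10, "lower": 26, "lower+digits": 36, "alnum": 62, "printable": 95}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a password of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of that shape."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, rate: float = MD5_RTX5090_HPS) -> float:
    """Seconds to exhaust the whole keyspace at `rate` hashes/s (the average hit is half this)."""
    return keyspace(charset_size, length) / rate


def min_length_for_years(charset_size: int, years: float = 1.0, rate: float = MD5_RTX5090_HPS) -> int:
    """Smallest length whose full keyspace takes more than `years` to exhaust at `rate`."""
    budget = years * SECONDS_PER_YEAR * rate  # hashes computable in that time
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("y", SECONDS_PER_YEAR), ("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} s"


if __name__ == "__main__":
    # Hypothetical slow-KDF rate for contrast; NOT a measurement from the report.
    SLOW_KDF_HPS = 1e5
    for name, size in CHARSETS.items():
        for length in (8, 10, 12):
            print(f"{name:>13} x{length}: {entropy_bits(size, length):5.1f} bits, "
                  f"MD5 {humanize(worst_case_seconds(size, length)):>12}, "
                  f"slow KDF {humanize(worst_case_seconds(size, length, SLOW_KDF_HPS)):>12}")
    for name, size in CHARSETS.items():
        print(f"{name:>13}: {min_length_for_years(size)} chars needed to exceed one year of MD5 brute force")
```

Two things the table makes visible: an 8-character password drawn from all 95 printable ASCII characters falls to exhaustive MD5 search in about 8.4 hours, and the one-year threshold for that character set sits at 10 characters. These are upper bounds for random passwords; the report's "under a minute" bucket is reached not by exhausting keyspaces but by guessing the patterns people actually use.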
Three dominant cracking techniques:
Brute‑Force – exhaustive enumeration of every possible character combination. GPU parallelism makes this viable at scale for short passwords and small character sets, as illustrated by the RTX 5090’s 2.2 × 10¹¹ MD5 hashes/s; because the keyspace grows exponentially with length, the approach loses its edge quickly against long random passwords.
Rainbow‑Table attacks – pre‑computed tables that map hashes back to plaintext for fast, unsalted algorithms such as MD5 or SHA‑1. A unique random salt per password, stored alongside the hash, defeats them because the table would have to be rebuilt for every salt, but many legacy systems still store unsalted hashes.
AI‑enhanced “smart” attacks – machine‑learning models trained on large leaked‑password corpora that order guesses by likelihood (common substitutions, keyboard sequences, personal‑information concatenations, frequent suffixes such as “!@#2025”). Because most human‑chosen passwords follow a small number of such patterns, prioritized guessing finds them after a tiny fraction of the brute‑force keyspace, which is what drives the success rates reported above.
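The following added example (not the report's tooling) shows the second and third techniques in miniature: a handful of mangling rules of the kind a guessing model would learn (case changes, leet substitutions, year and symbol suffixes) expand a constructed seed list into candidates, a precomputed hash-to-plaintext table is built once and then answers any number of unsalted MD5 hashes by lookup, and the same table fails against a salted hash of the same password. The seed words and the "leaked" hashes are constructed for the example; a real attack would start from a multi-million-entry leaked-password list.

```python
"""Rule-based guessing plus a precomputed lookup table against unsalted MD5
(added example, not the report's tooling; word list and leaked hashes are constructed)."""
from __future__ import annotations

import hashlib
from typing import Iterator

# Constructed seed words; a real attack would use a large leaked-password list.
BASE_WORDS = ["password", "welcome", "summer", "admin", "qwerty", "kaspersky"]
YEARS = [str(y) for y in range(2020, 2027)]
SUFFIXES = ["", "!", "1", "123", "!@#"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word: str) -> Iterator[str]:
    """Yield variants of one word, cheapest and most common habits first."""
    forms = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    yield from forms                                   # bare word and case changes
    for form in forms:                                 # trailing symbol/digit habits
        for suffix in SUFFIXES[1:]:
            yield form + suffix
    for form in forms:                                 # word + year (+ symbol)
        for year in YEARS:
            for suffix in SUFFIXES:
                yield form + year + suffix


def candidates(words=BASE_WORDS) -> Iterator[str]:
    """All distinct candidates, in rule order across the whole word list."""
    seen: set[str] = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words=BASE_WORDS) -> dict[str, str]:
    """Precomputed hash -> plaintext table (the plain-lookup relative of a rainbow
    table): the hashing cost is paid once, then every unsalted hash from any
    breach is answered with a dictionary lookup."""
    return {md5_hex(c): c for c in candidates(words)}


def crack_unsalted(leaked_hashes, table) -> dict[str, str]:
    """Map each leaked hash that appears in the table to its plaintext."""
    return {h: table[h] for h in leaked_hashes if h in table}


def guesses_until_hit(target_hash: str, words=BASE_WORDS):
    """Sequential attack: how many rule-ordered guesses before one hash falls."""
    for i, cand in enumerate(candidates(words), 1):
        if md5_hex(cand) == target_hash:
            return i, cand
    return None


def salted_md5(password: str, salt: str) -> str:
    """Even a fast hash with a per-user salt makes the shared table useless;
    the attacker must re-hash the whole candidate list once per salt."""
    return md5_hex(salt + password)


if __name__ == "__main__":
    table = build_lookup()
    # Constructed "leak": three patterned passwords and one passphrase the rules never produce.
    leaked = [md5_hex(p) for p in ("Password2025!", "summer123", "qwerty",
                                   "correct horse battery staple")]
    print(f"{len(table)} candidates precomputed; recovered: {crack_unsalted(leaked, table)}")
    print("salted copy of 'qwerty' in table:", bool(crack_unsalted([salted_md5("qwerty", "a1b2c3d4")], table)))
    print("guesses to reach 'qwerty' sequentially:", guesses_until_hit(md5_hex("qwerty")))
```

Six seed words and a few rules already produce 1,200 candidates and recover three of the four constructed hashes; the passphrase survives only because no rule generates it. Scaling the seed list to the hundreds of millions of entries in public leaks, and the rules to those learned from them, is what turns this into the "under a minute" bucket of the report.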
Human behavior is identified as the weakest link: users favor memorable, predictable passwords, reuse them across services, and often store them insecurely in browsers or plain‑text files. Reuse turns a single cracked password into a credential‑stuffing attack against every other service where the same login works.
GPU democratization – The RTX 50 series, especially the RTX 5090, is now affordable via cloud providers. Renting a few hours of GPU time can provide the compute needed to crack millions of passwords, turning large‑scale attacks from a nation‑state capability into a commodity.
Risk scenarios include massive data‑breach fallout, enterprise VPN compromise, and cascading account takeovers that lead to phishing, ransomware, or identity theft.
Mitigation recommendations (as outlined by Kaspersky):
Adopt reputable password managers (e.g., Bitwarden, 1Password) to generate and store random passwords of at least 20 characters.
Follow strong‑password creation rules: a length of at least 16 to 20 characters, high entropy, no personal information, a unique password per service, and periodic rotation for critical accounts.
Transition to password‑less authentication (Passkeys) based on public‑key cryptography.
Enable multi‑factor authentication (MFA) using authenticator apps or hardware keys; avoid SMS‑based codes.
Maintain good security hygiene: avoid saving passwords in browsers, regularly check for breaches with tools like Have I Been Pwned, and keep software patched.
Service providers should retire fast general‑purpose hashes (MD5, SHA‑1) for password storage in favor of purpose‑built, deliberately slow password hashing functions: Argon2 (memory‑hard, the preferred choice), bcrypt, or PBKDF2 (the latter two are slow but not memory‑hard); use a unique random salt of at least 16 bytes per password; and rate‑limit login attempts. Rate limiting blunts online guessing against the live service but does nothing against offline cracking of a stolen database, which is where the hash choice matters.
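The storage recommendation above, as an added example rather than Kaspersky's or any vendor's code: the legacy unsalted MD5 record the report warns about sits beside a salted record using scrypt, a memory-hard function that ships in Python's standard library (Argon2id would be the production choice, but needs a third-party package, so it is not used here). The record format with the scheme and parameters embedded is illustrative, not a standard one. The verify-and-upgrade path shows how a site migrates without a password reset: the plaintext is only available at login, so a successful login against a legacy record returns a replacement record to store.

```python
"""Legacy unsalted MD5 beside a salted, deliberately slow KDF, with upgrade-on-login
(added example; illustrative record format, not Kaspersky's or any vendor's code)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# scrypt is memory-hard and in the standard library; Argon2id would be preferred
# in production (third-party package, so not used here). Parameters are stored
# with each record so they can be raised later without breaking old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def legacy_md5_record(password: str) -> str:
    """The pattern the report warns about: fast and unsalted, so identical passwords
    give identical hashes and one precomputed table answers every leaked row."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_record(password: str, salt: bytes | None = None) -> str:
    """Hardened record: 16-byte random salt per password plus memory-hard scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify(record: str, password: str) -> bool:
    """Check a password against either record type with constant-time comparison."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), rest)
    if scheme == "scrypt":
        n, r, p, salt_b64, dk_b64 = rest.split("$")
        expected = _unb64(dk_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=_unb64(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
        return hmac.compare_digest(dk, expected)
    raise ValueError(f"unsupported hash scheme: {scheme}")


def verify_and_upgrade(record: str, password: str) -> tuple[bool, str | None]:
    """Login path during a migration: a correct login against a legacy record
    returns a new scrypt record for the caller to store in place of the old one."""
    ok = verify(record, password)
    if ok and not record.startswith("scrypt$"):
        return True, scrypt_record(password)
    return ok, None


if __name__ == "__main__":
    old = legacy_md5_record("password")
    print("legacy:", old)                      # same for every user who chose "password"
    print("hardened:", scrypt_record("password"))
    print("hardened again:", scrypt_record("password"))   # different salt, different hash
    ok, replacement = verify_and_upgrade(old, "password")
    print("login ok:", ok, "| store replacement:", replacement is not None)
```

Note that the legacy branch of verify() exists only so old rows keep working until they are rewritten; once every record starts with "scrypt$", that branch should be deleted. Cracking a stolen table of such records would cost the attacker one scrypt evaluation per guess per salt, instead of one MD5 per guess shared across all users.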
Looking ahead, the report warns that quantum computing will further threaten traditional hash functions, urging a shift toward post‑quantum cryptography and zero‑trust architectures. For hash functions the quantum effect is modest, since Grover‑style search at most halves the effective bit strength, which is small next to the classical GPU gains described above; the larger quantum concern is for today’s public‑key algorithms.
Source: 安全牛
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
