Millions of popular passwords can be cracked in less than a minute, a troubling report from Kaspersky has claimed. Security experts analysed a database of 193 million passwords shared on the Dark Web to determine whether recent advances in computer processing power would make cracking passwords easier.
Spoiler alert — Yes, it has.
Hackers attempted to break into passwords 32 million times last year alone, according to data from Kaspersky. That figure is likely to increase as it becomes easier and easier to brute-force passwords with the latest algorithms and hardware.
Kaspersky researchers used a combination of the latest algorithms and an Nvidia RTX 4090 GPU worth £1,549 to attempt to crack the database of 193 million passwords unearthed on the Dark Web. All of the passwords stored were hashed and salted — meaning researchers still needed to correctly guess them to break in.
If your password has 8 characters or fewer, it could be cracked in just 17 seconds, researchers found. Most of these passwords were either all lowercase or uppercase English letters with a few numerical digits — showing the importance of using special characters, like symbols, to make your password harder to crack.
In total, 45% of all passwords analysed from the database — 87 million — could be guessed within a minute.
The majority of the passwords examined by researchers contained at least one word from the dictionary, which significantly reduces the strength of a password and makes it more susceptible to brute-force-style attacks.
As the researchers cracked millions of passwords, some patterns started to emerge. If you want to create a strong, unique password to shield your account, avoid some of these popular patterns —
Popular Words
- forever
- love
- hacker
- gamer
Common Names
- daniel
- kevin
- ahmed
- nguyen
- kumar
Standard Passwords
- password
- qwerty12345
- admin
- 12345
- team
Kaspersky used a brute-force algorithm to achieve these results, a technique that’s very popular with hackers. It tries candidate passwords systematically: running through a list of words from the dictionary, as well as combinations of diverse character types, numbers, and more. Researchers attempted to improve on the initial results by programming the algorithm to consider popular character combinations, common names, and sequences.
Hackers have also developed smart algorithms that make attempts with character replacements, like swapping an “a” for “@” or an “e” with “3” — so don’t do that when creating a password; it won’t make your account safer.
With the most efficient brute-force algorithm, researchers were able to break 59% of the 193 million passwords within an hour, and almost three-quarters of all passwords (73%) within a month.
Just 23% of passwords from the Dark Web database would take longer than a year to break.
Discussing their findings, the security experts from Kaspersky noted: “Unconsciously, human beings create ‘human’ passwords — containing the words from the dictionary in their native languages, featuring names, numbers, etc, things that are easy for our busy brains to recall easily.
“Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms. Given that, the most dependable solution is to generate a completely random password using modern and reliable password managers.”
Image caption: Kaspersky analysed millions of hashed-and-salted passwords shared by hackers on the Dark Web to work out how long it would take to break into accounts (image: Kaspersky)
If you want to improve protections on your accounts, never use a password that can be easily guessed based on your personal information: no birth dates, names of family members, pets, or your own name. These will often be the first guesses made by attackers.
Advanced cracking algorithms run through hundreds of thousands of words from the dictionary — including substitutions with @, 3, ! and other special characters — so passwords built that way will be caught out.
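To make the cracker-friendly patterns described above concrete from the defender’s side, here is an added Python example (not Kaspersky’s code, nor anything from the article) that flags a candidate password when it matches them: it undoes the “@” for “a”, “3” for “e” style substitutions before looking for dictionary words, and also checks length, ascending digit runs and how many character classes are used. The word list is a constructed sample built from the article’s own lists, and the substitution table is my own assumption rather than any real cracking ruleset; a real checker would load a full dictionary file.

```python
# Constructed sample word list: entries from the article's own "popular
# words", "common names" and "standard passwords" lists. A real checker
# would load a full dictionary file instead (hypothetical, not on the page).
COMMON_WORDS = {
    "forever", "love", "hacker", "gamer",
    "daniel", "kevin", "ahmed", "nguyen", "kumar",
    "password", "qwerty", "admin", "team",
}

# Substitutions that cracking rulesets undo: "@" for "a", "3" for "e", etc.
# This table is an assumption for the example, not Kaspersky's ruleset.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

DIGITS = "0123456789"


def normalize(password: str) -> str:
    """Lowercase and undo substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def has_digit_run(s: str, n: int = 4) -> bool:
    """True if s contains an ascending run of n consecutive digits (e.g. '1234')."""
    return any(DIGITS[i:i + n] in s for i in range(len(DIGITS) - n + 1))


def char_classes(password: str) -> int:
    """Count the distinct character classes (lower, upper, digit, symbol) present."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def find_weaknesses(password: str) -> list[str]:
    """Return human-readable reasons the password matches cracker-friendly patterns."""
    reasons = []
    if len(password) <= 8:
        reasons.append("8 characters or fewer")
    # Dictionary check runs on the normalised form, so substitutions do not hide words.
    found = sorted(w for w in COMMON_WORDS if w in normalize(password))
    if found:
        reasons.append("contains common word(s) after undoing substitutions: "
                       + ", ".join(found))
    # Digit-sequence check runs on the original, since normalising rewrites digits.
    if has_digit_run(password):
        reasons.append("contains an ascending digit sequence")
    if char_classes(password) < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "qwerty12345", "Kevin1234!", "xT9#vLq2@mWz8&pR"]:
        print(candidate, "->", find_weaknesses(candidate) or ["no common pattern found"])
```

Note that the checker only recognises patterns it knows about: a password that comes back clean is not thereby strong, which is why the article’s advice to generate passwords randomly rather than hand-craft them still stands.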
Enabling two-factor authentication is one of the most sure-fire methods to safeguard your data.
This doesn’t impact the strength of your password, but it means that nobody can log in to your account with just your username and password. Instead, you’ll need to enter a unique code sent via SMS, email, or an app like Microsoft Authenticator, as well as your login details to access an account.
Passkeys could be another solution to the password strength conundrum. This clever solution uses the security features built into your smartphone — like Face ID facial recognition on iPhone, fingerprint scanners on Samsung Galaxy, and more — to verify your identity when you log in to a website or app.
Support for these password replacements is slowly being adopted by the biggest online services and applications: Elon Musk enabled support on X for iPhone owners earlier this year, and WhatsApp has also adopted passkeys to avoid its users relying on guessable passwords.
Password managers are another popular solution.
These standalone apps generate unique passwords with no discernible pattern at all — and a healthy mixture of lower- and uppercase characters, symbols, numerical digits, and much more. It would be impossible to memorise these long, unique jumbles of characters for every login, so password managers encrypt and save all of them for you — filling in the fields within apps and websites for you.
You’ll only need to remember a single password: the one that unlocks your password manager.
Many of these applications also rely on biometrics, like fingerprints and facial scans, to lock down everything.
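As an added illustration of why a manager-generated password resists the brute-force results described in the article (this is example code, not any password manager’s implementation), the Python below draws characters uniformly from a 94-symbol alphabet using the operating system’s cryptographic random source, then works out the entropy in bits and the worst-case time to try every possibility. The alphabet and the guess rate used in the demo are assumptions for the example; real cracking rates depend heavily on the hash algorithm, so the time figures show the scaling, not a prediction.

```python
import math
import secrets
import string

# Alphabet a password manager might draw from: all printable ASCII minus
# whitespace (94 symbols). The exact set is an assumption for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Draw characters uniformly with the OS CSPRNG (the secrets module),
    retrying until lower, upper, digit and symbol are all present so the
    result never has an obviously missing class."""
    if length < 4:
        raise ValueError("length must be at least 4 to fit all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every string of the given entropy at a fixed rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed guess rate for illustration only; depends on the hash in use
    cases = [("8 lowercase letters (best case for the article's short passwords)", 8, 26),
             ("20 chars from a 94-symbol alphabet", 20, len(ALPHABET))]
    for label, length, size in cases:
        bits = entropy_bits(length, size)
        years = seconds_to_exhaust(bits, RATE) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years to exhaust at {RATE:.0e} guesses/s")
    print("generated example:", generate_password())
```

The entropy figure assumes every character was chosen uniformly at random, which is exactly what a human-chosen password is not: eight lowercase letters give at most about 37.6 bits, and the dictionary words and substitutions the article describes shrink the real search space far below that, which is why such passwords fall in seconds. The class-retry loop discards only a tiny fraction of 20-character candidates, so the computed entropy still applies closely to what the generator returns.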
Apple includes a password manager — known as iCloud Keychain — as part of the operating system that ships on every iPhone, iPad, and Mac, while Californian rival Google has baked a similar system into Chrome.
LATEST DEVELOPMENTS
In the last few months, we’ve seen security researchers unearth the so-called “mother of all breaches”, with billions of stolen usernames and passwords for popular sites like LinkedIn, X (formerly Twitter), Telegram, and Dropbox. Not only that, but hackers used credential stuffing to break into half a million Roku accounts and spend money using saved payment details.
Whatever you do, make sure you’re not using a password on this list published by Nord.