Why Kaspersky and Global Experts Say MD5 Is Breaking Modern Security

Kaspersky picked a fitting time to share bad news about passwords. On World Password Day, the security firm revealed that most password hashes can now be cracked in less than an hour with a single modern graphics card.

The company tested more than 231 million unique passwords collected from dark web leaks. That dataset included 38 million passwords added since its last study. Researchers hashed the passwords with MD5, a fast hashing algorithm that many systems still use despite years of security warnings.

Using one Nvidia RTX 5090 GPU, Kaspersky found that 60 percent of the password hashes could be cracked in under an hour. Almost half fell in less than a minute.

That result sounds extreme at first. The RTX 5090 is expensive and built for high-end workloads. Yet the real point is not the hardware itself. Attackers no longer need to own powerful systems. They can rent cloud GPUs for a small fee and run password cracking tools at scale.

The message is simple: passwords protected only by fast hashing algorithms are no longer safe once attackers get access to stolen data.

Kaspersky said, “One hour is all an attacker needs to crack three out of every five passwords they’ve found in a leak.”

The Password Gap: Why Hardware Speed is Outpacing Human Habit

The problem goes beyond hardware. Passwords remain predictable. Many people still use names, dates, simple patterns, or short phrases. Attackers know this. Modern cracking tools do not guess random combinations first. They start with common structures, reused phrases, and popular character patterns.

That cuts cracking time by a huge margin.

Kaspersky compared the results with a similar study from 2024. Passwords became slightly easier to crack in 2026. The change was small, but the trend matters. Graphics processors keep getting faster while user password habits stay mostly unchanged.

The company blamed that gap directly on GPU performance gains.

For years, the tech industry has talked about the “death of the password.” Yet passwords still sit at the center of most login systems. Many people use them dozens of times each day for work, banking, shopping, and personal accounts.

Security experts now argue that passwords should act as only one layer of protection.

Chris Gunner, a virtual CISO at managed service provider Thrive, said strong passwords still matter, but they cannot carry the full burden of account security.

According to Gunner, organizations need broader identity controls around passwords. He recommended multi-factor authentication, especially biometric verification, because it creates another barrier after the password itself. Even if attackers crack or steal a password, they still need access to a second factor.

Gunner also stressed the need for identity governance, endpoint protection, and zero trust security models. Those controls reduce the damage attackers can cause after gaining access to one compromised account.

The broader lesson is clear. Companies should stop treating passwords as a complete security solution.

Why Organizations Must Lead the Charge in Modern Authentication

Steven Furnell, a senior IEEE member and cybersecurity professor at the University of Nottingham, argued that users should not carry all the blame either.

Many websites still fail to support stronger login methods like passkeys. Others allow weak passwords or provide little guidance on how to create secure credentials. That leaves users stuck between outdated systems and growing security risks.

Furnell noted that people often face a mixed login experience. Some services support passkeys and modern authentication tools, while others rely on passwords alone. Until adoption becomes consistent, passwords will remain part of everyday life.

He also pointed out that many sites fail to enforce strong password rules. Some still allow short passwords, weak patterns, or reused credentials. In many cases, users never receive clear advice on modern password security.

That shifts part of the responsibility back to organizations.

World Password Day should not focus only on telling users to create stronger passwords. Companies must modernize authentication systems as well. Strong hashing algorithms, multi-factor authentication, passkeys, and layered security controls should now be standard practice.
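
To make the "strong hashing algorithms" recommendation concrete, here is an added example (not code from Kaspersky or from this article) that verifies a legacy unsalted MD5 record, replaces it with a salted scrypt record at the next successful login, and measures the per-guess cost of each. The record format, function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt cost parameters (about 16 MiB of memory per guess); tune for your hardware.
N, R, P = 2**14, 8, 1


def scrypt_record(password: str) -> str:
    """Create a salted scrypt record in the assumed form scrypt$<salt hex>$<hash hex>."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(record: str, password: str):
    """Return (ok, record_to_store). Legacy md5$<hex> records are rehashed on success."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, rest):
            return True, scrypt_record(password)  # upgrade while the plaintext is in hand
        return False, record
    if scheme == "scrypt":
        salt_hex, _, hash_hex = rest.partition("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=N, r=R, p=P, dklen=32)
        return hmac.compare_digest(digest.hex(), hash_hex), record
    raise ValueError(f"unknown hash scheme: {scheme!r}")


def seconds_per_guess(fn, rounds: int) -> float:
    """Average wall-clock cost of one hash evaluation."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    legacy = "md5$" + hashlib.md5(b"Summer2026!").hexdigest()  # constructed sample record
    ok, upgraded = verify_and_upgrade(legacy, "Summer2026!")
    print(ok, upgraded.split("$")[0])
    fast = seconds_per_guess(lambda: hashlib.md5(b"guess").digest(), 10000)
    slow = seconds_per_guess(lambda: hashlib.scrypt(b"guess", salt=b"0" * 16, n=N, r=R, p=P), 5)
    print(f"scrypt costs about {slow / fast:,.0f}x more per guess than MD5 on this machine")
```

Rehash-on-login only protects accounts that sign in again, so dormant legacy records stay exposed until they are reset or otherwise retired.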

Passwords are not disappearing soon. But the idea that a password alone can protect an account no longer holds up against modern attack tools.

The latest findings from Kaspersky show how quickly attackers can break weak defenses once data leaks occur. In many cases, cracking passwords now takes minutes instead of days.

That reality leaves companies with one practical choice: build more than one locked door between attackers and sensitive systems.
