Scattered Spider Pivots to SaaS Application Attacks

Microsoft last year described the threat actor — known as UNC3944, Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus — as one of the most dangerous current adversaries.

Source: darkreading

New BadSpace Backdoor Deployed in Drive-By Attacks

The BadSpace backdoor is being distributed via drive-by attacks involving infected websites and JavaScript downloaders.

The post New BadSpace Backdoor Deployed in Drive-By Attacks appeared first on SecurityWeek.

Source: SecurityWeek

Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

China-linked threat actor Velvet Ant leveraged a legacy F5 BIG-IP appliance for three-year access to a victim’s network.


Source: SecurityWeek

The Annual SaaS Security Report: 2025 CISO Plans and Priorities

Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA).
Despite economic instability and major job cuts in 2023, organizations drastically increased investment in

Source: The Hacker News

Hackers can crack 59% of passwords in an hour | Kaspersky official blog

Although World Password Day, held annually on the first Thursday in May, has passed, our — and we hope your — fascination with password security continues. Instead of analyzing artificial “test-tube” passwords created for lab studies, we stayed in the real world — examining actual passwords leaked on the dark web. The results were alarming: 59% of these passwords could be cracked in less than an hour — and all it takes is a modern graphics card and a bit of know-how.

Today’s post explains how hackers crack passwords and how to counter it (spoiler alert: use reliable protection and automatically check your passwords for leaks).

The usual way to crack passwords

First, let’s clarify what we mean by “cracking a password”. We’re talking about cracking the password’s hash — a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways:

In plaintext. This is the simplest and clearest way: if a user’s password is, say, qwerty12345, then it’s stored on the company server as qwerty12345. If a data breach occurs, the hacker needs only to enter the password with the corresponding username to log in. That is, of course, if there’s no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept one-time passwords.
Hashed. This method uses hashing algorithms like MD5 and SHA-1 to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash and compares it to the one stored on the server. If they match, the password is correct. Here’s an example: if your password is that same qwerty12345, then “translated” into SHA-1, it looks like this: 4e17a448e043206801b95de317e07c839770c8b8. Hackers obtaining this hash would need to reverse it back to qwerty12345 (this is the “password cracking” part), for example, by using rainbow tables. A cracked password can then be used to access not only the compromised service but potentially other accounts where the password was reused.
Hashed with salt. Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a salt, to each password before hashing. A salt can be static or generated dynamically. The password+salt sequence is fed into the algorithm, which produces a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack.

For our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? You have to know where to look. We found them on the dark web, where such “treasures” are often freely available. We used this database to check user passwords for possible leaks — but rest assured we don’t store or even see any passwords. You can read more about the internal structure of the password vault in our Kaspersky Password Manager and how, without knowing your passwords, we match them against leaked ones.

The cost of password cracking

Modern GPUs are the best tool for analyzing a password’s strength. For example, the RTX 4090 paired with the password recovery tool hashcat achieves a rate of 164 billion hashes per second (GH/s) for salted MD5 hashes.

Let’s imagine an 8-character password using both Latin letters (either all lowercase or all uppercase) and digits (36 possible characters per position). The number of possible unique combinations is 2.8 trillion (calculated by raising 36 to the power of eight). A powerful CPU with a processing power of 6.7 gigahashes per second (GH/s) could brute-force such a password in seven minutes. But the aforementioned RTX 4090 manages it in just 17 seconds.

While such a high-end GPU costs slightly south of US$2,000, even attackers unable to get hold of one can easily rent computing power for just a few dollars per hour. But what if they rent a dozen RTX 4090s all at once? That would pack enough power to process massive hash database leaks with ease.
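As an added example (not code from the Kaspersky post), the following Python reproduces the 36^8 arithmetic above and generalizes it to other alphabets, lengths and hashing rates; the two rates are the figures quoted in the post, and the count of 33 printable punctuation symbols is an assumption.

```python
# Added example (not from the Kaspersky post): estimate brute-force search time
# for a password space. It reproduces the post's 36^8 figures and generalizes
# to other alphabets and lengths. The two rates are those quoted in the post
# (CPU 6.7 GH/s; RTX 4090 with hashcat 164 GH/s on salted MD5).
CPU_RATE_HPS = 6.7e9       # hashes per second, CPU figure from the post
GPU_RATE_HPS = 164e9       # hashes per second, RTX 4090 figure from the post
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int, rate_hps: float) -> float:
    """Worst-case time to exhaust the keyspace at a given hashing rate."""
    return keyspace(charset_size, length) / rate_hps


def charset_size_of(pw: str) -> int:
    """Alphabet size implied by the character classes a password uses.
    Assumes 33 printable ASCII symbols besides letters and digits."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def human(seconds: float) -> str:
    """Render seconds in the largest sensible unit, one decimal place."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    print(keyspace(36, 8))                                 # 2821109907456
    print(human(crack_seconds(36, 8, CPU_RATE_HPS)))       # 7.0 minutes
    print(human(crack_seconds(36, 8, GPU_RATE_HPS)))       # 17.2 seconds
    # Length and a richer alphabet dominate: a 16-character mixed password.
    n = charset_size_of("Tr0ub4dor&3-xyzA")
    print(n, human(crack_seconds(n, 16, GPU_RATE_HPS)))
```

These are worst-case exhaustive-search times; the smart-guessing results later in the post show why real passwords usually fall far sooner.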

59% of passwords crackable in under an hour

We tested password strength using both brute-force and smart-guessing algorithms. While brute force iterates through all possible combinations of characters in order until it finds a match, smart-guessing algorithms are trained on a password dataset to calculate the frequency of various character combinations and then try the most common combinations first, working down to the rarest ones. You can read more about the algorithms used in the full version of our research on Securelist.

The results were unnerving: a staggering 45% of the 193 million real-world passwords we analyzed (that is, 87 million passwords!) could be cracked by the smart algorithm in less than a minute, 59% within an hour, 67% within a month, and a mere 23% of passwords could be considered truly strong — needing more than a year to crack.

Percentage of passwords crackable using the given method (cumulative total in parentheses)

Cracking time         Brute force    Smart guessing
Under a minute        10%            45%
1 minute to 1 hour    +10% (20%)     +14% (59%)
1 hour to 1 day       +6% (26%)      +8% (67%)
1 day to 1 month      +9% (35%)      +6% (73%)
1 month to 1 year     +10% (45%)     +4% (77%)
Over 1 year           +55% (100%)    +23% (100%)

It’s important to note that cracking all the passwords in the database doesn’t take much more time than cracking just one (!). At each iteration, having calculated the hash for the next combination of characters, the attacker checks whether that hash exists anywhere in the leaked database. If it does, the matching password is marked as “cracked”, after which the algorithm continues guessing the remaining ones.
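As an added example (not from the Kaspersky post), this Python illustrates the point just made and the salting discussion earlier: with unsalted hashes, one computation per guess is checked against the whole dump, whereas per-account salts multiply the work by the number of accounts. The account passwords and guess list are constructed toy data, and the audit functions are hypothetical names chosen here.

```python
# Added example (not from the Kaspersky post): why cracking every entry in a
# leaked database of unsalted hashes costs barely more than cracking one, and
# how per-account salts change the arithmetic. MD5 appears only because the post discusses it.
import hashlib
import os
from collections import Counter

# Constructed sample: two accounts share the same weak password.
ACCOUNT_PASSWORDS = ["qwerty12345", "qwerty12345", "password", "horse-battery-staple-42"]
GUESSES = ["123456", "password", "qwerty12345", "admin"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def dump_unsalted(passwords: list[str]) -> Counter:
    """Simulated breach dump: bare hash -> number of accounts using it."""
    return Counter(md5_hex(p.encode()) for p in passwords)


def dump_salted(passwords: list[str]) -> list[tuple[bytes, str]]:
    """Simulated breach dump: (random per-account salt, md5(salt || password))."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, md5_hex(salt + p.encode())))
    return records


def audit_unsalted(dump: Counter, guesses: list[str]) -> tuple[int, int]:
    """Return (hash computations, accounts recovered): one hash per guess,
    looked up against the whole dump, so work does not grow with account count."""
    work = hits = 0
    for g in guesses:
        work += 1
        hits += dump.get(md5_hex(g.encode()), 0)  # all accounts sharing it fall at once
    return work, hits


def audit_salted(dump: list[tuple[bytes, str]], guesses: list[str]) -> tuple[int, int]:
    """Same audit with per-account salts: every guess is re-hashed for every
    account, so work is guesses x accounts and precomputed tables do not help."""
    work = hits = 0
    for salt, stored in dump:
        for g in guesses:
            work += 1
            hits += md5_hex(salt + g.encode()) == stored
    return work, hits


if __name__ == "__main__":
    print(audit_unsalted(dump_unsalted(ACCOUNT_PASSWORDS), GUESSES))  # (4, 3)
    print(audit_salted(dump_salted(ACCOUNT_PASSWORDS), GUESSES))      # (16, 3)
```

Salting removes the shared-lookup shortcut; a deliberately slow hash such as bcrypt or Argon2 then raises the cost of each of those per-account computations as well.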

Why smart guessing algorithms are so effective

Humans are predictable. We rarely choose truly random passwords, and our attempts at generating them pale in comparison to machines. We rely on common phrases, dates, names, and patterns – precisely what smart cracking algorithms are designed to exploit.

Moreover, the human brain is such that if you ask a sample of folks to pick a number between one and a hundred, most will choose… the same numbers! The YouTube channel Veritasium surveyed more than 200,000 people and found the most popular numbers to be 7, 37, 42, 69, 73, and 77.

Results of the Veritasium survey.

Even when attempting random character strings, we tend to favor keys in the middle of the keyboard. Around 57% of all the passwords we analyzed contained a dictionary word or a frequent symbol combination. Worryingly, 51% of these passwords could be cracked in less than a minute, 67% in under an hour, and only 12% took more than a year. However, only a few passwords consisted of a dictionary word alone (such passwords could be cracked within a minute). See the Securelist post for more about the password patterns we encountered.

Smart algorithms make short work of most passwords that contain dictionary sequences. And they even catch character substitutions — so writing “pa$$word” instead of “password” or “@dmin” instead of “admin” won’t make the password much stronger. Using popular words and number sequences is equally risky. In 4% of the passwords we examined, the following cropped up somewhere:

12345
123456
love
12345678
123456789
admin
team
qwer
54321
password
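As an added example (not code from the Kaspersky post), here is a small checker that undoes substitutions such as “pa$$word” and “@dmin” before matching against the sequences listed above; the fragment list is built from those sequences, and the 12-character threshold and the leetspeak map are assumptions for illustration.

```python
# Added example (not from the Kaspersky post): a small strength check that
# undoes common character substitutions before looking for dictionary words
# and popular sequences, so "pa$$word" and "@dmin" are judged like "password"
# and "admin". WEAK_FRAGMENTS is a constructed sample built from the sequences
# quoted in the post; a real checker would use a far larger dictionary.

# Substitutions an attacker's guessing rules try; reversed here for normalization.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

# The sequences the post found in 4% of leaked passwords.
WEAK_FRAGMENTS = ["123456789", "12345678", "123456", "12345", "54321",
                  "password", "admin", "love", "team", "qwer"]
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the post


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak so 'P@$$w0rd' becomes 'password'."""
    return pw.lower().translate(LEET)


def weaknesses(pw: str) -> list[str]:
    """Return a list of findings; an empty list means no weakness detected."""
    found = []
    # Check both the raw and the de-leeted form: "12345" is a digit run in the
    # raw form but would be mangled ("i2eas") by normalization.
    forms = {pw.lower(), normalize(pw)}
    for frag in WEAK_FRAGMENTS:
        if any(frag in f for f in forms):
            found.append(f"contains '{frag}'")
    if pw.isdigit():
        found.append("digits only")
    elif pw.isalpha():
        found.append("letters only")
    if len(pw) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    return found


if __name__ == "__main__":
    for candidate in ["pa$$word", "@dmin2024", "123456789", "P@$$w0rd!",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", weaknesses(candidate) or "no findings")
```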

Recommendations

The takeaways from our hands-on study:

Many user passwords aren’t strong enough; 59% of them can be cracked in an hour.
Using meaningful words, names, and standard character sequences in your password significantly reduces password guessing time.
The least secure password is one that consists entirely of numbers or only words.

To keep your accounts safe, consider the following simple recommendations:

Generate strong passwords using Kaspersky Password Manager.
If you decide to create a password yourself, use mnemonic passphrases rather than meaningful word combinations, names, or dictionary sequences.
Never reuse passwords across different sites, because not all companies store user data securely.
Never save passwords in browsers.
Keep your passwords safely stored in a password manager and create a crack-proof primary password for it.
Check how crack-resistant your password is with Password Checker or directly in your Kaspersky Password Manager. It will identify weak and duplicate passwords, check all your passwords against compromised databases, and alert you if a match is found.
Utilize Kaspersky Premium to continually monitor in the background all accounts linked to your and family members’ phones or email addresses for data leaks.
Enable 2FA wherever possible. Incidentally, Kaspersky Password Manager also lets you save 2FA tokens and generate one-time codes.

Source: Kaspersky official blog

New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.
Included among the tools deployed is a remote access tool that’s capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog

Source: The Hacker News

The 5 Best VPNs With Free Trials in 2024

Here are the best VPNs with free trials available today. They offer access to premium VPN features and let you test drive paid VPNs without purchasing a subscription.

Source: Security | TechRepublic

Critical Code Execution Vulnerabilities Patched in VMware vCenter Server

Serious vulnerabilities that can allow remote code execution and privilege escalation have been patched in VMware vCenter Server.


Source: SecurityWeek

VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution.
The list of vulnerabilities is as follows –

CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) – Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could

Source: The Hacker News

Blackbaud Settles With California for $6.75 Million Over 2020 Data Breach

Blackbaud was ordered to pay $6.75 million to the California Attorney General’s Office over the 2020 data breach.


Source: SecurityWeek