Although World Password Day, held annually on the first Thursday in May, has passed, our — and we hope your — fascination with password security continues. Instead of analyzing artificial “test-tube” passwords created for lab studies, we stayed in the real world — examining actual passwords leaked on the dark web. The results were alarming: 59% of these passwords could be cracked in less than an hour — and all it takes is a modern graphics card and a bit of know-how.

Today’s post explains how hackers crack passwords and how to counter it (spoiler alert: use reliable protection and automatically check your passwords for leaks).

The usual way to crack passwords

First, let’s clarify what we mean by “cracking a password”. We’re talking about cracking the password’s hash — a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways:

This is the simplest and clearest way: if a user’s password is, say, qwerty12345, then it’s stored on the company server as qwerty12345. If a data breach occurs, the hacker needs only enter the password with the corresponding username to log in. That is, of course, if there’s no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept one-time passwords.
This method utilizes hashing algorithms like MD5 and SHA-1 to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash, and compares it to the one stored on the server. If they match, the password is correct. Here’s an example: if your password is that same qwerty12345, then “translated” into SHA-1, it looks like this: 4e17a448e043206801b95de317e07c839770c8b8. Hackers obtaining this hash would need to decrypt it back to qwerty12345 (this is the “password cracking” part), for example, by using rainbow tables. A cracked password can then be used to access not only the compromised service but potentially other accounts where the password was reused.
Hashed with salt. Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a salt, to each password before hashing. A salt can be static or generated dynamically. A password+salt sequence is fed into the algorithm, which results in a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack.

For our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? You have to know where to look. We found them on the dark web, where such “treasures” are often freely available. We used this database to check user passwords for possible leaks — but rest assured we don’t store or even see any passwords. You can read more about the internal structure of the password vault in our Kaspersky Password Manager and how, without knowing your passwords, we match them against leaked ones.

The cost of password cracking

Modern GPUs are the best tool for analyzing a password’s strength. For example, the RTX 4090 paired with the password recovery tool hashcat achieves a rate of 164 billion hashes per second (GH/s) for salted MD5 hashes.

Let’s imagine an 8-character password using both Latin letters (either all lowercase or all uppercase) and digits (36 possible characters per position). The number of possible unique combinations is 2.8 trillion (calculated by raising 36 to the power of eight). A powerful CPU boasting processing power of 6.7 GigaHashes per second (GH/s), could brute-force such a password in seven minutes. But the aforementioned RTX 4090 manages it in just 17 seconds.

While such a hi-end GPU costs slightly south of US$2,000, even attackers unable to get hold of one can easily rent computing power for just a few dollars per hour. But what if they rent a dozen RTX 4090s all at once? That would pack enough power to process massive hash database leaks with ease.

59% of passwords crackable in under an hour

We tested password strength using both brute-force and smart-guessing algorithms. While brute force iterates through all possible combinations of characters in order until it finds a match, smart guessing algorithms are trained on a passwords data-set to calculate the frequency of various character combinations and make selections first from the most common combinations and down to the rarest ones. You can read more about used algorithms in the full version of our research on Securelist.

The results were unnerving: a staggering 45% of the 193 million real-world passwords we analyzed (that is, 87 million passwords!) could be cracked by the smart algorithm in less than a minute, 59% within an hour, 67% within a month, and a mere 23% of passwords could be considered truly strong — needing more than a year to crack.

Cracking time
Percentage of passwords crackable using the given method

Brute force
Smart guessing

Under a minute
10%
45%

1 minute to 1 hour
+10% (20%)
+14% (59%)

1 hour to 1 day
+6% (26%)
+8% (67%)

1 day to 1 month
+9% (35%)
+6% (73%)

1 month to 1 year
+10% (45%)
+4% (77%)

Over 1 year
+55% (100%)
+23% (100%)

It’s important to note that cracking all passwords in the database doesn’t take much more time than cracking just one (!). At each iteration, having calculated the hash for the next combination of characters, the attacker checks whether the same one exists in the general database. If it does, the password in question is marked as “cracked”, after which the algorithm continues to guess other passwords.

Why smart guessing algorithms are so effective

Humans are predictable. We rarely choose truly random passwords, and our attempts at generating them pale in comparison to machines. We rely on common phrases, dates, names, and patterns – precisely what smart cracking algorithms are designed to exploit.

Moreover, the human brain is such that if you ask a sample of folks to pick a number between one and a hundred, most will choose… the same numbers! The YouTube channel Veritasium surveyed more than 200,000 people and found the most popular numbers to be 7, 37, 42, 69, 73, and 77.

Even when attempting random character strings, we tend to favor keys in the middle of the keyboard. Around 57% of all the passwords we analyzed were found to contain a dictionary word or frequent symbol combination. Worryingly, 51% of these passwords could be cracked in less than a minute, 67% in under an hour, and only 12% took more than a year. However, at least just a few passwords consisted of a dictionary word only (which could be cracked within a minute). See the Securelist post for more about the password patterns we encountered.

Smart algorithms make short work of most passwords that contain dictionary sequences. And they even catch character substitutions — so writing “pa$$word” instead of “password” or “@dmin” instead of “admin” won’t make the password much stronger. Using popular words and number sequences is equally risky. In 4% of the passwords we examined, the following cropped up somewhere:

12345
123456
love
12345678
123456789
admin
team
qwer
54321
password

Recommendations

The takeaways from our hands-on study:

Many user passwords aren’t strong enough; 59% of them can be cracked in an hour.
Using meaningful words, names, and standard character sequences in your password significantly reduces password guessing time.
The least secure password is one that consists entirely of numbers or only words.

To keep your accounts safe, consider the following simple recommendations:

Generate strong passwords using Kaspersky Password Manager.
If you decide to create a password yourself, use mnemonic passphrases rather than meaningful word combinations, names, or dictionary sequences.
Never reuse passwords across different sites, because not all companies store user data securely.
Never save passwords in browsers.
Keep your passwords safely stored in a password manager and create a crack-proof primary password for it.
Check how crack-resistant your password is with Password Checker or directly in your Kaspersky Password Manager. It will identify weak and duplicate passwords, check all your passwords against compromised databases, and alert you if a match is found.
Utilize Kaspersky Premium to continually monitor in the background all accounts linked to your and family members’ phones or email addresses for data leaks.
Enable 2FA wherever possible. Incidentally, Kaspersky Password Manager also lets you save 2FA tokens and generate one-time codes.

Kaspersky official blog – ​Read More

Fraudsters love hype and all-things-trending. Ah, so Toncoin is becoming very popular? Let’s build a cryptocurrency pyramid scheme. Artificial intelligence has hit the next level? Perfect for making voice deepfakes. The Euros have started? Get ready for a month of soccer scams…

The UEFA Euro 2024 tournament will gather over 2.7 million people in stadiums, and another 12 million in fan zones across Germany, while the total number of folks who’ll be following the year’s biggest soccer tournament boggles the mind. Alas, many of these spectators and viewers could make easy targets for scammers. That’s why it’s important to take the right precautions, understand the potential cyberthreats in the soccer world, and learn how to watch your favorite team’s matches safely.

Fake tickets

A typical threat before any major offline event is ticket fraud. In short: buy tickets only from the official UEFA website, or at the stadium box office – not from third parties or any other websites.

What could go wrong otherwise? Here are a few common scenarios:

Payment data compromise. This can happen if you pay by card on a fake (phishing) website. So before attempting to buy a ticket online, make sure there are no typos in the website’s address and that the domain wasn’t registered just a couple of weeks ago.
Personal data compromise. This scenario is also possible when buying from a phishing site — fraudsters may ask for not just your bank details but also your name, address, phone number and email. Be cautious if buying tickets requires an unusual amount of personal data.
Malware downloads. Fraudsters may offer to sell Euro 2024 tickets via a “special app”. This seemingly harmless app could turn out to be a stealer, miner, or something even worse. If you come across an offer to “download this app to buy tickets”, ignore it — it’s a scam.

All these scenarios have the same potential outcome — no tickets actually purchased, financial loss, and a very grumpy mood. If you want to make sure your data hasn’t already been compromised, install Kaspersky Premium — it will protect your devices from viruses, keep you safe from phishing and malicious links while surfing the web, and automatically check for data leaks from your accounts tied to email and phone numbers.

Pirate streams

Even if you plan on watching the entire tournament online — remain vigilant. Some attractively priced streaming services may turn out to be pirated, and a subscription that seems like a great deal could empty your bank account.

The risks here are the same as with tickets — payment and personal data can be stolen, and malicious scripts can be embedded in the streaming site pages, allowing attackers to control your browser and system. That’s why we don’t recommend storing passwords in your browser — use a password manager.

Illegal betting

Another popular type of soccer fraud is betting with illegal, fraudulent bookmakers offering fantastic odds. These outfits lure gamblers with attractive odds, and then disappear within a couple of weeks. As a result, the fans lose their money and, yet again, their payment data ends up in grubby hands. If you want to place a bet on a soccer match, use the official website or app of a bookmaker licensed to operate in your country.

Fake stores

Any soccer tournament involving national teams inevitably causes a surge in the popularity of stores selling fan merchandise: jerseys, scarves, T-shirts and so on. Among the plethora of such shops, it’s best to choose official or offline stores — that way you won’t get scammed.

Fraudsters attract buyers with big discounts, low prices and free shipping, but in reality, these are classic scammer scenarios: without reliable protection, your payment and personal data can be stolen and you’ll never receive your favorite team’s jersey.

Recommendations

Watch soccer matches only on official channels/sites and don’t pay distributors of pirated content.
Use reliable protection that warns you when you’re about to visit a phishing site.
Pay using a virtual card with a set limit. Before purchasing a ticket or subscription, transfer only the amount needed for that one transaction. This way, fraudsters won’t be able to get their hands on anything extra.
Don’t buy tickets on the second-hand market— such tickets may be invalidated by UEFA. It’s better to use the organization’s official website.
Buy fan merchandise only from official stores— otherwise you risk encountering fraudsters.

Kaspersky official blog – ​Read More

Episode 351 of the Transatlantic Cable podcast begins with discussion around Microsoft’s controversial ‘Recall’ feature. Following from there, news turns to discussion around Elon Musk’s frustration around Apple’s decision to include ChatGPT in the upcoming iOS 18.

To wrap up, the team discuss two news stories. The first covers the arrest of 2 suspects in relation to a smishing campaign, and what the police are calling “an illegitimate telephone mast,” converted into a “text message blaster.”  The finals story looks at how a 27-year-old Tamagotchi mystery has finally been solved.

If you liked what you heard, please consider subscribing.

Microsoft ‘recalls’ screenshot feature after outcry
Elon Musk threatens to ban Apple devices from his companies over Apple’s ChatGPT integrations
Two cuffed over suspected smishing campaign using ‘text message blaster’
A 27-Year Old Tamagotchi Mystery Has Been Solved

Kaspersky official blog – ​Read More

Episode 350 of the Kaspersky Transatlantic Cable podcast kicks off with surprising news that whilst Generative AI tools such as ChatGPT and MidJourney are marketed aggressively, they’re not actually that popular with everyday folk – with just 2% of people in the UK saying they use Gen AI in their day.

From there talk moves to news regarding two large data breaches, both of which were hit by the same group “ShinyHunters”.  To wrap up, the team discuss a story around Microsoft’s India X account, which was recently hacked in order to spread crypto scams.

If you liked what you heard, please consider subscribing.

AI products like ChatGPT much hyped but not much used
Ticketmaster hacked. Breach affects more than half a billion users
Santander staff and ’30 million’ customers hacked
Microsoft India’s X account hijacked in Roaring Kitty crypto scam

Kaspersky official blog – ​Read More

Despite being owned by Meta — a company frequently criticized for privacy issues — WhatsApp remains the most popular instant messenger in the world. Surprisingly, it’s also one of the most secure. In this post, we discuss why this is the case, and explain how you can further fortify your WhatsApp conversations with the right privacy and security settings, as well as protect your smartphone with our security solutions.

WhatsApp end-to-end encryption: always on

The most important thing to know about WhatsApp’s security is that all communications are securely protected with end-to-end encryption. It’s powered by the Signal Protocol, developed by the creators of the independent privacy-focused Signal messenger. This is an open protocol, so anyone (with the necessary know-how, of course) can scrutinize its source code for bugs and backdoors.

What this means for you is that all text and voice messages (be they in one-on-one or group chats), along with images, videos, documents, and calls, are encrypted on the sender’s device and only decrypted on the recipient’s device.

This ensures that even WhatsApp itself has no technical ability to snoop on your conversations. This also creates an impenetrable barrier for cybercriminals attempting to intercept messages, whether in transit or by compromising WhatsApp’s servers.

The use of end-to-end encryption for all messages sets WhatsApp apart from Telegram. While Telegram touts its security features, end-to-end encryption isn’t on the default. It’s relegated to so-called “secret chats”, which must be specially created — and which, unfortunately, almost no one ever uses for various reasons.

How to make communication on WhatsApp even safer

So, we’ve covered what makes WhatsApp secure at the base level. Now, let’s explore how you can bolster your defenses against surveillance, unauthorized access to your messages, and other threats to your privacy and security. This involves a bit of fine-tuning within WhatsApp’s settings. Let’s get started…

How to protect WhatsApp from being hijacked

The first thing you should do is to fortify your WhatsApp account against hijacking. WhatsApp accounts are tethered to phone numbers. Therefore, if someone takes control of your number, they can also access your WhatsApp account. This could happen intentionally through a SIM swapping attack, or through an unfortunate consequence of number recycling: if you don’t pay your phone bill on time, the operator could disconnect your number and reassign it to another subscriber.

To protect against this threat, enable two-factor authentication for WhatsApp. Navigate to Settings → Account → Two-step verification and set a PIN code to confirm account logins.

In addition, you can link an email address to your account. This provides a lifeline if you lose access to your phone number. You can enable this in Settings → Account → Email address.

Beyond PIN codes, WhatsApp offers an alternative option for confirming account login: so-called “passkeys”. We’ve dedicated a separate post to discussing what these are and how they work. To enable this option, go to Settings → Account → Passkeys.

I also recommend making it a habit to audit the list of devices logged into your WhatsApp account. You can find this list in Settings → Linked devices. If you spot any suspicious entries, play it safe and log out of that session by selecting the device and tapping Log out.

How to protect your WhatsApp chats from prying eyes

The next step is to ensure that your conversations remain private — even if your phone falls into the wrong hands. To do this, first and foremost, enable the screen lock in your phone’s settings. Don’t forget to disable message previews in WhatsApp push notifications on the lock screen, so no one can read your secrets without unlocking your smartphone — this is done in the Notifications section of your smartphone settings.

It’s also a good idea to enable WhatsApp’s own app lock, in case you forget to lock your device. To do this, head to Settings → Privacy, scroll down almost to the bottom, and locate App lock. I recommend choosing After 1 minute — this strikes a good balance between security and convenience. This way, if you switch from WhatsApp to another app, you’ll have one minute to return to your messages, after which you’ll need to unlock WhatsApp using your chosen method. However, keep in mind that if you leave your smartphone unattended with an open chat and the screen on, WhatsApp won’t automatically lock until the screen times out.

Another way to keep your confidential information away from prying eyes is to lock chats. Such chats disappear from your main chat list and reside in a separate folder. To hide a chat, tap the contact’s profile picture, scroll down, and tap Lock chat.

Situations may arise where you need to quickly get rid of locked chats and their contents. WhatsApp makes this easy to do with a single button: go to Settings → Privacy → Chat lock and tap Unlock and clear locked chats.

To further protect your WhatsApp chats, you can use disappearing messages. There are two ways to use this function. First, you can set a timer for a specific chat. To do this, tap the contact’s profile picture, scroll down to Disappearing messages, and select the desired duration.

The second way is to set a default timer for all new chats. To do this, go to Settings → Privacy → Default message timer and set the interval after which messages will disappear.

Additionally, WhatsApp lets you send photos, videos, and voice messages for one-time viewing (no more). This is easy to do: select the item you want to send, and before hitting send, tap the icon with the number one in the caption field.

How to disable “blue ticks” in WhatsApp

If you prefer to keep your message-reading habits under wraps, you can disable read receipts. To do this, go to Settings → Privacy, scroll down, and toggle off the switch next to Read receipts.

Bear in mind that this is a two-way street: if you disable read receipts, you too will stop seeing blue ticks in chats. It’s also important to know that this feature doesn’t apply to group chats, where people will still see read receipts.

 Other privacy settings in WhatsApp

The Settings → Privacy section in WhatsApp holds a few more settings worth paying attention to. These determine who can access specific information about you. While there are no hard and fast rules — it all boils down to your personal circumstances and preferences — here’s what I consider a balanced approach:

Last seen & online → Nobody.
Profile photo → Everyone.
About → Everyone.
Groups → My contacts.
Status → My contacts.
Calls → Silence unknown callers.

If you use WhatsApp’s live location sharing feature, it’s a good idea to regularly review the list of chats where your location is visible. To do this, go to Settings → Privacy → Live location.

Also, keep in mind that, by default, WhatsApp calls establish a direct connection between participants without involving WhatsApp servers. This helps achieve maximum sound quality, but also means that, in theory, your IP address can be traced. If this concerns you, navigate to Settings → Privacy → Advanced and toggle on Protect IP address in calls.

How to verify the authenticity of someone on WhatsApp

WhatsApp provides a way to confirm that you really are talking to the right person and that no one is eavesdropping on your conversation. Each chat has a unique security code, and you can check it with your chat partner verbally during a call or through a different communication channel. If the codes match, you’re all good. To locate this code, tap your contact’s profile picture in the chat, scroll down, and tap Encryption.

Additionally, you can set up security notifications, which alert you whenever a security code in one of your chats changes. These notifications are disabled by default but can be activated in Settings → Account → Security notifications.

How to create a secure backup of your WhatsApp chats or migrate chats to a new device

WhatsApp allows you to back up your chats, and the backup is stored not on WhatsApp’s own servers, but in the Apple or Google cloud. To protect this backup against leaks, you can also use end-to-end encryption.

To create a backup, go to Settings → Chats → Chat backup. Note here that encryption is off by default. To enable it, select End-to-end encrypted backup.

The Settings → Chats section also allows you to transfer your WhatsApp chats to another device without relying on Apple or Google cloud services. From an iPhone, you can transfer your chats to another iOS device or an Android device by selecting Transfer chats to iPhone or Move chats to Android, respectively. On Android, you can only transfer to another Android device — select Transfer chats.

Don’t forget to protect your devices using WhatsApp

Remember that all your efforts to protect your WhatsApp chats could be completely wasted if someone gains access to one of your devices where the messenger is installed. This could be either physical access or remote access through spyware. Therefore, ensuring the security of these devices is a top priority:

Enable screen lock and set a secure unlock method.
Disable lock screen notifications.
Use a reliable security solution on all your devices.

And to set up privacy and security not only in WhatsApp, but also on social networks, and in online services and applications, use our free Privacy Checker service. Select the platform, application, and security level you’re interested in, and get step-by-step, detailed recommendations.

Kaspersky official blog – ​Read More