How hackers can crack your password in a minute

19 June 2024

Cybercriminals could guess almost half of the passwords in circulation in under a minute. This and other, particularly worrying, findings come from a large-scale Kaspersky study of how well 193 million passwords, compromised by infostealers and traded on the darknet, stand up to brute-force and smart guessing attacks.

According to the results, fraudsters could guess 45% of all the passwords analysed (87 million) within one minute. Kaspersky's experts also identified which character combinations people use most often when creating passwords. Only 23% (44 million) of the combinations proved strong enough to take more than a year to crack.

Kaspersky's telemetry recorded more than 32 million attempts to attack users with password stealers in 2023. These figures underline the importance of digital hygiene and timely password policies.

In June 2024, Kaspersky analysed 193 million passwords that had been posted publicly on various darknet resources. The results show that most of the passwords reviewed were not strong enough and could be cracked easily using clever guessing algorithms. Here is how quickly that can happen:

  • 45% (87M) in less than 1 minute.
  • 14% (27M) - from 1 minute to 1 hour.
  • 8% (15M) - from 1 hour to 1 day.
  • 6% (12M) - from 1 day to 1 month.
  • 4% (8M) - from 1 month to 1 year.

The experts classified only 23% (44M) of the passwords as resilient, meaning that cracking them would take more than a year.

In addition, the majority of the passwords examined (57%) contain a dictionary word, which significantly reduces their strength. Among the most popular vocabulary sequences, several groups stand out:

  • Names: "ahmed", "nguyen", "kumar", "kevin", "daniel".
  • Popular words: "forever", "love", "google", "hacker", "gamer".
  • Typical passwords: "password", "qwerty12345", "admin", "12345", "team".

The analysis showed that only 19% of all passwords contained every element of a strong combination: a non-dictionary word that mixes lowercase and uppercase letters, numbers and symbols. Even so, the researchers were able to guess 39% of those passwords with clever algorithms in less than an hour.

Perhaps most worrying, an attacker needs neither deep knowledge nor expensive equipment to crack passwords. For example, a powerful laptop processor can find the right combination for a password of 8 letters or digits by brute force in as little as 7 minutes, and a modern graphics card does the same in 17 seconds. On top of that, smart password-guessing algorithms account for character substitutions (replacing "e" with "3", "1" with "!" or "a" with "@") and popular sequences ("qwerty", "12345", "asdfg").
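The two attack modes the article describes, pure brute force over a character set and smart guessing that mangles dictionary words, behave very differently against a password that "looks" strong. The following is an added illustration (not Kaspersky's code or data) of why a password such as "P@ssw0rd123", which has mixed case, digits and a symbol and no literal dictionary word, is found within a hundred guesses by a substitution-aware guesser while brute force over the same character classes would take centuries. The dictionary, substitution table, suffix list and the guess rates are all constructed assumptions chosen for the demonstration.

```python
"""Brute-force keyspace versus substitution-aware smart guessing.

Added illustration; DICTIONARY, SUBSTITUTIONS, POPULAR_SEQUENCES and RATES are
constructed assumptions for this example, not figures from the Kaspersky study.
"""
import itertools

DICTIONARY = ["password", "love", "admin", "kevin", "hacker", "forever"]
# Leetspeak-style swaps of the kind the article mentions (assumed table).
SUBSTITUTIONS = {"a": ["@"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["$"]}
# Common suffixes appended to a base word ("" keeps the bare word).
POPULAR_SEQUENCES = ["", "123", "12345", "qwerty", "!"]
# Assumed guesses per second; real rates depend heavily on the hash algorithm.
RATES = {"laptop CPU": 1e9, "GPU": 1e11}


def mangle(word):
    """Yield variants of `word`: every combination of character substitutions,
    with and without a capitalised first letter, each followed by a popular suffix."""
    options = [[ch] + SUBSTITUTIONS.get(ch, []) for ch in word]
    seen = set()
    for combo in itertools.product(*options):
        base = "".join(combo)
        for cased in (base, base[:1].upper() + base[1:]):
            for suffix in POPULAR_SEQUENCES:
                candidate = cased + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def smart_guess(password, dictionary=DICTIONARY):
    """Return (base_word, guesses_tried) when `password` is a mangled dictionary
    word, or None if the whole dictionary is exhausted without a hit."""
    tried = 0
    for word in dictionary:
        for candidate in mangle(word):
            tried += 1
            if candidate == password:
                return word, tried
    return None


def charset_size(password):
    """Size of the union of standard character classes present in `password`."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_seconds(charset, length, rate):
    """Worst-case time to enumerate every string of `length` over `charset` symbols."""
    return charset ** length / rate


def looks_strong(password, dictionary=DICTIONARY):
    """The article's 'strong combination': lowercase, uppercase, digits and symbols
    all present, and no dictionary word appearing literally."""
    lowered = password.lower()
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return all(classes) and not any(w in lowered for w in dictionary)


def assess(password, rate):
    """Compare naive brute-force time with what the substitution-aware guesser needs."""
    hit = smart_guess(password)
    return {
        "looks_strong": looks_strong(password),
        "brute_force_seconds": brute_force_seconds(charset_size(password), len(password), rate),
        "smart_guess_seconds": None if hit is None else hit[1] / rate,
        "base_word": None if hit is None else hit[0],
    }


if __name__ == "__main__":
    # Constructed sample passwords: two mangled dictionary words, one random string.
    for pw in ("P@ssw0rd123", "Adm1n!", "xq7!Lm2#vzp"):
        for name, rate in RATES.items():
            r = assess(pw, rate)
            print(f"{pw:12} {name:10} strong-looking={r['looks_strong']!s:5} "
                  f"brute-force={r['brute_force_seconds']:.3g}s "
                  f"smart-guess={r['smart_guess_seconds']} (word={r['base_word']})")
```

Running it shows "P@ssw0rd123" passing the complexity check yet falling to the 97th candidate generated from the dictionary, whereas the random string is never found by the mangler and its brute-force estimate runs to centuries at the assumed GPU rate. The absolute times are only as good as the assumed rates: against a fast unsalted hash a GPU tries billions of candidates per second, while a properly tuned slow hash such as bcrypt or Argon2 cuts that by orders of magnitude, but the ratio between the two attack modes stays the same.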

To strengthen their passwords, users can follow these simple tips:

  • It is almost impossible to memorize long, unique passwords for every service you use, but with a password manager you only need to remember one master password.
  • Use a different password for each service. That way, even if one of your accounts is stolen, the others won't be compromised.
  • Passphrases are more secure when they use unexpected words. Even common words can be put in an unusual order, as long as they are unrelated to each other. There are also online services that can check whether a password is strong enough; use them to test candidate patterns rather than the exact password you intend to use.
  • It's best not to use passwords that can be easily guessed from your personal details, such as birthdays, family members' names, pets or your own name. These are often the first guesses an attacker will try.
  • Activate two-factor authentication (2FA). Although not directly related to password strength, 2FA adds an extra layer of security: even if someone discovers your password, they still need a second form of verification to access your account. Modern password managers can also store 2FA secrets and protect them with current encryption algorithms, though keeping both factors in the same vault makes that vault a single point of compromise.
  • A reliable security solution further enhances your protection: it monitors the Internet and the dark web and warns you if any of your passwords need to be changed.