Facepalm: A couple of years ago, Kaspersky Lab tested the resilience of hashed passwords against a modern gaming GPU. Now, the Moscow-based security firm has updated its study and found that things are getting slightly – but undeniably – worse.

Just in time for World Password Day, Kaspersky is reminding everyone that outdated hashing algorithms such as MD5 remain among the worst choices for storing passwords. In a recent post, the security firm revisited a 2024 study examining the "crackability" of real-world passwords. The conclusion is not surprising: password cracking speeds continue to improve, which means overall security is steadily getting worse.

Hashing algorithms are designed to convert strings of arbitrary length into fixed-length hash values. Even the smallest change in the input text produces a completely different hash, meaning that a properly secured hash database should protect user passwords from crackers and cybercriminals even if the database itself is leaked.

That is the theory, at least. In practice, the widely used MD5 algorithm is notorious for being an insecure option for password hashing. MD5 isn't actually reversible – there's no mathematical shortcut to recover the original input. What makes it dangerous is that it's designed to be extremely fast to compute, which allows attackers to brute-force billions of candidate passwords per second until one produces a matching hash. The algorithm may still be a suitable choice for other, non-cryptographic purposes such as file integrity checks.

Kaspersky's post focused on 231 million unique passwords leaked on the dark web. The Moscow-based analysts hashed the password database using MD5 and then tested password resilience by attempting to crack the hashes with a single GeForce RTX 5090 GPU. Kaspersky ultimately found that passwords remain as weak as ever, while cracking them keeps getting easier and faster thanks to modern hardware acceleration.

The data showed that 60% of the tested passwords could be cracked in less than an hour, compared to 59% two years ago. Even worse, nearly half of all passwords (48%) were cracked in under 60 seconds. Password length remains one of the most important factors in determining strength, but users still tend to create highly predictable passwords that make the cracking process significantly easier.

User-created passwords are often as weak as "123456," while AI-generated passwords can also be cracked with relative ease if attackers understand the patterns favored by generative AI models. MD5 hashing has effectively become a major security liability, because leaked password databases can continue circulating across underground forums for years.

Kaspersky recommends moving away from MD5 toward slower, purpose-built password hashing functions like bcrypt or Argon2, which are specifically designed to resist brute-force attacks by making each hash computation expensive. Enabling multi-factor authentication and replacing passwords with passkeys whenever possible adds a critical second line of defense, since a cracked password alone is no longer enough to gain access.
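To make the recommendation concrete, here is an added example (not from Kaspersky or the original article) that stores and verifies a password with a salted, deliberately slow hash and measures how much more each guess costs than with MD5. It uses scrypt from Python's standard library as a stand-in for bcrypt or Argon2, which require third-party packages; the cost parameters and the record format are assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed cost parameters (not from the article): about 16 MiB of memory per guess.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=DKLEN)


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)  # unique per record, so equal passwords hash differently
    return f"scrypt${N}${R}${P}${salt.hex()}${_scrypt(password, salt, N, R, P).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        candidate = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):  # malformed record or rejected parameters
        return False


def seconds_per_hash(fn, rounds: int) -> float:
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"candidate{i}")
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more CPU time one scrypt guess costs than one MD5 guess."""
    md5_cost = seconds_per_hash(lambda pw: hashlib.md5(pw.encode()).digest(), 20000)
    kdf_cost = seconds_per_hash(lambda pw: _scrypt(pw, b"constructed-salt", N, R, P), 3)
    return kdf_cost / md5_cost


if __name__ == "__main__":
    print(f"one scrypt guess costs about {slowdown_factor():,.0f}x one MD5 guess")
```

The ratio is measured on the local CPU and will not match GPU cracking rates, but it shows the per-guess cost gap that the slower functions are built to create.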