A recent study by cybersecurity firm Kaspersky has unveiled a disturbing reality about the state of password security. The research analyzed 193 million passwords found on dark web resources, revealing that a staggering 59% of these passwords could be cracked in less than an hour. That's a scary stat, considering passwords protect everything from our bank accounts to our health information to our IRS accounts.
Study methodology and detailed results
Kaspersky's research team employed various password-guessing algorithms to assess the strength of the sampled passwords. The first method used was a Brute Force Attack, which systematically tries all possible character combinations. Using an RTX 4090 GPU and the MD5 hashing algorithm with a salt, researchers achieved an impressive speed of 164 billion hashes per second.
The study's findings paint a concerning picture of password vulnerability. Here's a breakdown of how quickly the analyzed passwords could be cracked:
- 45% of passwords could be guessed in less than a minute.
- 14% took between 1 minute to 1 hour to crack.
- 8% required 1 hour to 1 day.
- 6% needed 1 day to 1 month.
- 4% took 1 month to 1 year.
- Only 23% of passwords were resistant enough to withstand cracking attempts for more than a year.
The study also revealed that 57% of examined passwords contained dictionary words, significantly reducing their strength. Researchers identified several groups of commonly used sequences:
- Names: "ahmed", "nguyen", "kumar", "kevin", "daniel"
- Popular words: "forever", "love", "google", "hacker", "gamer"
- Standard passwords: "password", "qwerty12345", "admin", "12345", "team"
Importantly, even passwords using all recommended character types (uppercase and lowercase letters, digits, and special characters) were vulnerable, with only 20% proving resistant to brute-force attacks.
Implications for digital security
These findings have serious implications for both your personal and professional digital security. Kaspersky says that there were more than 32 million attempts to attack their users with password stealers in 2023, highlighting the real and growing risk. Weak passwords leave you vulnerable to identity theft, financial fraud, and unauthorized access to your sensitive information.
Best practices for password security
There are a few basic steps everyone can (and should) take to protect your accounts.
Use strong, unique passwords
Using unique passwords is crucial for maintaining digital security. Never reuse passwords across multiple accounts. Instead, create a distinct password for each service or website you use.
Creating complex passphrases can significantly enhance your password strength. Use a combination of unrelated words to form a passphrase, aiming for at least 4 words and 15 characters in total. Incorporate uppercase and lowercase letters, numbers, and symbols into your passphrase. However, avoid using common phrases or quotes that might be easily guessed.
Avoiding personal information in your passwords is essential. Don't use easily guessable information like birthdays, family names, or pet names. Also, avoid using parts of your email address or username in your password. Steer clear of sequential numbers or letters, such as "123" or "abc", which are easily cracked.
For additional tips, read my story on how to create a strong password.
Use a password manager
Creating and remembering numerous strong, unique passwords is obviously an impossible task, but password managers are the perfect solution. They provide everything you need to manage your strong password strategy:
- Generating highly secure, random passwords.
- Encrypting and safely storing passwords.
- Autofilling login credentials, reducing the risk of keyloggers.
- Syncing across multiple devices securely.
- Offering password health checks and breach alerts.
- Providing secure note storage for other sensitive information.
At Techlicious, we use and recommend 1Password ($2.99 per month with annual plan) and Dashlane ($4.99 per month). Both are easy to use and have industry-leading security. Dashlane is more expensive because it includes additional features, like a VPN. For a free password manager, I recommend Google’s password manager, which is built into Chrome. It’s easy to use and works across all operating systems.
Read more: Everything You Need to Get Started with Google Password Manager
Enable two-factor authentication (2FA)
Enabling Two-Factor Authentication (2FA) adds an extra layer of security to your accounts. Activate 2FA on all accounts that offer it. When possible, use authenticator apps like Microsoft Authenticator, rather than SMS for 2FA, as they are more secure.
Read more: How to Protect Your Accounts with Two-Factor Authentication
Use a reliable anti-malware solution
Invest in a security suite that includes dark web monitoring. Keep your security software updated to ensure you're protected against the latest threats. Take advantage of features that alert you to potential password leaks or compromises.
I recommend Bitdefender Ultimate Security and McAfee Total Protection for an anti-malware program. With the Biden administration’s recent announcement that they plan on banning the sale of Kaspersky Lab’s antivirus software in the U.S., we cannot recommend Kaspersky’s products.
Be wary of phishing attempts
Being wary of phishing attempts is crucial in maintaining password security. Never enter your password on a site you've reached via an email link. Always double-check the URL before entering login credentials. Use your password manager to reach sites to avoid manually entering passwords on potentially fake sites.
Secure your home network
Securing your home network is an often-overlooked aspect of password security. Use a strong, unique password for your WiFi router. Enable WPA3 encryption on your router. Regularly update your router's firmware to patch any security vulnerabilities.
Final thoughts
The Kaspersky study serves as a stark reminder of the vulnerabilities of passwords. As Yuliya Novikova, head of Digital Footprint Intelligence at Kaspersky, notes, "Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms." By implementing the basic password hygiene and utilizing tools like password managers, you can significantly reduce the risk of your passwords being cracked and your accounts hacked.
[Image credit: Concept of passwords for sale on the Dark Web generated by DALL-E]
For the past 20+ years, Techlicious founder Suzanne Kantra has been exploring and writing about the world’s most exciting and important science and technology issues. Prior to Techlicious, Suzanne was the Technology Editor for Martha Stewart Living Omnimedia and the Senior Technology Editor for Popular Science. Suzanne has been featured on CNN, CBS, and NBC.
