Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Bad news — many of today's top passwords can be brute force cracked in less than an hour

Shadowed hands on a digital background reaching for a login prompt.

If you are not using random, computer-generated passwords, or one of the best password generators, chances are your logins can be cracked within an hour, research has warned.

A new report on password strength conducted recently by Kaspersky noted  the advancements in computer processing power made cracking passwords significantly easier. 

In their experiment, the researchers used a database of 193 million passwords, obtained from the dark web. These were hashed and salted, meaning they still needed to guess them.

Improving the algorithm

The researchers then used an Nvidia RTX 4090 GPU and tried to estimate the time needed to crack the passwords using different algorithms.

The gist of the research is that some eight-character passwords can be cracked as fast as 17 seconds. These passwords were composed of same-case English letters and digits, or 36 combinable characters. Looking at the entire database, it took the researchers less than an hour to crack more than half (59%) of the passwords. 

The researchers tried out different algorithms, including the vastly popular brute force attack. This method tries all possible password combinations, and while it’s less effective for longer passwords, and those with diverse character types, it was still able to crack many short and simple passwords easily. Then, they tried to improve on brute force, by having it consider certain character combinations, words, names, dates, and sequences.

With the most efficient algorithm, the researchers guessed 45% of passwords within a minute, 59% within an hour, and 73% within a month. Only a quarter (23%) of passwords would take longer than a year to crack. 

To better protect the accounts, Kaspersky recommends users go for random, computer-generated passwords, avoid meaningful words and names in passwords, and check the password strength with the best password managers

Finally, it recommends users ensure the passwords aren’t included in leaked databases by checking HaveIBeenPwned?, and make sure they’re using unique passwords for different websites.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.