60% of MD5 Password Hashes Can Be Cracked in Under an Hour with a Single GPU
A new Kaspersky study using 231 million real-world leaked passwords reveals how dramatically modern GPU hardware has undermined MD5-based password security — and why the burden of fixing it must fall on service providers, not users.
On this year’s World Password Day, cybersecurity firm Kaspersky released a sweeping study on real-world password vulnerability, and the results offer little comfort: using a single consumer-grade high-end graphics card to brute-force MD5 password hashes, researchers were able to crack 60% of passwords within an hour, with nearly half — 48% — falling in under a minute.
The study, conducted by Kaspersky’s Digital Footprint Intelligence team, drew on a dataset of over 231 million unique passwords leaked from dark web forums between 2023 and 2026. This included 38 million new entries added since their prior study in 2024, making it one of the most comprehensive real-world password cracking analyses conducted to date. Researchers re-hashed these plaintext passwords using the MD5 algorithm and then ran cracking attempts on a single NVIDIA GeForce RTX 5090 graphics card.
The Hardware Driving the Threat
The RTX 5090, NVIDIA’s current flagship consumer GPU, is capable of computing MD5 hashes at a rate of 220 gigahashes — or 220 billion hashes — per second. That represents a 34% speed improvement over the RTX 4090, which was used in Kaspersky’s 2024 iteration of this study and managed 164 gigahashes per second. While the RTX 5090 carries a price tag of several thousand dollars, Kaspersky is quick to point out that hardware ownership is not the barrier it might appear to be.
“One hour is all an attacker needs to crack three out of every five passwords they’ve found in a leak.”
— Kaspersky Research Report, May 2026

Cloud computing marketplaces offer GPU rental at rates ranging from a few cents to a few dollars per hour. This means any attacker who obtains a database of MD5-hashed passwords from a breach can rent comparable cracking power on demand, without any upfront hardware investment. The cost of cracking the majority of a leaked password database may amount to only a handful of dollars.
The Human Factor: Predictability at Scale
Kaspersky’s analysis of over 200 million exposed credentials uncovered deeply entrenched patterns in how people choose passwords — patterns that attackers can exploit to dramatically narrow the search space before brute force even begins.
- More than 50% of passwords end with one or more digits
- 17% begin with a number
- 12% include year-like numeric sequences (e.g., 1950–2030)
- “1234” remains the most common numeric string used
- Common word bases include: love, angel, star, magic, friend
- The “@” symbol appears in 10% of passwords containing special characters
- 3% include keyboard sequences such as “qwerty” or “1234”
- Usage of the word “Skibidi” surged 36× from 2023 to 2026, tracking internet trends
- 54% of passwords analyzed had previously appeared in earlier data leaks
- Average password lifespan: 3–5 years — most users never change them
These patterns allow modern cracking tools to prioritise the most statistically likely candidates first: a dictionary seeded with earlier leaks, combined with mangling rules that append digits or years, capitalise the first letter, prepend a digit, or substitute symbols, reproduces most of these habits with a handful of rules. The effective search space, and with it the cracking time, falls far below what a purely random brute-force pass over the full keyspace would require.
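To make the rule-based approach concrete, here is an added example (not code or data from the Kaspersky study, which used hashcat-class tooling on a GPU): a tiny base-word list and a few mangling rules modelled on the patterns listed above, run against a constructed "leak" of MD5 hashes. The word list, rules, and the six passwords in the leak are all assumptions chosen for illustration; the point is that a few thousand candidates recover every pattern-following password while the one random password survives.

```python
import hashlib

# Constructed example. The word list and rules are a tiny stand-in for the
# leak-derived dictionaries and rule sets real cracking tools use.
BASE_WORDS = ["love", "angel", "star", "magic", "friend", "qwerty", "password"]
YEARS = [str(y) for y in range(1950, 2031)]          # year-like sequences
SUFFIXES = [str(d) for d in range(10)] + ["12", "123", "1234", "!", "@", "1!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def candidates(base_words=BASE_WORDS):
    """Yield guesses roughly in order of likelihood: bare word and case
    variants, then word + short suffix, word + year, leading digit, leetspeak."""
    forms = []
    for w in base_words:
        forms.extend([w, w.capitalize(), w.upper()])
    yield from forms
    for w in forms:
        for s in SUFFIXES:
            yield w + s
    for w in forms:
        for y in YEARS:
            yield w + y
    for w in forms:
        for d in "0123456789":
            yield d + w
    for w in forms:
        yield w.translate(LEET)


def crack(targets, max_candidates=1_000_000):
    """targets: set of MD5 hex digests from a (constructed) leak.
    Returns (recovered {hash: plaintext}, number of candidates hashed)."""
    remaining = set(targets)
    found = {}
    tried = 0
    for cand in candidates():
        tried += 1
        h = md5_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
            if not remaining:
                break
        if tried >= max_candidates:
            break
    return found, tried


# Constructed "leak": five pattern-following passwords and one random one.
LEAK_PLAINTEXTS = ["angel2019", "Love1234", "star1", "7magic", "Friend!", "kZ9#vQ2mL!pR4"]
LEAK_HASHES = {md5_hex(p) for p in LEAK_PLAINTEXTS}


if __name__ == "__main__":
    found, tried = crack(LEAK_HASHES)
    print(f"{len(found)}/{len(LEAK_HASHES)} recovered after {tried} candidates")
    for h, pw in found.items():
        print(f"  {h}  {pw}")
```

The generator emits roughly 2,300 candidates in total, which a CPU finishes in milliseconds; at 220 gigahashes per second the same ordering, scaled to a real leak-derived dictionary of tens of millions of words and hundreds of rules, is why the bulk of a leak falls within minutes.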
A Worsening Trend: 2024 vs. 2026
Kaspersky’s 2026 findings represent a modest but directionally troubling shift compared to their 2024 baseline. Two years ago, approximately 45% of passwords could be cracked in under a minute and 59% within an hour. In 2026, those figures have risen to 48% and 60% respectively.
| Timeframe | 2024 Study (RTX 4090) | 2026 Study (RTX 5090) | Change (percentage points) |
|---|---|---|---|
| Under 1 minute | ~45% | 48% | ▲ +3 |
| Under 1 hour | ~59% | 60% | ▲ +1 |
| Under 24 hours | — | 68% | — |
While the numerical improvement year-over-year is small, the structural trend is clear: GPU performance advances annually, while user password habits have remained largely stagnant. The gap between attacker capability and password resilience is widening in one direction only.
Why MD5 Is the Wrong Tool for Password Storage
MD5 was never designed as a password storage mechanism. Its central weakness in this context is not reversibility: MD5 hashes cannot be mathematically reversed, and even MD5's well-known collision weaknesses do not help an attacker recover a password from its hash. The problem is speed. The algorithm was engineered to be extremely fast to compute, which is precisely what makes it dangerous when used for password hashing: attackers can test billions of candidate passwords per second until one produces a matching hash. Adding a per-user salt does not change this; a salt defeats precomputed tables and forces each hash to be attacked separately, but every attempt is still a single fast MD5 computation.
Modern alternatives specifically designed for password hashing, such as bcrypt, Argon2, and scrypt, deliberately introduce a tunable computational cost (bcrypt's work factor, the time and memory parameters of scrypt and Argon2), making each individual hash attempt orders of magnitude slower and, for the memory-hard designs, far harder to run thousands of times in parallel on a GPU. Because the cost parameter can be raised as hardware improves, the defender's margin does not silently erode with each new GPU generation. The Kaspersky study's central message is that any system still relying solely on MD5 to store passwords is operating with a security margin that has already expired.
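The difference in per-guess cost is easy to measure. The following is an added example, not code from the Kaspersky report or from any of the hashing libraries it names: it stores and verifies a password with scrypt (chosen because it ships in Python's hashlib; Argon2id via argon2-cffi or bcrypt via the bcrypt package would follow the same pattern) and times one scrypt evaluation against one MD5 evaluation on the local CPU. The cost parameters N=2**14, r=8, p=1 and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed cost parameters: N=2**14, r=8, p=1 needs 128*r*N = 16 MiB per hash,
# within hashlib.scrypt's default 32 MiB maxmem. Raise N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_store(password: str) -> str:
    """Legacy scheme the study attacks: unsalted, single-pass MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard record in an assumed 'scrypt$N$r$p$salt_hex$key_hex' layout."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False                      # malformed or legacy (e.g. bare MD5) record
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


def time_per_hash(fn, password: str = "angel2019", rounds: int = 20) -> float:
    """Mean wall-clock seconds for one call of fn(password)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password)
    return (time.perf_counter() - start) / rounds


def slowdown_factor(rounds: int = 20) -> float:
    """How many MD5 evaluations fit in the time of one scrypt evaluation on this CPU."""
    return time_per_hash(scrypt_store, rounds=rounds) / time_per_hash(md5_store, rounds=rounds * 50)


if __name__ == "__main__":
    rec = scrypt_store("angel2019")
    print(rec)
    print("correct password verifies:", scrypt_verify("angel2019", rec))
    print("wrong password verifies:  ", scrypt_verify("angel2020", rec))
    print(f"scrypt is ~{slowdown_factor():,.0f}x slower than MD5 per guess on this machine")
```

Two things the code makes visible: the cost parameters travel with the record, so they can be raised for new passwords without invalidating old ones, and the per-guess slowdown is in the tens of thousands on a CPU even before memory hardness limits how many evaluations a GPU can keep in flight. That factor, not any secrecy about the algorithm, is what turns "an hour for 60% of the leak" into something no rented GPU fleet will finish.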
Expert Perspectives: Rethinking Responsibility
“Passwords will not truly disappear for a considerable period, and the deployment of next-generation security technologies is extremely uneven. Many websites and services do not yet support them, forcing users to switch back and forth between traditional passwords and new solutions.”
Furnell adds that many services fail to explain to users how to create passwords that meet modern standards, or simply do not enforce sufficiently strict password policies — allowing weak passwords to be set from the outset. In his view, the real message of World Password Day 2026 should not be another call for individual users to improve their security awareness, but an urgent directive to websites and service providers that still rely primarily on passwords to assume their due security responsibilities.
“Passwords must be integrated into a broader identity security strategy, rather than existing in isolation. Even strong passwords can be rendered ineffective if the identity and access management environment lacks unified governance, due to loose configurations, session hijacking, or privilege abuse.”
Gunner recommends integrating multi-factor authentication with identity governance and endpoint protection to build a more complete zero-trust model — one that assumes any single authentication layer will eventually be breached, and constructs layered defences accordingly. In his view, the first authentication door will eventually be opened; what matters is how many doors lie behind it.
What This Means in Practice
The implications of the Kaspersky study extend well beyond individual password hygiene. For organisations that store user credentials, any database relying solely on MD5 hashing is effectively a liability — not a protected asset — the moment it is exfiltrated. The compute cost to crack the majority of its contents in 2026 is measured in dollars and hours, not months or expertise.
- Replace MD5 with purpose-built slow hashing algorithms: bcrypt, Argon2, or scrypt
- Enforce passwords of 16+ characters combining random letters, numbers, and symbols
- Implement multi-factor authentication (MFA), preferring biometrics or hardware keys over SMS
- Deploy passkeys wherever possible — they are phishing-resistant and cryptographically bound
- Use a reputable password manager; avoid storing passwords in browsers
- Never reuse passwords across services; the average leaked password persists 3–5 years
- Service providers must enforce strict password policies at registration, not merely recommend them
Kaspersky has also noted that in real-world attack scenarios, adversaries are not limited to a single GPU. Cloud infrastructure allows attackers to scale horizontally: ten, a hundred, or even more GPUs can be rented simultaneously, cutting cracking times roughly in proportion.
The broader consensus among security experts is unambiguous: the era in which MD5-hashed passwords provided meaningful protection is over. The question is no longer whether a leaked database can be cracked, but how quickly. Systemic change — at the level of platforms, developers, and regulators — is not optional. It is overdue.
