60% of MD5-Hashed Passwords Can Be Cracked in Under an Hour by a Single RTX 5090 — Kaspersky’s 2026 Research Sounds the Alarm
A new Kaspersky study analyzing over 231 million leaked real-world passwords finds that modern GPUs have made MD5-based password storage dangerously obsolete — and attackers don’t even need to own the hardware.
On World Password Day, Kaspersky’s Digital Footprint Intelligence team published research that lays bare just how badly the gap between attacker capability and everyday password hygiene has widened. Testing a database of more than 231 million unique passwords — drawn from real dark-web leaks spanning 2023 to 2026 — against a single consumer GPU, researchers found that 60% of MD5-hashed passwords could be recovered in under one hour, and nearly half (48%) fell within 60 seconds.
The dataset is the largest Kaspersky has tested to date, expanded by 38 million new entries since their 2024 iteration. Researchers re-hashed the plaintext passwords with the MD5 algorithm and then ran cracking attempts using a single NVIDIA GeForce RTX 5090 graphics card. The results track a troubling trend: in 2024, the comparable figure was 59% cracked within an hour. One year later, hardware has improved; password habits have not.
Why MD5 Is So Vulnerable to GPU Attacks
MD5 was designed as a fast general-purpose hashing algorithm — a property that makes it catastrophically unsuitable for password storage. Because it produces results at extreme speed, modern GPUs can exploit that throughput to try billions of candidate passwords per second, comparing each resulting hash against a stolen database. The RTX 5090 achieves approximately 220 gigahashes (220 billion hashes) per second on MD5 — a 34% improvement over the RTX 4090, which managed 164 gigahashes per second in the 2024 study.
Passwords remain as weak as ever, while cracking them becomes faster and easier with every year.
— Kaspersky Digital Footprint Intelligence, May 2026
It is important to note that this attack scenario assumes an attacker has already obtained a database of hashed passwords — for example, through a data breach — and is working offline. Cracking passwords through live login attempts is a separate, much slower threat. Nevertheless, large-scale database breaches are a regular occurrence, making offline cracking a highly realistic risk.
The “17 Seconds” Figure: Context Matters
A frequently cited figure in earlier reporting stated that the RTX 4090 could crack an “8-character complex password” in 17 seconds. That claim requires careful qualification. According to Kaspersky’s own 2024 Securelist analysis, the 17-second figure applies only to 8-character passwords composed of same-case letters and digits — a relatively limited 36-character set. A fully complex 8-character password incorporating uppercase, lowercase, numbers, and symbols takes the RTX 4090 approximately 59 minutes under MD5 — not 17 seconds. The distinction matters: password complexity still provides meaningful protection even against fast hardware, though complexity alone is no longer sufficient.
GPU Cracking Speed: RTX 4090 vs. RTX 5090 on MD5
| GPU | MD5 Speed | % Cracked ≤ 1 min | % Cracked ≤ 1 hr |
|---|---|---|---|
| RTX 4090 (2024 study) | 164 GH/s | 45% | 59% |
| RTX 5090 (2026 study) | 220 GH/s | 48% | 60% |
Attackers Don’t Need to Own the Hardware
Perhaps the most underappreciated finding is the low barrier to entry. While an RTX 5090 retails for several thousand dollars, cloud platforms allow anyone to rent equivalent GPU compute by the hour — at costs ranging from a few cents to a few dollars per hour. Since cracking 60% of a leaked password database can take under an hour with a single GPU, the financial cost to an attacker is negligible. The research also notes that attackers can parallelize across multiple rented GPUs, accelerating results by orders of magnitude.
Predictable Passwords Make It Worse
Beyond raw hardware speed, Kaspersky’s analysis of human password patterns amplifies the threat. Of the 200+ million credentials studied: 53% end with one or more digits; 17% begin with a number; 12% include year-like sequences between 1950 and 2030; and the numeric string “1234” remains the most common suffix. Common base words include “love,” “angel,” and “star.” Even newer internet slang — such as “Skibidi” — surged 36-fold in usage, showing users reach for pop culture rather than randomness when choosing passwords.
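The patterns listed above can be checked when a user chooses a password. The following is an added example, not code from Kaspersky or the study; the function names and trait labels are hypothetical, and the word list holds only the three base words the article names.

```python
import re
from collections import Counter

# Only the three base words the article names; not a complete dictionary.
BASE_WORDS = ("love", "angel", "star")
# Any four-digit run from 1950 to 2030 inclusive.
YEAR_RE = re.compile(r"19[5-9][0-9]|20[0-2][0-9]|2030")

def predictable_traits(password: str) -> list[str]:
    """Return the predictable traits (hypothetical labels) a password shows."""
    traits = []
    if re.search(r"[0-9]+$", password):
        traits.append("ends_with_digits")
    if re.match(r"[0-9]", password):
        traits.append("starts_with_digit")
    if YEAR_RE.search(password):
        traits.append("contains_year_1950_2030")
    if password.endswith("1234"):
        traits.append("suffix_1234")
    if any(word in password.lower() for word in BASE_WORDS):
        traits.append("common_base_word")
    return traits

def trait_rates(passwords: list[str]) -> dict[str, float]:
    """Share of passwords (0..1) showing each trait, for auditing a set."""
    if not passwords:
        return {}
    counts = Counter(t for p in passwords for t in predictable_traits(p))
    return {trait: n / len(passwords) for trait, n in counts.items()}

# Constructed sample input, not data from the study.
SAMPLE = ["love1234", "2024Skibidi", "angel1999", "qT7#vLw!pZe@Xr9&"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {predictable_traits(pw) or 'no listed trait'}")
    print(trait_rates(SAMPLE))
```

A password with no listed trait is not thereby strong; the check only rejects the habits the study measured.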
What Service Providers Should Do
Kaspersky’s guidance is unambiguous: abandon MD5 entirely for any password storage purpose. The algorithm was never designed for this use, and the mismatch between its speed-oriented design and the slow-by-design requirements of secure password hashing is irreparable by any configuration tweak. Service providers should migrate to purpose-built password hashing functions — specifically bcrypt or Argon2 — which are deliberately slow to compute and can be tuned to stay one step ahead of improving hardware. Unlike MD5, a bcrypt-hashed complex 8-character password can take a single RTX 4090 approximately 99 years to exhaust.
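One way to carry out the migration described above without waiting for every user to log in, as an added example that is not from Kaspersky's report. It assumes scrypt from Python's standard library as a stand-in for bcrypt or Argon2 so that it runs without third-party packages; the record formats and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: scrypt stands in for bcrypt/Argon2; raise n as hardware improves.
PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def kdf(secret: str, salt: bytes) -> str:
    return hashlib.scrypt(secret.encode(), salt=salt, **PARAMS).hex()

def md5_hex(password: str) -> str:
    # Needed only to reproduce the legacy digest during migration.
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()

def new_record(password: str) -> str:
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${kdf(password, salt)}"

def wrap_legacy(legacy_md5: str) -> str:
    """Protect a stored MD5 digest at once, without knowing the password."""
    salt = os.urandom(16)
    return f"scrypt-md5${salt.hex()}${kdf(legacy_md5, salt)}"

def verify(password: str, record: str) -> tuple[bool, str]:
    """Check a login; return (ok, record to store from now on)."""
    scheme, salt_hex, digest = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "scrypt":
        return hmac.compare_digest(kdf(password, salt), digest), record
    if scheme == "scrypt-md5":
        ok = hmac.compare_digest(kdf(md5_hex(password), salt), digest)
        # On success the plaintext is in hand, so drop the MD5 layer.
        return ok, new_record(password) if ok else record
    raise ValueError(f"unknown scheme: {scheme}")

if __name__ == "__main__":
    legacy = md5_hex("love1234")      # constructed legacy database value
    wrapped = wrap_legacy(legacy)     # batch step: run over every stored row
    ok, upgraded = verify("love1234", wrapped)
    print(ok, upgraded.split("$")[0])
```

After the batch step no bare MD5 digest remains in the table, including for accounts that never log in again.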
What Users Can Do
For individuals, the most effective defense remains a simple principle: one account, one password. A leaked password from one service should never unlock another. Length matters more than substitution tricks — a genuinely random 16-character password made up of mixed characters is vastly harder to crack than a memorable word with a number appended. Kaspersky recommends using a dedicated password manager to generate and store truly random, unique credentials for every account. The company has also updated its Kaspersky Password Generator with free password generation for this purpose.
| Algorithm | Design Purpose | Time to Crack 8-char complex (single RTX 4090) | Suitable for Passwords? |
|---|---|---|---|
| MD5 | Fast hashing | ~59 minutes | No — never use |
| bcrypt | Slow password hashing | ~99 years | Yes — recommended |
| Argon2 | Memory-hard password hashing | Extremely long | Yes — recommended |
The Bottom Line
GPU performance grows every year. Password habits do not improve at the same pace. Each new generation of consumer graphics hardware narrows the window of safety for weak or mid-strength passwords protected by fast hash algorithms. Kaspersky’s 2026 study is the most comprehensive real-world evidence yet that MD5 password storage is not merely outdated — it is effectively no protection at all for the majority of passwords people actually choose. The technical fix is well-understood; what remains is the will to deploy it.
