June 4, 2026

PBX Science


Are “8-Character Passwords” Virtually Useless Under Today’s Cracking Technology?


New Kaspersky research shows that nearly half of all real-world passwords can be broken in under a minute using a single consumer GPU — and the gap between attacker capability and password hygiene is widening fast.

On World Password Day, May 7, 2026, cybersecurity firm Kaspersky published findings from an analysis of 231 million real passwords leaked onto the dark web between 2023 and 2026. The results were stark: 48% of those passwords could be cracked in under one minute, and 60% within one hour — using a single consumer-grade graphics card. For anyone still relying on an eight-character password, the numbers deliver an uncomfortable verdict.

48% Cracked in < 1 minute
60% Cracked in < 1 hour
68% Cracked in < 24 hours
77% Cracked in < 1 year

How the Research Was Conducted

Kaspersky’s team re-hashed the plaintext passwords using the MD5 algorithm — still widely deployed despite its known weaknesses — and ran cracking attempts on a single NVIDIA GeForce RTX 5090 graphics card. The dataset expanded the firm’s 2024 study by an additional 38 million recently exposed credentials, sourced through its Digital Footprint Intelligence service.

Attackers in practice are not limited to a single GPU. Cloud platforms allow anyone to rent equivalent computing power by the hour, at costs ranging from a few cents to a few dollars. Ten or a hundred GPUs can be deployed in parallel, reducing cracking times by corresponding orders of magnitude. The financial barrier to a large-scale password cracking operation is, in 2026, effectively negligible.

Passwords remain as weak as ever, while cracking them becomes faster and easier with every year.

— Kaspersky Digital Footprint Intelligence, May 2026

The GPU Arms Race: RTX 4090 vs. RTX 5090

The acceleration is not purely theoretical. The RTX 4090, used in Kaspersky’s 2024 study, could attempt 164 billion MD5 hashes per second. The RTX 5090 raises that figure to 220 billion — a 34% improvement in a single GPU generation. As Nvidia and its competitors continue to push GPU performance forward, the effective lifespan of any password hashed with a fast algorithm like MD5 shortens with each hardware cycle.

Year-on-year, the share of vulnerable passwords has crept upward. In 2024, 45% could be cracked in under a minute and 59% within an hour. Both figures rose in 2026. The trend line runs in one direction only.

Length Is Everything — Until It Isn’t

Password length remains the single most important defensive variable, but the thresholds may surprise many users. Kaspersky’s data shows that 99.1% of 8-character passwords can be cracked within 24 hours. Moving to 10 characters reduces — but does not eliminate — the risk, with 89.1% still falling within the same window. Even 12-character passwords are not safe: 69.7% can be cracked in under a day. The security community’s current gold standard is 16 or more characters of random, non-repeating letters, numbers, and symbols.

Password Length         | Cracked Within 24 Hours | Assessment
8 characters            | 99.1%                   | Effectively useless
10 characters           | 89.1%                   | Insufficient
12 characters           | 69.7%                   | Still vulnerable
16+ characters (random) | Very low                | Current gold standard

Source: Kaspersky Digital Footprint Intelligence, May 2026 · Single RTX 5090 GPU · MD5 algorithm
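
To put the length thresholds next to the quoted hash rate, the following added example (not from Kaspersky or the original article) computes how long a full keyspace search takes at 220 billion MD5 guesses per second. The alphabet sizes and the function names are assumptions chosen for illustration.

```python
# Added example: exhaustive-search time at the MD5 rate quoted in the article.
RTX_5090_MD5_PER_SEC = 220e9      # figure from the article
DAY = 86_400
YEAR = 365 * DAY

# Alphabet sizes are assumptions for illustration (95 = printable ASCII).
ALPHABETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 95}


def exhaust_seconds(alphabet, length, gpus=1, rate=RTX_5090_MD5_PER_SEC):
    """Seconds to try every password of exactly `length` symbols."""
    return alphabet ** length / (rate * gpus)


def min_random_length(alphabet, budget_seconds, gpus=1):
    """Shortest length whose full keyspace outlasts the attacker's time budget."""
    length = 1
    while exhaust_seconds(alphabet, length, gpus) <= budget_seconds:
        length += 1
    return length


def human(seconds):
    """Format a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", DAY), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in (8, 10, 12, 16):
        row = [f"{name}: {human(exhaust_seconds(size, length))}"
               for name, size in ALPHABETS.items()]
        print(f"{length:>2} chars  " + " | ".join(row))
    print("100 GPUs, 10 printable chars:", human(exhaust_seconds(95, 10, gpus=100)))
    print("min random printable length vs. 1 year on 100 GPUs:",
          min_random_length(95, YEAR, gpus=100))
```

Eight random printable characters are exhausted in about 8.4 hours on one card, while ten take years. The high 24-hour crack rates for 10- and 12-character passwords in the table are therefore consistent with guessable structure, not keyspace exhaustion.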

Predictable Patterns Make Bad Passwords Worse

Raw length aside, human psychology consistently undermines password strength. Kaspersky found that 53% of leaked passwords end with one or more digits, while 17% begin with a number — patterns that attackers exploit by structuring their guessing algorithms to try these combinations first. Twelve percent contain year-like sequences between 1950 and 2030, suggesting that many users incorporate their birth year or account-creation year and leave it unchanged for years.

Among numeric strings, “1234” is the most common suffix. Keyboard-walk patterns such as “qwerty” appear in roughly 3% of passwords. The most frequently chosen special character is “@”, followed by periods and exclamation marks — all well-known to cracking dictionaries. Perhaps most vividly illustrating how rapidly internet culture seeps into password choices: use of the word “Skibidi” surged 36-fold between 2023 and 2026.
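
The patterns listed above can be turned into a check that a sign-up form or a password audit applies before a password is accepted. This is an added example, not code from Kaspersky or the original article; the flag names, the extra keyboard walks beyond "qwerty", and the sample passwords are assumptions constructed for illustration.

```python
import re

# Patterns named in the article; the extra keyboard walks are assumptions.
YEAR = re.compile(r"19[5-9]\d|20[0-2]\d|2030")   # year-like run, 1950-2030
TRAILING_DIGITS = re.compile(r"\d+$")
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn")
COMMON_SPECIALS = set("@.!")


def findings(password):
    """Return the predictable-structure flags that apply to one password."""
    flags = []
    if TRAILING_DIGITS.search(password):
        flags.append("1234 suffix" if password.endswith("1234") else "trailing digits")
    if password[:1].isdigit():
        flags.append("leading digit")
    if YEAR.search(password):
        flags.append("year 1950-2030")
    if any(walk in password.lower() for walk in KEYBOARD_WALKS):
        flags.append("keyboard walk")
    specials = {c for c in password if not c.isalnum()}
    if specials and specials <= COMMON_SPECIALS:
        flags.append("only common specials")
    return flags


def audit(passwords):
    """Share (percent) of passwords carrying each flag."""
    counts = {}
    for pw in passwords:
        for flag in findings(pw):
            counts[flag] = counts.get(flag, 0) + 1
    return {flag: round(100 * n / len(passwords), 1) for flag, n in counts.items()}


# Constructed sample inputs, not taken from any leak.
SAMPLE = ["Summer2024", "qwerty1234", "1love@home", "Skibidi!", "tV9#qLm2$Xe7Rk!d"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:<18} {findings(pw) or 'no listed pattern'}")
    print(audit(SAMPLE))
```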

More than half of all analyzed passwords (54%) had been seen in prior leaks, underscoring the scale of reuse. Passwords containing year values were often dated between 2020 and 2024, consistent with Kaspersky’s estimate that most users retain passwords for three to five years before changing them — if they change them at all.

One Leak Can Compromise Many Accounts

The danger of reuse compounds well beyond a single service. When one platform suffers a breach, attackers can immediately attempt the same credentials across email providers, banks, and social networks — a technique known as credential stuffing. A password that would take months to crack in isolation becomes trivially useful the moment it appears in a leaked database, because matching a candidate hash against millions of records takes no longer than matching it against one.

What You Should Do Now

Kaspersky’s Recommended Countermeasures

  • Use a reputable password manager — stop trying to memorize passwords manually.
  • Never store passwords in plain text, including in documents or notes apps.
  • Remove passwords saved in your web browser; malware can extract them almost instantly.
  • Switch to passkeys wherever supported — they use public-key cryptography and never transmit your private key.
  • Enable two-factor authentication (2FA) on every account that offers it.
  • Avoid pirated software and suspicious links, which are primary vectors for credential-stealing malware.

Passkeys in particular represent a structural improvement over passwords: rather than a shared secret that can be stolen from a server, they rely on a private key that never leaves your device. Even a successful phishing page cannot capture what is never transmitted. While passkey adoption remains uneven — many services do not yet support them — the momentum is accelerating across major platforms.

The broader message from Kaspersky’s 2026 research is not merely that individual users need to choose better passwords. It is that any service still storing credentials with fast hashing algorithms like MD5 is operating with security infrastructure that has functionally expired. The compute cost to crack the majority of a leaked MD5 password database in 2026 is measured in dollars and hours. For organisations, that is not a risk — it is a liability.
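
For a service that still holds MD5 password records, the sketch below shows the legacy format beside a salted, memory-hard replacement, with records upgraded when a user next logs in successfully. This is an added example, not code from Kaspersky or the original article, and it goes beyond the article by showing salting and migration; the record format, function names and scrypt cost parameters are assumptions.

```python
import hashlib
import hmac
import os

N, R, P = 2**14, 8, 1   # assumed scrypt cost parameters; tune for your hardware


def md5_record(password):
    """Legacy format the article warns about: fast and unsalted."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password):
    """Salted, memory-hard record; parameters are stored so they can be raised later."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify(record, password):
    """Check a password against either record format in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "scrypt":
        n, r, p, salt_hex, key_hex = rest.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
        return hmac.compare_digest(key.hex(), key_hex)
    return False


def login(record, password):
    """Return (ok, record_to_store); legacy MD5 rows are re-hashed on success."""
    if not verify(record, password):
        return False, record
    if not record.startswith("scrypt$"):
        record = scrypt_record(password)
    return True, record


if __name__ == "__main__":
    legacy = md5_record("Summer2024")          # constructed sample password
    print("same MD5 for same password:", legacy == md5_record("Summer2024"))
    ok, upgraded = login(legacy, "Summer2024")
    print(ok, upgraded.split("$")[0])
```

Because the MD5 records carry no salt, two users with the same password get the same record, so one guess is tested against every row at once; the per-record salt removes that shortcut.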

Sources:
Kaspersky Official Blog — “Nearly half of the world’s passwords can be cracked in under a minute” (May 7, 2026) · Kaspersky Press Release — “More than 50% of leaked passwords end with a number” (May 7, 2026) · SC Media, TechRadar, The Register (May 2026 coverage)
