Bad news — many of today’s top passwords can be brute force cracked in less than an hour

If you’re using simple passwords, you’re in trouble

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

If you are not using random, computer-generated passwords, or one of thebest password generators, chances are your logins can be cracked within an hour, research has warned.

A newreporton password strength conducted recently by Kaspersky noted  the advancements in computer processing power made cracking passwords significantly easier.

In their experiment, the researchers used a database of 193 million passwords, obtained from the dark web. These were hashed and salted, meaning they still needed to guess them.

Improving the algorithm

The researchers then used anNvidiaRTX 4090 GPU and tried to estimate the time needed to crack the passwords using different algorithms.

The gist of the research is that some eight-character passwords can be cracked as fast as 17 seconds. These passwords were composed of same-case English letters and digits, or 36 combinable characters. Looking at the entire database, it took the researchers less than an hour to crack more than half (59%) of the passwords.

The researchers tried out different algorithms, including the vastly popular brute force attack. This method tries all possible password combinations, and while it’s less effective for longer passwords, and those with diverse character types, it was still able to crack many short and simple passwords easily. Then, they tried to improve on brute force, by having it consider certain character combinations, words, names, dates, and sequences.

With the most efficient algorithm, the researchers guessed 45% of passwords within a minute, 59% within an hour, and 73% within a month. Only a quarter (23%) of passwords would take longer than a year to crack.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

To better protect the accounts, Kaspersky recommends users go for random, computer-generated passwords, avoid meaningful words and names in passwords, and check the password strength with thebest password managers.

Finally, it recommends users ensure the passwords aren’t included in leaked databases by checking HaveIBeenPwned?, and make sure they’re using unique passwords for different websites.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Nokia confirms data breach leaked third-party code, but its data is safe

Rising AI threats are making firms turn back to human intelligence

Black Friday is here: Sony XM5 over-ears drop to their lowest-seen price – act fast!