A new study from Kaspersky shows that scammers can guess 45% of all passwords in less than a minute. Researchers looked at 193 million passwords found on the dark web and discovered that only 23% (44 million) of them were strong enough to resist being cracked for over a year. The study also highlighted the most common character combinations used in creating passwords.

Kaspersky’s data reveals more than 32 million attempts to attack users with password stealers in 2023, emphasizing the need for good digital hygiene and up-to-date password policies.

In June 2024, Kaspersky analyzed 193 million passwords from various darknet sources. The findings revealed that most passwords were weak and could be easily cracked using smart guessing algorithms. Here’s how quickly passwords can be broken down:

• 45% (87M) in less than 1 minute.
• 14% (27M) – from 1 min to 1 hour.
• 8% (15M) – from 1 hour to 1 day.
• 6% (12M) – from 1 day to 1 month.
• 4% (8M) – from 1 month to 1 year.

Resistant Passwords

Only 23% (44 million) of the passwords were deemed resistant, taking over a year to crack. Most of the analyzed passwords (57%) included a dictionary word, significantly reducing their strength. Among the most common sequences were:

• Names: “ahmed,” “nguyen,” “kumar,” “kevin,” “daniel.”
• Popular words: “forever,” “love,” “google,” “hacker,” “gamer.”
• Standard passwords: “password,” “qwerty12345,” “admin,” “12345,” “team.”

The study showed that only 19% of all passwords displayed signs of a strong combination—non-dictionary words, a mix of lowercase and uppercase letters, numbers, and symbols. However, in less than an hour, 39% of these “strong” passwords could still be guessed using smart algorithms.

Weak password? Easy attacks

Cracking passwords doesn’t require deep knowledge or expensive equipment. For example, a powerful laptop processor can brute-force an 8-character lowercase password in just 7 minutes, while modern video cards can do it in 17 seconds. Smart algorithms take into account character replacements (“e” with “3”, “1” with “!” or “a” with “@”) and popular sequences (“qwerty,” “12345,” “asdfg”).

“Unconsciously, human beings create ‘human’ passwords – containing the words from dictionary in their native languages, featuring names and numbers, etc.,” said Yuliya Novikova, head of Digital Footprint Intelligence at Kaspersky. “Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms. Given that, the most dependable solution is to generate a completely random password using modern and reliable password managers. Such apps can securely store large volumes of data, providing comprehensive and robust protection for user information.”

Tips for Strengthening Your Password Policy:

• Use a different password for each service to ensure that the others remain secure even if one account is compromised.
• Use passphrases with unexpected words arranged in an unusual order. There are online services that help check password strength.
• Avoid using easily guessed passwords based on personal information like birthdays, names of family members, pets, or your own name.
• Enable two-factor authentication (2FA). While not directly related to password strength, 2FA adds an extra layer of security.
• Even if someone discovers your password, they would still need a second verification form to access your account. Modern password managers can store 2FA keys and secure them with the latest encryption algorithms.
• Memorizing long and unique passwords for all services is nearly impossible, but a password manager allows you to remember just one master password.
• Using a reliable security solution enhances your protection by monitoring the internet and dark web and warning you if your passwords need to be changed.

About the study

The research was based on 193 million passwords publicly available on various darknet resources. You can find the study in this Kaspersky Daily post and more information on Securelist.

Kaspersky experts used the following password-guessing algorithms:

• Bruteforce – bruteforce is a method for guessing a password that involves systematically trying all possible combinations of characters until the correct one is found.
• Zxcvbn – is an advanced scoring algorithm available on GitHub. For an existing password, the algorithm determines its scheme. Next, the algorithm counts the number of required search iterations for each scheme element. So, if the password contains a word, then finding it will take several iterations equal to the length of the dictionary. Having searched for time for each schema element, we could count password strength.
• Smart guessing algorithm – is a learning algorithm. Based on the user password dataset, it could calculate the frequency of various character combinations. Then, it could generate trials from the most frequent variants and their combination to the least frequent.

Image by Freepik