Kaspersky Analysis Reveals GPU Performance Gains Render Eight-Character Passwords Obsolete

Answer Brief

A new study by Kaspersky analyzing 231 million leaked passwords shows that 48% can be cracked in under a minute. Rapid advancements in consumer GPU hardware, specifically the shift to the NVIDIA RTX 5090, have dramatically reduced the time required to break simple hashes, rendering traditional eight-character passwords virtually useless against modern brute-force and AI-assisted attacks.

Why It Matters

The rapid acceleration of hardware performance has fundamentally shifted the risk boundary for identity management. Kaspersky’s analysis of 231 million passwords leaked between 2023 and 2026 found that nearly half of them are vulnerable to near-instantaneous compromise. This is not merely a theoretical risk; it represents a functional collapse of the eight-character password standard. As GPU performance reaches billions of hashes per second, the time required to exhaust a character space has shrunk from weeks to minutes.

Technically, the signal here is the commoditization of high-performance cracking. The transition from the RTX 4090 to the RTX 5090 has increased MD5 hashing capabilities by 34%, reaching 2.2 billion hashes per second. This compute power is no longer reserved for nation-state actors; it is available via cloud rental markets for minimal fees. This accessibility allows attackers to execute large-scale credential stuffing attacks using data harvested from the Dark Web with unprecedented efficiency, regardless of their local infrastructure limitations.

Technical Signal

For regional operations in East Asia, particularly Japan, Taiwan, and South Korea, this data is a wake-up call for infrastructure and security teams. These regions have high digital density and many legacy enterprise systems that still enforce or permit weak 8-10 character password policies. The local signal suggests that even 'regional' password trends—such as using specific local terms or dates—are being effectively mapped by AI-driven algorithms that recognize linguistic and keyboard-layout patterns like 'qwerty' or specific year ranges.

Affected teams include not only IT security but also DevOps and Cloud Infrastructure leads who must manage the risk of compromised administrative credentials. The study found that 54% of leaked passwords had appeared in previous breaches, indicating a persistent problem with password reuse across multiple services. If a single employee uses the same 8-character password for a personal account and a corporate cloud console, the organization’s entire infrastructure is essentially exposed within seconds of a leak.

Operational Impact

The risk boundaries are expanding because human-generated passwords are inherently non-random. Kaspersky observed that 12% of passwords include years, with 10% specifically using the range from 1990 to 2026. This predictability allows attackers to move away from pure brute force and toward highly optimized, algorithmic guessing. Even 12-character passwords, often considered 'safe,' now face a 69.7% crack rate within 24 hours under current performance tiers.

Readers should watch for a mandatory industry-wide shift toward MFA and Passkeys as the primary defense. The era of the character-based password as a standalone security measure is effectively over. Organizations must evaluate their current IAM (Identity and Access Management) policies and move to deprecate legacy authentication methods. Monitoring for account takeover (ATO) signals will become increasingly difficult as the initial 'breach' happens faster than most detection systems can trigger an alert on a brute-force attempt.

Event Type: security
Importance: high

Affected Companies

  • Kaspersky
  • NVIDIA

Affected Sectors

  • Cloud Infrastructure
  • Cybersecurity
  • Identity and Access Management

Key Numbers

  • Passwords Analyzed: 231 million
  • Crackable under 1 minute: 48%
  • Crackable under 1 hour: 60%
  • RTX 5090 Hashing Speed: 2.2 billion MD5 hashes/sec
  • 8-char crack rate (24h): 99.1%

Timeline

  1. Kaspersky gathers 231 million password samples from Dark Web leaks via Digital Footprint Intelligence.
  2. NVIDIA RTX 4090 achieves 1.64 billion MD5 hashes per second.
  3. Kaspersky releases updated analysis of password vulnerability based on latest GPU performance tiers.
  4. ITmedia reports on the implications of the study for enterprise security in East Asia.

Frequently Asked Questions

How long does it take to crack an 8-character password today?

According to Kaspersky's 2026 analysis, 99.1% of eight-character passwords can be cracked within 24 hours using modern consumer-grade GPUs like the RTX 5090. Approximately 48% of all analyzed passwords from recent leaks were cracked in less than one minute, highlighting the complete obsolescence of short character strings.

Why has password cracking speed increased so significantly?

The primary driver is the increase in GPU processing power. The RTX 5090 can process 2.2 billion MD5 hashes per second, a 34% increase over the previous generation. Combined with cloud-based rental models, attackers can access massive compute power for a few dollars to run exhaustive brute-force or AI-assisted dictionary attacks.

What common password patterns are attackers exploiting?

Attackers leverage predictable human patterns, such as starting with a capital letter (17% of samples) or ending with a number (53%). The study also noted a 36-fold increase in passwords referencing current pop culture memes like 'Skibidi' between 2023 and 2026, which are easily incorporated into specialized dictionary attacks.
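A screening check for the traits named above and under Operational Impact (years from 1990 to 2026, a leading capital, a trailing digit, keyboard runs such as 'qwerty'), paired with a worst-case exhaustive-search time at the 2.2 billion MD5 hashes per second quoted on this page. This is an added example, not code from Kaspersky or from the original article; the trait labels, the keyboard-run list and the ASCII class sizes are assumptions, and the MD5 rate does not carry over to slow, salted password hashes.

```python
import re

MD5_RATE = 2.2e9  # hashes/sec: the RTX 5090 MD5 figure quoted on this page
YEAR_RE = re.compile(r"(?<!\d)(199\d|20[01]\d|202[0-6])(?!\d)")  # 1990-2026
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456")  # constructed sample list


def alphabet_size(password):
    """Size of the ASCII character classes the password actually draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols, space included
    return size


def exhaustive_seconds(length, alphabet, rate=MD5_RATE):
    """Worst-case seconds to try every string of `length` over `alphabet`."""
    return alphabet ** length / rate


def audit(password):
    """Return (findings, worst_case_seconds) for a candidate password."""
    findings = []
    if YEAR_RE.search(password):
        findings.append("year-1990-2026")
    if password[:1].isupper():
        findings.append("capital-first")
    if password[-1:].isdigit():
        findings.append("digit-last")
    if any(run in password.lower() for run in KEYBOARD_RUNS):
        findings.append("keyboard-run")
    seconds = exhaustive_seconds(len(password), alphabet_size(password))
    return findings, seconds


if __name__ == "__main__":
    for candidate in ("qwerty12", "Summer2024", "k7#Vd!w2Rz^pQ9mL"):  # constructed
        found, secs = audit(candidate)
        print(f"{candidate!r}: {secs / 86400:.3g} days worst case, traits={found}")
```

The worst-case figure is an upper bound: a candidate that reports any trait should be rejected at set time however large that number looks, because pattern-based guessing reaches it long before the full space is exhausted.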

What are the best alternatives to traditional passwords?

Security teams should prioritize Passkeys, which use public-key cryptography and are resistant to phishing. Additionally, implementing Multi-Factor Authentication (MFA/2FA) and transitioning to password managers that support complex, unique strings for every service is essential as simple character-based security continues to fail.
