It only takes a minute, to crack your world.

According to the research results conducted by Kaspersky experts, 45% of all passwords analyzed (87M) could be guessed by scammers within a minute. The team also uncovered the most commonly used character combinations when creating passwords. Only 23% (44M) of combinations turned out to be tough enough to stop scammers, with their cracking taking more than a year.

Kaspersky telemetry highlights more than 32 million attempts to attack users with password stealers in 2023 alone. These numbers underline the critical importance of digital hygiene and active password policies. 

In June 2024, Kaspersky analyzed 193M passwords in a new study, which were found in the public domain on various darknet resources. Its’ results indicate that the majority of the passwords reviewed were not nearly strong enough and could be easily compromised by using smart guessing algorithms. Here is the breakdown of how fast it can happen: 

• 45% (87M) in less than 1 minute. 
• 14% (27M) – from 1 min to 1 hour. 
• 8% (15M) – from 1 hour to 1 day. 
• 6% (12M) – from 1 day to 1 month.  
• 4% (8M) – from 1 month to 1 year. 

Experts identified only 23% (44M) of passwords as persistent – compromising them would take more than 1 year. 

The majority of the examined passwords (57%) contain a word from the dictionary, which experts agree significantly reduces a passwords’ strength. Among the most popular vocabulary sequences, several groups can be distinguished: 

Names: "ahmed", "nguyen", "kumar", "kevin", "daniel". 

Popular words: "forever", "love", "google", "hacker", "gamer". 

Standard passwords: "password", "qwerty12345", "admin", "12345", "team". 

The analysis showed that only 14% of all passwords contain signs of a strong, difficult to crack combination - lowercase and uppercase letters, as well as numbers and symbols and did not contain a standard dictionary word. The study revealed that 76% of such passwords are strong. The analysis showed that only 19% of all passwords contain signs of a strong combination – a non-dictionary word, lowercase and uppercase letters, as well as numbers and symbols. At the same time, the study revealed that 39% of such passwords could also be guessed using smart algorithms in less than an hour.  

Perhaps the most concerning thing though, is that attackers do not require deep knowledge or expensive equipment to crack passwords. A standard powerful laptop processor will be able to find the correct combination for password of 8 lowercase letters or digits using brute force in just 7 minutes. And modern video cards will cope with the same task in 17 seconds. In addition, smart algorithms for guessing passwords easily decipher character replacements such as "e" with "3", "1" with "!" or "a" with "@" as well as popular sequences like "qwerty", "12345", "asdfg". 

‘Unconsciously, human beings create “human” passwords – containing the words from dictionary in their native languages, featuring names, numbers. Etc, things that are easy for our busy brains to recall easily. Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms. Given that, the most dependable solution is to generate a completely random password using modern and reliable password managers. 

Such apps can securely store large volumes of data, providing comprehensive and robust protection for user information’. Commented Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky.  

In order to strengthen your password policy, users can use following simple tips:  

• It’s best not to use passwords that can be easily guessed from your personal information, such as birthdays, names of family members, pets, or your own name. These are often the first guesses an attacker will make. 
• Enable two-factor authentication (2FA). While not directly related to password strength, enabling 2FA adds an extra layer of security. Even if someone discovers your password, they would still need a second form of verification to access your account. Modern password managers store 2FA keys and secure them with the latest encryption algorithms.  
• It’s nearly impossible to memorize long and unique passwords for all the services you use, but with a password manager you can memorize just one master password. 
• Use a different password for each service. That way, even if one of your accounts gets stolen, the rest won’t go with it. 
• Passphrases might be more secure when using unexpected words. Even if you are using common words, you can arrange them in an odd order and make sure they are unrelated. There are also online services, that will help you to check if a password is strong enough.  
• Using a reliable security solution will enhance your protection. It monitors the Internet and Dark Web, warns if your passwords need to be changed.  

About the study 

Our research was conducted on the basis of 193M passwords found publicly available on various darknet resources. The study can be found by clicking the link in the Kaspersky Daily post. Additional information can be found in the research material on Securelist. 

Within the survey Kaspersky experts used the following password guessing algorithms: 

• Bruteforce – bruteforce is a method for guessing a password that involves systematically trying all possible combinations of characters until the correct one is found. 
• Zxcvbn – is an advanced scoring algorithm available on GitHub. For an existing password, the algorithm determines its scheme. Next, the algorithm counts the number of required iterations of the search for each element of the scheme. So, if the password contains a word, then finding it will take a number of iterations equal to the length of the dictionary. Having searching time for each schema element we could count password strength. 
• Smart guessing algorithm – is a learning algorithm. Based on user passwords dataset, it could calculate the frequency of various characters combinations. Then it could generate trials from most frequent variants and its combination to least frequent.