Cybersecurity: How hackers can crack your password in a minute

Only 23% of the combinations proved sufficiently durable

Cybercriminals can guess almost half of all passwords in less than a minute. This and other particularly disturbing findings come from a large-scale study by Kaspersky experts, which tested how well 193 million passwords, compromised by infostealers and available on the darknet, withstand brute-force and smart-guessing attacks.

According to the research results, fraudsters could guess 45% of all analyzed passwords (87 million) within one minute. Kaspersky experts also revealed which character combinations are most often used when creating passwords. Only 23% (44 million) of the combinations proved durable enough – breaking them would take more than a year.

Kaspersky telemetry shows more than 32 million attempts to attack users with password stealers in 2023. These numbers show the importance of digital hygiene and timely password policies.

In June 2024, Kaspersky analyzed 193 million passwords in a new study; the passwords were found in the public domain on various darknet resources. The results show that the majority of the analyzed passwords were not strong enough and could easily be cracked using smart guessing algorithms. Here's a breakdown of how quickly it can happen:

45% (87M) – in less than 1 minute.
14% (27M) – from 1 minute to 1 hour.
8% (15M) – from 1 hour to 1 day.
6% (12M) – from 1 day to 1 month.
4% (8M) – from 1 month to 1 year.

Experts rated only 23% (44 million) of passwords as strong – breaking them would take more than 1 year.

In addition, the majority of examined passwords (57%) contain a word from the dictionary, which significantly reduces their strength. Among the most popular dictionary sequences, several groups can be distinguished:

Names: “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel”.

Popular words: “forever”, “love”, “google”, “hacker”, “gamer”.

Standard passwords: “password”, “qwerty12345”, “admin”, “12345”, “team”.

The analysis showed that only 19% of all passwords have the makeup of a strong combination that is difficult to crack: a non-dictionary word, lowercase and uppercase letters, as well as numbers and symbols, with no standard dictionary word. At the same time, the study revealed that 39% of such passwords could also be guessed using smart algorithms in less than an hour.

Most worrying, however, is that attackers don't need deep knowledge or expensive equipment to crack passwords. For example, a powerful laptop processor can find the correct combination for a password of 8 lowercase letters or digits using brute force in just 7 minutes. Moreover, modern graphics cards will cope with the same task in 17 seconds. In addition, smart password-guessing algorithms look at character substitutions (“e” with “3”, “1” with “!” or “a” with “@”) and popular sequences (“qwerty”, “12345”, “asdfg”).
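The two weaknesses described above can be turned into a check that a signup form or password audit runs before accepting a password. This is an added example, not code from Kaspersky or the original article. The guess rates are assumptions derived from the article's own figures (the full 36^8 keyspace searched in 7 minutes or 17 seconds), the wordlist contains only the words quoted in the article, and passwords are assumed to be ASCII.

```python
import string

# Words and sequences quoted in the article; a real audit would load a full wordlist.
COMMON = ["ahmed", "nguyen", "kumar", "kevin", "daniel", "forever", "love",
          "google", "hacker", "gamer", "password", "admin", "team",
          "qwerty", "12345", "asdfg"]
# Substitutions named in the article, folded back to one canonical character.
FOLD = str.maketrans({"3": "e", "!": "1", "@": "a"})

KEYSPACE_8 = 36 ** 8               # 8 characters drawn from a-z and 0-9
GPU_RATE = KEYSPACE_8 / 17         # guesses/s implied by "17 seconds" (assumption)
CPU_RATE = KEYSPACE_8 / (7 * 60)   # guesses/s implied by "7 minutes" (assumption)
YEAR = 365 * 86400

# Upper bounds (seconds) and labels of the study's time buckets.
BUCKETS = [(60, "< 1 minute"), (3600, "1 minute to 1 hour"),
           (86400, "1 hour to 1 day"), (30 * 86400, "1 day to 1 month"),
           (YEAR, "1 month to 1 year")]

def charset_size(pw):
    """Alphabet an exhaustive search must cover (ASCII classes only)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def brute_force_seconds(pw, rate=GPU_RATE):
    """Worst-case time to try every candidate of this length and alphabet."""
    try:
        return charset_size(pw) ** len(pw) / rate
    except OverflowError:          # very long passphrases exceed float range
        return float("inf")

def fold(text):
    return text.lower().translate(FOLD)

def dictionary_hits(pw):
    """Listed words present in the password once substitutions are undone."""
    folded = fold(pw)
    # Fold the wordlist too, so "12345" still matches after "3" becomes "e".
    return sorted(w for w in COMMON if fold(w) in folded)

def bucket(seconds):
    return next((label for limit, label in BUCKETS if seconds < limit), "> 1 year")

def assess(pw):
    """Reject a candidate password that either attack in the article would find."""
    hits, seconds = dictionary_hits(pw), brute_force_seconds(pw)
    return {"dictionary_hits": hits, "gpu_brute_force": bucket(seconds),
            "acceptable": not hits and seconds > YEAR}
```

A constructed sample such as `assess("x7kq9zp4")` returns no dictionary hits yet still lands in the "< 1 minute" bucket, while `assess("P@ssword!")` is rejected on the dictionary check despite its mixed character classes.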

In order to strengthen their password policy, users can use the following simple tips:

It's almost impossible to remember long and unique passwords for all the services you use, but with a password manager you can remember just one master password.

Use a different password for each service. That way, even if one of your accounts is stolen, the others won't be compromised.

Passphrases may be more secure when unexpected words are used. Even if you use common words, you can put them in an unusual order and make sure they are not related. There are also online services that will help you check if a password is strong enough.

It's best not to use passwords that can be easily guessed from your personal information, such as birthdays, names of family members, pets, or your own name. These are often the first guesses an attacker will try.

Enable two-factor authentication (2FA). Although not directly related to password strength, enabling 2FA adds an extra layer of security. Even if someone discovers your password, they'll need a second form of verification to access your account. Modern password managers store 2FA keys and secure them with the latest encryption algorithms.

Using a reliable security solution will strengthen your protection. It monitors the internet and the Dark Web and warns if your passwords need to be changed.
