Kaspersky: 45% of 193 million analysed passwords can be guessed by scammers within one minute
The majority of examined passwords contain a word from the dictionary, which greatly weakens password strength.
By Liu Hongzuo
Kaspersky's research found that it doesn't take much to crack a whole bunch of passwords. 193 million of them. Photo by Pavel Danilyuk on Pexels
Kaspersky recently (June 2024) conducted a large-scale study on passwords used by everyday people. To be precise, the cybersecurity firm researched 193 million passwords found on the Dark Web to see how they would withstand brute-force and smart guessing attacks by hackers and scammers.
Guessing passwords in under a minute? Really?
Given that it’s a cybersecurity company publishing its findings, it’s no surprise that the results aren’t promising. Of the 193 million passwords it gathered, the firm was able to crack them at the following speeds:
- 45% (87 million) were cracked in less than one minute
- 14% (27 million) took anywhere from a minute to one hour
- 8% (15 million) needed a day at most
- 6% (12 million) up to a month
- 4% (8 million) took one month to a year
That only adds up to ~77%. What about the rest?
Kaspersky said that only 23% (44 million) of the passwords it found are “resistant”. These passwords require over a year to crack via brute force or smart guessing algorithms.
Don’t use the dictionary
Another Kaspersky finding showed that 57% of passwords examined contain a word that can be found in the dictionary, which the company claimed would significantly reduce a password's strength. So, don't do that.
The following are the most popular sequences. Are you one of them?
- Names: such as “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel” (editorial note: shoutout to all the Kevin Nguyens)
- Popular words: not surprisingly, “forever”, “love”, “google”, “hacker”, “gamer” (editorial note: y’all don’t go as hard as you think you do; sit back down)
- “Standard” passwords: such as “password”, “qwerty12345”, “admin”, “team”, and more
Kaspersky said only 19% of all passwords have a “strong combination”: they contain a non-dictionary word, lower and uppercase letters, numbers, and symbols. However, 39% of these passwords can be figured out by algorithms in less than one hour.
Is it easy for hackers to guess passwords?
As it turns out, there’s a relatively low entry barrier to getting the tools needed to run password-guessing algorithms.
Kaspersky said that attackers do not require deep knowledge or expensive equipment to succeed. The bad actor only needs “a powerful laptop processor” to guess passwords with eight characters (lowercase or digits) in just seven minutes.
Most smart-guessing algorithms can also undo commonly used character substitutions, such as “a” replaced with the “@” symbol or “1” replaced with an exclamation mark.
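As an added example (not Kaspersky's or HWZ's code), the checker below applies the criteria discussed in this article: it flags dictionary words even after undoing substitutions such as “@” for “a”, applies Kaspersky's “strong combination” test, and estimates worst-case brute-force time using the guess rate implied by the seven-minute figure (every 36^8 eight-character lowercase/digit password in 420 seconds; that rate, the substitution table and the sample word list are assumptions built from the words named above).

```python
import string

# Constructed sample word list using the words named in the article; a real
# checker would load a full dictionary file (assumption, not included here).
DICTIONARY = {"ahmed", "nguyen", "kumar", "kevin", "daniel", "forever", "love",
              "google", "hacker", "gamer", "password", "qwerty", "admin", "team"}

# Common substitutions that smart-guessing tools undo ("@" for "a", etc.).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})

# Guess rate implied by the article's figure: all 36**8 eight-character
# lowercase/digit passwords in about seven minutes on a laptop CPU (assumption).
GUESSES_PER_SECOND = 36 ** 8 / (7 * 60)

# The article's reporting buckets, as (upper bound in seconds, label).
BUCKETS = ((60, "under one minute"), (3600, "one minute to one hour"),
           (86400, "up to a day"), (30 * 86400, "up to a month"),
           (365 * 86400, "one month to a year"))

# Character classes and their alphabet sizes (string.punctuation has 32 symbols).
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: c in string.punctuation, len(string.punctuation)))

def contains_dictionary_word(password: str) -> bool:
    """True if a dictionary word appears, before or after undoing leetspeak."""
    lowered = password.lower()
    return any(word in variant
               for variant in (lowered, lowered.translate(LEET))
               for word in DICTIONARY)

def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    return sum(size for test, size in CLASSES if any(test(c) for c in password))

def brute_force_seconds(password: str) -> float:
    """Worst-case exhaustive-search time; a dictionary hit makes the real time far shorter."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND

def crack_time_bucket(seconds: float) -> str:
    """Map a time estimate onto the article's buckets; beyond a year is 'resistant'."""
    return next((label for limit, label in BUCKETS if seconds < limit),
                "over a year (resistant)")

def is_strong_combination(password: str) -> bool:
    """Kaspersky's 'strong combination': no dictionary word plus all four classes."""
    return not contains_dictionary_word(password) and charset_size(password) == 94
```

Note that “P@ssw0rd” uses all four character classes yet fails the strong-combination test because undoing the substitutions exposes “password”, which is exactly why smart guessing beats the raw keyspace estimate.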
How can we strengthen our passwords?
Here are a few tips, courtesy of Kaspersky and us:
- Password managers can help you reduce memorisation. If anything, you should read HWZ’s guide on password managers first.
- Every service, account, or login you use should have a different password to minimise the mass theft of your accounts. This is also why a password manager helps with "remembering" passwords.
- Use passphrases instead of passwords. Instead of making scammers and hackers guess words, you can create long phrases unique to you (e.g. an unusual word order, a weird memory you have).
- Use a secure and verified password checker to test the strength of your passwords. Most cybersecurity firms, like Kaspersky, have one.
- Avoid using personal information in passwords. Birthdays, pet names, and family members are usually the first port of call for hackers.
- Two-factor authentication (2FA) adds an extra layer of work for hackers because it requires another clearance step after correctly guessing your password. If the service offers 2FA, use it.
If you want to protect your online and digital accounts better, consider reading HWZ's seven-part Cybersecurity Safety Content Basics Special series. Part 4 specifically discusses password security and passkeys that users can act on.
Source: Kaspersky (blog), Kaspersky (Secure List)