{"id":22905,"date":"2024-06-18T07:32:15","date_gmt":"2024-06-18T11:32:15","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=22905"},"modified":"2024-06-18T15:41:08","modified_gmt":"2024-06-18T11:41:08","slug":"password-can-be-hacked-in-one-hour","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/22905\/","title":{"rendered":"How hackers can crack your password in an hour"},"content":{"rendered":"<p>Although <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/\" target=\"_blank\" rel=\"noopener nofollow\">World Password Day<\/a>, held annually on the first Thursday in May, has passed, our \u2014 and we hope your \u2014 fascination with password security continues. Instead of analyzing artificial \u201ctest-tube\u201d passwords created for lab studies, we stayed in the real world \u2014 examining actual passwords leaked on the dark web. The results were alarming: 59% of these passwords could be cracked in less than an hour \u2014 and all it takes is a modern graphics card and a bit of know-how.<\/p>\n<p>Today\u2019s post explains how hackers crack passwords and how to counter it (spoiler alert: use <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">reliable protection<\/a> and <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">automatically check your passwords for leaks<\/a>).\n<\/p>\n<h2>The usual way to crack passwords<\/h2>\n<p>\nFirst, let\u2019s clarify what we mean by \u201ccracking a password\u201d. 
We\u2019re talking about cracking the password\u2019s <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hash_function\" target=\"_blank\" rel=\"nofollow noopener\">hash<\/a> \u2014 a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways:\n<\/p>\n<ul>\n<li><strong>In plaintext.<\/strong> This is the simplest and clearest way: if a user\u2019s password is, say, <em>qwerty12345<\/em>, then it\u2019s stored on the company server as <em>qwerty12345<\/em>. If a data breach occurs, the hacker needs only enter the password with the corresponding username to log in. That is, of course, if there\u2019s no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept <a href=\"https:\/\/www.kaspersky.com\/blog\/when-two-factor-authentication-useless\/51434\/\" target=\"_blank\" rel=\"noopener nofollow\">one-time passwords<\/a>.<\/li>\n<li><strong>Hashed.<\/strong> This method uses hashing algorithms like <a href=\"https:\/\/en.wikipedia.org\/wiki\/MD5\" target=\"_blank\" rel=\"nofollow noopener\">MD5<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-1\" target=\"_blank\" rel=\"nofollow noopener\">SHA-1<\/a> to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash and compares it to the one stored on the server. If they match, the password is correct. Here\u2019s an example: if your password is that same <em>qwerty12345<\/em>, then \u201ctranslated\u201d into SHA-1, it looks like this: <em>4e17a448e043206801b95de317e07c839770c8b8<\/em>. Hackers obtaining this hash would need to recover <em>qwerty12345<\/em> from it (this is the \u201cpassword cracking\u201d part), for example, by using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Rainbow_table\" target=\"_blank\" rel=\"nofollow noopener\">rainbow tables<\/a>. 
A cracked password can then be used to access not only the compromised service but potentially other accounts where the <a href=\"https:\/\/www.kaspersky.com\/blog\/never-reuse-passwords-story\/24808\/\" target=\"_blank\" rel=\"noopener nofollow\">password was reused<\/a>.<\/li>\n<li>\n<strong>Hashed with salt.<\/strong> Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/salt\/\" target=\"_blank\" rel=\"noopener\">salt<\/a>, to each password before hashing. A salt can be static or generated dynamically. A <em>password+salt<\/em> sequence is fed into the algorithm, which results in a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack.<\/li>\n<\/ul>\n<p>\nFor our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? <span style=\"text-decoration: line-through\">You have to know where to look.<\/span> We found them on the dark web, where such \u201ctreasures\u201d are often freely available. We used this database to check user passwords for possible leaks \u2014 but rest assured we don\u2019t store or even see any passwords. 
You can read more about the <a href=\"https:\/\/www.kaspersky.com\/blog\/how-secure-is-your-password-manager\/47034\/\" target=\"_blank\" rel=\"noopener nofollow\">internal structure<\/a> of the password vault in our <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> and how, without knowing your passwords, <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/\" target=\"_blank\" rel=\"noopener nofollow\">we match them against leaked ones<\/a>.\n<\/p>\n<h2>The cost of password cracking<\/h2>\n<p>\nModern GPUs are the best tool for analyzing a password\u2019s strength. For example, the RTX 4090 paired with the password recovery tool <a href=\"https:\/\/hashcat.net\/hashcat\/\" target=\"_blank\" rel=\"nofollow noopener\">hashcat<\/a> achieves a rate of <a href=\"https:\/\/gist.github.com\/Chick3nman\/32e662a5bb63bc4f51b847bb422222fd\" target=\"_blank\" rel=\"nofollow noopener\">164 billion hashes per second (164 GH\/s)<\/a> for salted <a href=\"https:\/\/en.wikipedia.org\/wiki\/MD5\" target=\"_blank\" rel=\"nofollow noopener\">MD5<\/a> hashes.<\/p>\n<p>Let\u2019s imagine an 8-character password using both Latin letters (either all lowercase or all uppercase) and digits (36 possible characters per position). The number of possible unique combinations is 2.8 trillion (calculated by raising 36 to the power of eight). A powerful CPU boasting processing power of <a href=\"https:\/\/gist.github.com\/Chick3nman\/fdf7f9ddcc0a65f6725aefede99ada4e\" target=\"_blank\" rel=\"nofollow noopener\">6.7 gigahashes per second (GH\/s)<\/a> could brute-force such a password in seven minutes. 
But the aforementioned RTX 4090 manages it in just 17 seconds.<\/p>\n<p>While such a high-end GPU costs <a href=\"https:\/\/www.digitaltrends.com\/computing\/gpu-price-tracking\/\" target=\"_blank\" rel=\"nofollow noopener\">slightly south of US$2,000<\/a>, even attackers unable to get hold of one can easily rent computing power for just a <a href=\"https:\/\/lambdalabs.com\/service\/gpu-cloud\" target=\"_blank\" rel=\"nofollow noopener\">few dollars per hour<\/a>. But what if they rent a dozen RTX 4090s all at once? That would pack enough power to process massive hash database leaks with ease.\n<\/p>\n<h2>59% of passwords crackable in under an hour<\/h2>\n<p>\nWe tested password strength using both brute-force and smart-guessing algorithms. While brute force iterates through all possible combinations of characters in order until it finds a match, smart guessing algorithms are trained on a password data set to calculate the frequency of various character combinations, then try the most common combinations first and work down to the rarest ones. You can read more about the algorithms used in <a href=\"https:\/\/securelist.com\/password-brute-force-time\/112984\/\" target=\"_blank\" rel=\"noopener\">the full version of our research<\/a> on Securelist.<\/p>\n<p>The results were unnerving: a staggering 45% of the 193 million real-world passwords we analyzed (that is, 87 million passwords!) 
could be cracked by the smart algorithm in less than a minute, 59% within an hour, 67% within a month, and a mere 23% of passwords could be considered truly strong \u2014 needing more than a year to crack.\n<\/p>\n<table>\n<tbody>\n<tr>\n<td rowspan=\"2\" width=\"208\"><strong>Cracking time<\/strong><\/td>\n<td style=\"text-align: center\" colspan=\"2\"><strong>Percentage of passwords crackable using the given method<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center\" width=\"208\"><strong>Brute force<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\"><strong>Smart guessing<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"208\"><strong>Under a minute<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\">10%<\/td>\n<td style=\"text-align: center\" width=\"208\">45%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\"><strong>1 minute to 1 hour<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\">+10% (20%)<\/td>\n<td style=\"text-align: center\" width=\"208\">+14% (59%)<\/td>\n<\/tr>\n<tr>\n<td width=\"208\"><strong>1 hour to 1 day<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\">+6% (26%)<\/td>\n<td style=\"text-align: center\" width=\"208\">+8% (67%)<\/td>\n<\/tr>\n<tr>\n<td width=\"208\"><strong>1 day to 1 month<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\">+9% (35%)<\/td>\n<td style=\"text-align: center\" width=\"208\">+6% (73%)<\/td>\n<\/tr>\n<tr>\n<td width=\"208\"><strong>1 month to 1 year<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\">+10% (45%)<\/td>\n<td style=\"text-align: center\" width=\"208\">+4% (77%)<\/td>\n<\/tr>\n<tr>\n<td width=\"208\"><strong>Over 1 year<\/strong><\/td>\n<td style=\"text-align: center\" width=\"208\">+55% (100%)<\/td>\n<td style=\"text-align: center\" width=\"208\">+23% (100%)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\nIt\u2019s important to note that cracking all passwords in the database doesn\u2019t take much more time than cracking just one (!). 
At each iteration, having calculated the hash for the next combination of characters, the attacker checks whether the same one exists in the general database. If it does, the password in question is marked as \u201ccracked\u201d, after which the algorithm continues to guess other passwords.\n<\/p>\n<h2>Why smart guessing algorithms are so effective<\/h2>\n<p>\nHumans are predictable. We rarely choose truly random passwords, and our attempts at generating them pale in comparison to machines. We rely on common phrases, dates, names, and patterns \u2013 precisely what smart cracking algorithms are designed to exploit.<\/p>\n<p>Moreover, the human brain is such that if you ask a sample of folks to pick a number between one and a hundred, most will choose\u2026 the same numbers! The YouTube channel Veritasium <a href=\"https:\/\/www.youtube.com\/watch?v=d6iQrh2TK98&amp;t=253s\" target=\"_blank\" rel=\"noopener nofollow\">surveyed<\/a> more than 200,000 people and found the most popular numbers to be 7, 37, 42, 69, 73, and 77.<\/p>\n<div id=\"attachment_51487\" style=\"width: 1717px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/06\/18153343\/password-can-be-hacked-in-one-hour-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51487\" class=\"size-full wp-image-51487\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/06\/18153343\/password-can-be-hacked-in-one-hour-01.jpg\" alt=\"Results of the Veritasium survey\" width=\"1707\" height=\"956\"><\/a><p id=\"caption-attachment-51487\" class=\"wp-caption-text\">Results of the Veritasium survey. <a href=\"https:\/\/www.youtube.com\/watch?v=d6iQrh2TK98&amp;t=253s\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Even when attempting random character strings, we tend to favor keys in the middle of the keyboard. 
Around 57% of all the passwords we analyzed were found to contain a dictionary word or frequent symbol combination. Worryingly, 51% of these passwords could be cracked in less than a minute, 67% in under an hour, and only 12% took more than a year. On the bright side, only a few passwords consisted of a dictionary word alone (those could be cracked within a minute). See <a href=\"https:\/\/securelist.com\/password-brute-force-time\/112984\/\" target=\"_blank\" rel=\"noopener\">the Securelist post<\/a> for more about the password patterns we encountered.<\/p>\n<p>Smart algorithms make short work of most passwords that contain dictionary sequences. And they even catch character substitutions \u2014 so writing \u201cpa$$word\u201d instead of \u201cpassword\u201d or \u201c@dmin\u201d instead of \u201cadmin\u201d won\u2019t make the password much stronger. Using popular words and number sequences is equally risky. In 4% of the passwords we examined, the following cropped up somewhere:\n<\/p>\n<ul>\n<li>12345<\/li>\n<li>123456<\/li>\n<li>love<\/li>\n<li>12345678<\/li>\n<li>123456789<\/li>\n<li>admin<\/li>\n<li>team<\/li>\n<li>qwer<\/li>\n<li>54321<\/li>\n<li>password<\/li>\n<\/ul>\n<h2>Recommendations<\/h2>\n<p>\nThe takeaways from our hands-on study:\n<\/p>\n<ul>\n<li>Many user passwords aren\u2019t strong enough; 59% of them can be cracked in an hour.<\/li>\n<li>Using meaningful words, names, and standard character sequences in your password significantly reduces password guessing time.<\/li>\n<li>The least secure password is one that consists only of digits or only of words.<\/li>\n<\/ul>\n<p>\nTo keep your accounts safe, consider the following simple recommendations:\n<\/p>\n<ul>\n<li>Generate strong passwords using <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>.<\/li>\n<li>If you decide to create a 
password yourself, use <a href=\"https:\/\/www.youtube.com\/shorts\/Y850Cx5Zc7M\" target=\"_blank\" rel=\"nofollow noopener\">mnemonic passphrases<\/a> rather than meaningful word combinations, names, or dictionary sequences.<\/li>\n<li>Never <a href=\"https:\/\/www.kaspersky.com\/blog\/never-reuse-passwords-story\/24808\/\" target=\"_blank\" rel=\"noopener nofollow\">reuse passwords across different sites<\/a>, because not all companies store user data securely.<\/li>\n<li>Never <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-store-passwords-securely\/48784\/\" target=\"_blank\" rel=\"noopener nofollow\">save passwords in browsers<\/a>.<\/li>\n<li>Keep your passwords safely stored in a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password manager<\/a> and create a crack-proof primary password for it.<\/li>\n<li>Check how crack-resistant your password is with <a href=\"https:\/\/password.kaspersky.com\/\" target=\"_blank\" rel=\"noopener\">Password Checker<\/a> or directly in your <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>. 
It will identify weak and duplicate passwords, check all your passwords against compromised databases, and alert you if a match is found.<\/li>\n<li>Utilize <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> to continually monitor in the background all accounts linked to your and family members\u2019 phones or email addresses for data leaks.<\/li>\n<li>Enable <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-two-factor-authentication\/48289\/\" target=\"_blank\" rel=\"noopener nofollow\">2FA<\/a> wherever possible. Incidentally, <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> also lets you save 2FA tokens and generate one-time codes.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n","protected":false},"excerpt":{"rendered":"<p>Almost six out of ten passwords can be cracked in less than an hour using either a modern graphics card or cloud services. All it costs is a few dollars and some free time. 
How this is possible and what to do about it is the topic of our study.<\/p>\n","protected":false},"author":2761,"featured_media":22908,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225,1486],"tags":[1449,82,1021,2601,1183,187,43],"class_list":{"0":"post-22905","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-threats","9":"tag-breaches","10":"tag-hacking","11":"tag-kaspersky-password-manager","12":"tag-kaspersky-premium","13":"tag-leaks","14":"tag-passwords","15":"tag-privacy"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/22905\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/password-can-be-hacked-in-one-hour\/27588\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/11743\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/30259\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/password-can-be-hacked-in-one-hour\/27738\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/27453\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/password-can-be-hacked-in-one-hour\/30120\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/password-can-be-hacked-in-one-hour\/28999\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/password-can-be-hacked-in-one-hour\/37700\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/password-can-be-hacked-in-one-hour\/12474\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/51469\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/password-can-be-hacked-in-one-hour\/21965\/"},{"hreflang":"pt-br","u
rl":"https:\/\/www.kaspersky.com.br\/blog\/password-can-be-hacked-in-one-hour\/22708\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/password-can-be-hacked-in-one-hour\/31367\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/password-can-be-hacked-in-one-hour\/36587\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/password-can-be-hacked-in-one-hour\/29189\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/password-can-be-hacked-in-one-hour\/27904\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/password-can-be-hacked-in-one-hour\/33732\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/password-can-be-hacked-in-one-hour\/33396\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/passwords\/","name":"passwords"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22905","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2761"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=22905"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22905\/revisions"}],"predecessor-version":[{"id":22910,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22905\/revisions\/22910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/22908"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=22905"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=22905"},{"taxonomy":"post_tag","embeddab
le":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=22905"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}