Study reveals 45% of passwords crackable within a minute

A study conducted by Kaspersky has unveiled that many online passwords are alarmingly vulnerable to being guessed by scammers within a minute. Out of 193 million passwords analysed, over 87 million could be compromised in less than a minute, while only 23% of the passwords had the resistance to withstand such attacks for over a year.

The research examined passwords that were compromised by infostealers and available on the darknet. According to the findings, a large proportion of these passwords were easy targets for brute force and smart guessing attacks. Kaspersky reported that their telemetry recorded more than 32 million attempts to attack users with password stealers in the year 2023.

During the analysis, 45% of the passwords could be guessed in under a minute. Breaking the data down further, it was found that 14% of passwords could be guessed within one minute to one hour, 8% within one hour to one day, 6% within one day to one month, and 4% could be compromised within one month to one year. Only a small fraction, 23%, were resistant enough to withstand such attacks for more than a year.

The study also identified common practices that make passwords weak. A significant 57% of the passwords analysed contained dictionary words, which diminishes their strength against automated guessing methods. Common vocabulary sequences included names such as "ahmed", "nguyen", and "kumar", popular words like "forever", "love", and "google", and standard passwords including "password", "qwerty12345", and "admin".

Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky, elucidated the widespread issue of weak passwords. "The interesting thing is that attackers do not require deep knowledge or expensive equipment to crack passwords. For example, a powerful laptop processor will be able to find the correct combination for a password of 8 lowercase letters or digits using brute force in just 7 minutes. Additionally, modern video cards will cope with the same task in 17 seconds," she stated.

Novikova further commented on the human tendency to create predictable passwords. "Unconsciously, human beings create human passwords—containing the words from dictionary in their native languages, featuring names and numbers. Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms."

To address this vulnerability, Kaspersky recommends several measures for strengthening password policies. Users are encouraged to use password managers, which allow for the storage of long and unique passwords that are difficult to memorize individually. Additionally, using a different password for each service can mitigate the risk of multiple accounts being compromised if one password is stolen. The use of passphrases with unexpected words arranged in an unusual order, and avoidance of passwords derived from personal information such as birthdays or pet names, are also recommended practices.

Another pivotal recommendation is enabling two-factor authentication (2FA), which provides an additional layer of security beyond the password. Even if someone discovers the password, they would still require a second form of verification to access the account. Modern password managers often support the storage of 2FA keys and secure them using advanced encryption methods.

The study highlights the importance of employing robust security solutions that monitor for breaches and provide timely alerts for password changes. Implementing these strategies can significantly enhance the protection of user accounts against increasingly sophisticated cyber threats.