Summary of Kaspersky's 2026 Password Security Research
Source: Kaspersky Blog


⚠️ Methodological note: The cracking tests in this study were conducted exclusively on MD5 hashes — a fast, outdated algorithm that is not recommended for password storage. Modern services use slow key derivation functions such as bcrypt, Argon2, or scrypt, which would make these numbers far less alarming. The results therefore reflect a worst-case scenario (a leak from a poorly configured service), not the reality of all production systems.


The Findings: A Sobering Reality Check

Kaspersky has released an updated study on real-world password strength, analyzing 231 million unique passwords from dark web leaks collected between 2023 and 2026. The results are grim: 48% of passwords can be cracked in under a minute, and 60% fall within an hour. Compared to the 2024 edition of this research (45% and 59% respectively), things have gotten slightly worse — and the trend shows no sign of reversing.


How Passwords Get Cracked

Passwords are almost never stored in plain text — they're converted into cryptographic hashes. To recover the original password, attackers use several techniques:

  • Brute force: every possible character combination is tested sequentially.
  • Rainbow tables: pre-computed databases matching hashes to known passwords.
  • Smart cracking: algorithms trained on previous leaks that prioritize likely combinations — dictionary words, common substitutions (a → @, s → $), and typical structures like word + number + special character.

Hardware is also accelerating the threat: the RTX 5090 used in this study reaches 220 billion MD5 hashes per second — a 34% jump over the RTX 4090 from 2024. Renting GPU power in the cloud costs only a few cents to a few dollars per hour, making large-scale attacks accessible to virtually anyone.


The Patterns That Give Passwords Away

Analysis of over 200 million passwords reveals just how predictable human behavior is:

  • 53% of passwords end with one or more digits.
  • 12% contain a sequence resembling a year between 1950 and 2030.
  • 10% specifically include a year between 1990 and 2026 — likely a birth year or account creation year.
  • The most popular numeric combo is, unsurprisingly, "1234".
  • Keyboard sequences like qwerty or ytrewq appear in 3% of passwords.
  • The most-used special character is @, followed by . and !.
  • Emotionally charged words are common: love, angel, star, life, team.
  • A notable cultural data point: the word "Skibidi" (from the viral Skibidi Toilet meme) saw a 36-fold increase in passwords between 2023 and 2026.
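
A registration-time or audit check can flag the patterns listed above before a password is accepted. The sketch below is an added example, not code from the Kaspersky study; the function name, the labels, and the rule that a year must be a stand-alone four-digit run are assumptions.

```python
import re

# Pattern lists come from the findings above. Function and label names are
# assumptions for this example; this is not Kaspersky's tooling.
KEYBOARD_RUNS = ("qwerty", "ytrewq")
COMMON_WORDS = ("love", "angel", "star", "life", "team", "skibidi")
LEET = str.maketrans({"@": "a", "$": "s"})  # substitutions named in the article
# Assumption: a "year" is a stand-alone four-digit run in 1950..2030.
YEAR = re.compile(r"(?<!\d)(19[5-9]\d|20[0-2]\d|2030)(?!\d)")
# word + number + special character, the structure the article calls typical
WORD_NUM_SPECIAL = re.compile(r"[a-z@$]+\d+[^a-z\d]+")


def find_patterns(password: str) -> list[str]:
    """Return a label for every predictable pattern found in `password`."""
    findings = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)  # undo a -> @ and s -> $

    if re.search(r"\d$", password):
        findings.append("trailing-digits")
    years = [int(y) for y in YEAR.findall(password)]
    if years:
        findings.append("year-1950-2030")
    if any(1990 <= y <= 2026 for y in years):
        findings.append("year-1990-2026")
    if "1234" in password:
        findings.append("1234-sequence")
    if any(run in lowered for run in KEYBOARD_RUNS):
        findings.append("keyboard-run")
    if any(word in normalized for word in COMMON_WORDS):
        findings.append("common-word")
    if WORD_NUM_SPECIAL.fullmatch(lowered):
        findings.append("word-number-special")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for sample in ("Angel2009!", "qwerty1234", "$t@r1965", "vK7#pWq9&zLm2^Tb"):
        print(f"{sample!r}: {find_patterns(sample) or 'no listed pattern'}")
```

An empty result only means none of the listed patterns matched; it is not a strength estimate.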

Passwords That Age Poorly

Over 54% of passwords found in recent leaks had previously appeared in earlier breaches. Many users simply don't update their credentials for years. Analysis of embedded dates within passwords suggests the average password lifespan is 3 to 5 years — more than enough time for modern cracking algorithms to compromise even moderately complex passwords. Reusing the same password across multiple accounts amplifies the risk further: a single leak becomes a skeleton key.


How to Protect Yourself

  1. Use a password manager — let it generate and store long, random, unique passwords for every service.
  2. Never store passwords in plain text — not in notes, chat apps, or documents.
  3. Don't rely on browser-saved passwords — modern malware can extract them in seconds.
  4. Switch to passkeys wherever possible — a cryptographic alternative to passwords that is phishing-resistant by design, since it's tied to a specific domain.
  5. Enable two-factor authentication (2FA) — prefer authenticator apps over SMS-based codes.
  6. Practice good digital hygiene — avoid pirated software and suspicious links, and keep a robust security solution up to date.

Source: Kaspersky research, May 2026 — based on 231 million unique passwords from dark web leaks (2023–2026).