MD5’s Demise: 60% of Real Password Hashes Fall in Under an Hour

Kaspersky's analysis of 231 million real leaked passwords shows 60% of MD5 hashes crack in under an hour on one GPU. The 2026 study reveals faster hardware and predictable human patterns driving the collapse. Providers must move to stronger algorithms and passkeys now.
MD5’s Demise: 60% of Real Password Hashes Fall in Under an Hour
Written by Dave Ritchie

One hour. That’s all it takes for attackers to expose three out of five passwords hashed with MD5. The finding comes from fresh research released today, timed perfectly for World Password Day. And the numbers reveal a system long past its expiration date.

Security firm Kaspersky examined more than 231 million unique passwords pulled from dark web leaks. These weren’t made-up test cases. They came from real breaches between 2023 and 2026, with 38 million added since the company’s last review. Researchers then hashed them using MD5. The result? A single modern GPU cracked 48 percent in under 60 seconds. Another 12 percent followed within the hour. Sixty percent total fell quickly.

But the details get worse. The Kaspersky study shows this marks a slight uptick from 2024, when 45 percent cracked in a minute and 59 percent in an hour. Hardware improvements explain much of the shift. An Nvidia RTX 5090 delivered 220 gigahashes per second on MD5. That’s 34 percent faster than the RTX 4090 used in the prior test. Attackers don’t even need to buy the card. Cloud rental fees run from pennies to a few dollars per hour.

Password patterns tell the real story. Analysis of over 200 million exposed credentials uncovered predictable habits. Fifty-three percent end with one or more digits. Seventeen percent start with a number. Twelve percent include year-like sequences between 1950 and 2030. “1234” remains the top numeric string. Common bases include “love,” “angel,” and “star.” Swear words appear often. Even internet memes like “Skibidi” surged 36-fold in usage from 2023 to 2026. Fifty-four percent of these passwords had shown up in earlier leaks. Their average lifespan stretches three to five years. Many users simply never change them.

The Register report on the study drives the point home. “One hour is all an attacker needs to crack three out of every five passwords they’ve found in a leak,” Kaspersky stated. Smart algorithms trained on leaked databases outperform pure brute force. They account for dictionary words, character substitutions, and common structures. Cracking an entire dataset takes little longer than testing one password. The system checks each guess against all hashes simultaneously.

MD5 was never built for this job. Designed decades ago for speed and integrity checks, it computes too quickly for password storage. Modern GPUs exploit that weakness without mercy. Salting helps somewhat yet fails against the raw speed. Rainbow tables and dictionary attacks finish the job on weak choices. Nearly any eight-character password collapses in less than 24 hours under these conditions.

Industry observers have warned for years. Yet adoption of stronger methods lags. The Register piece quotes Chris Gunner, CISO at Thrive. “Even a strong password can be undermined if the wider identity and access environment is not properly managed.” He pushes for pairing credentials with biometric second factors, MFA, identity governance, endpoint protection, and zero-trust principles to limit damage.

Steven Furnell, cybersecurity professor at the University of Nottingham, takes a broader view. “Many sites and services still don’t offer passkey support, so users will find themselves with a mixed login experience.” He argues the message on days like today should target providers, not just end users. Sites often fail to enforce strong requirements or provide better alternatives. Users get stuck with passwords whether they like it or not.

Recent coverage reinforces the trend. A Hive Systems report from late April updated cracking tables for 2026. Even with bcrypt at work factor 10, hardware advances shrink timelines. Strong random eight-character passwords still hold for months or years on single rigs. But budgets and clusters change the math fast. AI tools like PassGAN now guess 51 percent of common passwords in under a minute by focusing on human patterns rather than random noise.

Other tests echo the findings. Penetration testers at Hedgehog Security cracked 60.4 percent of 847 domain password hashes in roughly three hours using one GPU. Those accounts met standard complexity rules. Yet human behavior made them vulnerable. Tools such as Hashcat accelerate everything. One demonstration on LinkedIn recovered an eight-character password in about one second at 65 gigahashes per second.

So what replaces MD5? Experts point to memory-hard functions built for the task. Argon2id tops many lists for its resistance to GPU attacks. Bcrypt with sufficient work factors offers a solid alternative. Both slow down computation deliberately. They add computational cost that scales with hardware improvements. Salting must be unique per password. Peppering adds another layer. Yet implementation details matter. Poor configuration undermines the gains.

Password managers help at the user level. They generate long random strings. Sixteen to 20 characters become feasible. Services like Kaspersky Password Manager also support passkeys, which eliminate shared secrets entirely. Public keys live on servers. Private keys stay on devices. Phishing resistance improves dramatically. Major platforms now push passkey adoption, though rollout remains uneven.

Multi-factor authentication buys time. Authenticator apps beat SMS. Biometrics add friction for attackers. Still, these layers work best alongside strong hashing. A breach that spills MD5 hashes turns MFA into a speed bump rather than a wall if passwords fall instantly.

The numbers paint a clear picture. Twenty-three percent of tested passwords resisted cracking for more than a year. That leaves the vast majority exposed within weeks or months. Organizations storing legacy hashes face immediate risk. Migration projects carry their own headaches. Rate limiting, monitoring for anomalous access, and breach detection become essential stopgaps.

Hardware keeps advancing. GPU clusters and cloud resources lower the barrier. What required nation-state resources a decade ago now fits in a basement or rented instance. Attackers combine leaked datasets with automated tools. Infostealer malware feeds the pipeline with fresh credentials. The cycle accelerates.

Providers bear responsibility here. They control the login experience. They decide which hashing algorithms protect user data. They choose whether to support passkeys or enforce minimum lengths. Users can only work within those constraints. Education helps. Yet systemic change matters more.

The Kaspersky researchers put it bluntly. Attackers owe their success to ever-more-powerful graphics processors. Passwords, meanwhile, stay as weak as ever. The gap widens each year. MD5 belongs in the history books, not production databases. The question isn’t whether it will be abandoned. It’s how quickly organizations will act before the next batch of leaks exposes millions more.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us