https://www.kaspersky.com/blog/passwords-hacking-research-2026/55743
New research from Kaspersky, released on World Password Day 2026, delivers a wake-up call for organisations still relying on MD5 hashing to protect user credentials. Analyzing a dataset of more than 231 million unique passwords sourced from dark web leaks, including 38 million newly added since the firm’s previous study, Kaspersky found that a single Nvidia RTX 5090 graphics card can crack 60 percent of MD5-hashed passwords in under an hour, with 48 percent crackable in less than 60 seconds. Compounding the concern, aspiring cybercriminals don’t even need to own such hardware, as cloud providers make high-powered GPUs readily available for rent at minimal cost, dramatically lowering the barrier to large-scale credential cracking operations.
The research highlights two converging forces driving the deteriorating state of password security. First, GPU processing power continues to grow year over year, making brute-force and dictionary attacks increasingly fast and affordable. Second, and perhaps more troublingly, human password behaviour has barely improved, Kaspersky’s analysis of over 200 million exposed passwords revealed persistent patterns and predictability that attackers routinely exploit to optimise cracking algorithms and slash the time required to compromise accounts. Compared to Kaspersky’s 2024 iteration of the same study, passwords are actually slightly easier to crack in 2026, representing movement in entirely the wrong direction.