Scammers can hack your password in less than a minute: How to prevent it
Kaspersky specialists conducted a comprehensive analysis on the strength of 193 million English passwords that were compromised by infostealers and found on the darknet. The study revealed that 45% of the passwords (87M) could be guessed by cybercriminals within a minute, while only 23% (44M) were strong enough to resist attacks that would take over a year to crack. Additionally, Kaspersky experts identified the most commonly used character combinations in passwords.
Kaspersky’s data shows that there were over 32 million attempts to steal passwords from users in 2023. These figures underscore the importance of maintaining good digital hygiene and implementing effective password policies.
The findings from the Kaspersky research reveal that most of the passwords analyzed were not sufficiently secure and could be cracked easily using intelligent guessing techniques. Here is a breakdown of how quickly this can occur:
- 45% (87M) in less than 1 minute.
- 14% (27M) – from 1 min to 1 hour.
- 8% (15M) – from 1 hour to 1 day.
- 6% (12M) – from 1 day to 1 month.
- 4% (8M) – from 1 month to 1 year.
Experts identified only 23% (44M) of passwords as resistant – compromising them would take more than 1 year. Furthermore, the majority of the examined passwords (57%) contain a word from the dictionary, which significantly reduces the passwords’ strength. Among the most popular vocabulary sequences, several groups can be distinguished:
- Names: “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel”.
- Popular words: “forever”, “love”, “google”, “hacker”, “gamer”.
- Standard passwords: “password”, “qwerty12345”, “admin”, “12345”, “team”.
The analysis indicated that merely 19% of all passwords meet the formal criteria of a strong combination: a non-dictionary term containing lowercase and uppercase letters, numbers, and symbols. Interestingly, the research also found that 39% of even these formally strong passwords could be guessed using intelligent algorithms in under an hour, because meeting the character-class checklist does not make a password unpredictable.
It is noteworthy that attackers do not need extensive expertise or costly tools to crack passwords. For instance, a high-performance laptop processor can brute-force an 8-character password consisting of lowercase letters or digits in just 7 minutes, and a modern graphics card can do the same in a mere 17 seconds. Figures like these describe an offline attack, where the attacker already holds a leaked password hash and can test guesses at full hardware speed; the actual time depends heavily on how fast the hash function is, and an online login form with rate limiting stretches the same search by orders of magnitude. Intelligent password-guessing algorithms also take into account character substitutions (“e” with “3”, “1” with “!” or “a” with “@”) and common sequences (“qwerty”, “12345”, “asdfg”), so a dictionary word with a few symbols swapped in falls almost as quickly as the plain word.
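The following is an added example, not code from the article or from Kaspersky, that works through the brute-force arithmetic behind the 7-minute and 17-second figures and then applies a minimal "intelligent guessing" check of the kind the previous paragraphs describe: undo the named character substitutions, lowercase, and look for a dictionary word or keyboard sequence. The 36-symbol alphabet, the 12-character minimum, the two extra substitutions ("o" to "0", "s" to "$") and the small word and sequence lists are assumptions constructed for illustration, not data from the study.

```python
import string
from typing import Optional

# Added example: brute-force arithmetic from the article's figures plus a
# minimal "intelligent guessing" check. Alphabets, word lists and thresholds
# are constructed for illustration, not taken from the Kaspersky study.

# 8 characters drawn from lowercase letters or digits: 36 symbols per position.
LOWER_OR_DIGITS = len(string.ascii_lowercase + string.digits)  # 36
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a password of this shape."""
    return alphabet_size ** length


def implied_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def brute_force_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


# Substitutions named in the article ("e"->"3", "1"->"!", "a"->"@") plus two
# assumed extras that common mangling rule sets also try ("o"->"0", "s"->"$").
# The table maps each substituted character back to the original.
UNLEET = str.maketrans({"3": "e", "!": "1", "@": "a", "0": "o", "$": "s"})

# Constructed mini wordlist and keyboard-walk list, not the study's data.
DICTIONARY = {"password", "admin", "team", "love", "forever", "google", "hacker",
              "gamer", "ahmed", "nguyen", "kumar", "kevin", "daniel"}
SEQUENCES = ["qwerty", "12345", "asdfg"]


def normalize(password: str) -> str:
    """Lowercase and undo substitutions, so 'P@ssw0rd!' becomes 'password1'."""
    return password.lower().translate(UNLEET)


def smart_guess_hit(password: str) -> Optional[str]:
    """Return the sequence or dictionary word a guessing algorithm would find, else None."""
    core = normalize(password)
    for seq in SEQUENCES:
        if seq in core:
            return seq
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if word in core:
            return word
    return None


def has_all_classes(password: str) -> bool:
    """The formal criteria quoted in the article: lowercase, uppercase, digit and symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def assess(password: str, min_length: int = 12) -> dict:
    """Character-class test plus the dictionary test; `min_length` is an assumed policy."""
    hit = smart_guess_hit(password)
    classes = has_all_classes(password)
    return {"all_classes": classes, "dictionary_hit": hit,
            "strong": classes and hit is None and len(password) >= min_length}


if __name__ == "__main__":
    cpu = implied_rate(LOWER_OR_DIGITS, 8, 7 * 60)   # 7 minutes on a laptop CPU
    gpu = implied_rate(LOWER_OR_DIGITS, 8, 17)       # 17 seconds on a GPU
    print(f"36^8 = {keyspace(LOWER_OR_DIGITS, 8):,} candidates")
    print(f"implied rates: CPU {cpu:.2e}/s, GPU {gpu:.2e}/s")
    # Same GPU rate against longer or richer passwords: length beats character classes.
    print(f" 8 printable chars : {brute_force_seconds(PRINTABLE, 8, gpu) / 3600:.1f} hours")
    print(f"12 lowercase chars : {brute_force_seconds(26, 12, gpu) / 86400:.1f} days")
    print(f"12 printable chars : {brute_force_seconds(PRINTABLE, 12, gpu) / (365 * 86400):.0f} years")
    for pw in ["P@ssw0rd!", "Qwerty12345!", "xK7#vL2qRp9$"]:
        print(pw, assess(pw))
```

Run as a script, it shows that "P@ssw0rd!" satisfies every character-class rule yet normalizes to "password1" and is caught immediately, while the same GPU rate that exhausts 8 lowercase-or-digit characters in seconds needs tens of thousands of years for 12 random printable characters.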
“Subconsciously, individuals tend to create ‘human’ passwords – incorporating words from dictionaries in their native languages, including names and numbers. Even seemingly strong combinations are seldom entirely random, making them susceptible to algorithmic guessing. Therefore, the most reliable approach is to generate a completely random password using contemporary and trustworthy password managers. Applications like Kaspersky Password Manager can securely store vast amounts of data, delivering comprehensive and robust protection for user information,” remarked Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky.
To enhance password security, users can adhere to these straightforward guidelines:
- It is advisable to create a unique password for each service you use. By doing so, in the event that one of your accounts is compromised, the others will remain secure.
- Passphrases offer better security when the words are chosen at random rather than forming a natural phrase. Even common words are fine if you combine several of them in an unconventional order, so that no word predicts the next.
- Avoid using passwords that can be easily guessed based on personal information such as birthdays, family members’ names, pets, or your own name. Attackers often try these as their initial guesses.
- While it may be challenging to remember lengthy and distinct passwords for all your services, utilizing a password manager like Kaspersky can help. With this solution, you only need to remember one master password.
- Enable two-factor authentication (2FA) for an added layer of security. Although not directly linked to password strength, 2FA requires a second form of verification even if someone obtains your password. Modern password managers can store 2FA keys as well; note, though, that keeping the one-time-code secret in the same vault as the password means a compromised vault yields both factors, whereas a separate authenticator app or hardware key keeps them independent.
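As an added example, not code from the article or from Kaspersky, the block below generates the kind of fully random password and randomly assembled passphrase the guidelines recommend, using Python's `secrets` module (the operating system's cryptographic random source) and reporting the entropy of each choice. The 32-word list is a constructed stand-in for a real diceware-style list of 7,776 words, and the 94-symbol printable alphabet is an assumption.

```python
import math
import secrets
import string

# Added example: random password and passphrase generation with the `secrets`
# module, plus the entropy of each choice. WORDLIST is a constructed stand-in;
# a diceware-style list has 7,776 words (about 12.9 bits per word).
WORDLIST = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
            "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pebble",
            "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "yarrow",
            "zephyr", "bison", "cedar", "dune", "fjord", "glacier", "heron", "ivory"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections from `choices` options."""
    return picks * math.log2(choices)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password. `random.choice` is not a CSPRNG; `secrets.choice` is."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Words chosen independently at random, so no word predicts the next."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def is_from(password: str, alphabet) -> bool:
    """Check that every symbol of a generated secret comes from the intended alphabet."""
    return all(c in alphabet for c in password)


def passphrase_words(phrase: str, sep: str = "-") -> list:
    """Split a generated passphrase back into its words for inspection."""
    return phrase.split(sep)


if __name__ == "__main__":
    pw = random_password(16)
    phrase = random_passphrase(5)
    print(f"{pw}  ({entropy_bits(len(PRINTABLE), 16):.1f} bits)")
    print(f"{phrase}  ({entropy_bits(len(WORDLIST), 5):.1f} bits with this toy list, "
          f"{entropy_bits(7776, 5):.1f} bits with a 7,776-word list)")
```

The entropy figures make the trade-off concrete: five words from a real 7,776-word list give about 65 bits and are memorable, while 16 random printable characters give about 105 bits and belong in a password manager. Either way the strength comes from the number of independent random choices, not from clever spelling.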
Enhance your security with a trusted solution such as Kaspersky Premium, which monitors online activity and alerts you when passwords need to be updated. For further details, refer to the research material on Securelist and the Kaspersky Daily post.