60% of MD5 Password Hashes Crackable in Under an Hour, Kaspersky Study Finds
Kaspersky researchers found that 60% of MD5 password hashes from a dataset of 231 million leaked passwords can be cracked in under an hour using a single Nvidia RTX 5090 GPU, with 48% cracked in under 60 seconds.

A new study from Kaspersky reveals that most password hashes protected by the MD5 algorithm can be cracked in under an hour using a single modern graphics card. Analyzing a dataset of over 231 million unique passwords sourced from dark web leaks, researchers found that 60% of MD5 hashes could be cracked in less than an hour using an Nvidia RTX 5090 GPU, with 48% cracked in under 60 seconds. The findings underscore the inadequacy of fast hashing algorithms like MD5 against modern GPU-powered attacks.
The study, released on World Password Day, highlights that password predictability and increasingly powerful graphics processors are driving the trend. Kaspersky noted that common patterns in passwords allow attackers to optimize cracking algorithms, significantly reducing the time needed to guess character combinations. "One hour is all an attacker needs to crack three out of every five passwords they've found in a leak," the researchers stated.
Compared to a similar study in 2024, passwords are actually slightly easier to crack in 2026, though only by a few percent. "Attackers owe this boost in speed to graphics processors, which grow more powerful every year," Kaspersky explained. "Unfortunately, passwords remain as weak as ever." The researchers emphasized that aspiring cybercriminals don't even need their own RTX 5090, as they can easily rent one from a cloud provider for a few dollars.
The implications are clear: passwords protected only by fast hashing algorithms such as MD5 are no longer safe if attackers obtain them in a data breach. The study calls for a shift away from reliance on passwords alone. Chris Gunner, a CISO-for-hire at Thrive, told The Register that passwords should be paired with a second factor, preferably biometric, and integrated into a broader zero-trust model. "Even a strong password can be undermined if the wider identity and access environment is not properly managed," Gunner said.
Senior IEEE member and University of Nottingham cybersecurity professor Steven Furnell added that the responsibility should not fall solely on users. "Many sites and services still don't offer passkey support, so users will find themselves with a mixed login experience," Furnell explained. He urged sites and providers to enforce adequate password requirements and adopt stronger authentication methods. The study serves as a stark reminder that as GPU power continues to increase, the security of legacy hashing algorithms will only deteriorate further.
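
For services that still hold MD5 password hashes, the following added example (not from the Kaspersky study or any party quoted above) shows the fast-hash storage format beside a salted, memory-hard scrypt format, with legacy records replaced on the next successful login. The function names, record layout, scrypt parameters and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (n=2**14, r=8, p=1 uses about 16 MiB per guess).
N, R, P, DKLEN = 2**14, 8, 1, 32


def legacy_md5_record(password: str) -> str:
    """The weak 'before' format: unsalted MD5, one cheap operation per guess."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password: str) -> str:
    """The hardened format: per-user random salt plus memory-hard scrypt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_and_upgrade(record: str, password: str):
    """Return (ok, record_to_store). A legacy MD5 record is replaced on success."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, rest):
            return False, record
        # Correct password: re-hash it with scrypt so the MD5 value can be dropped.
        return True, scrypt_record(password)
    if scheme == "scrypt":
        n, r, p, salt_hex, key_hex = rest.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
        return hmac.compare_digest(key.hex(), key_hex), record
    return False, record  # unknown scheme: reject


if __name__ == "__main__":
    stored = legacy_md5_record("Summer2026!")  # constructed sample password
    ok, stored = verify_and_upgrade(stored, "Summer2026!")
    print(ok, stored.split("$")[0])
```

Records belonging to users who never log in again stay in the MD5 format until they are reset or otherwise re-protected.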