"One hour is all an attacker needs to crack three out of every five passwords they've found in a leak," Kaspersky noted.
Kaspersky's MD5 experiment: 231 million passwords, one RTX 5090
On World Password Day researchers at security firm Kaspersky published a test that quantifies how quickly password hashes can fall. They took a dataset of more than 231 million unique passwords — including 38 million added since Kaspersky's previous study — and hashed them with MD5. Using a single Nvidia RTX 5090 graphics card, Kaspersky found that 60 percent of those password hashes could be cracked in less than an hour, and a full 48 percent in under 60 seconds.
Kaspersky noted that the RTX 5090 is "not exactly your run-of-the-mill desktop graphics processor given its price," but also pointed out that would-be attackers can rent such hardware from a cloud provider and crack hashes "for a few bucks." The company compared the results to its 2024 iteration and found that passwords in 2026 were a bit easier to crack — "not by much," Kaspersky says, "only a few percent" — but still moving in the wrong direction.
Why MD5 and password predictability make cracking fast
The core technical takeaway Kaspersky emphasizes is simple and stark: fast hashing algorithms such as MD5 are no longer safe if attackers obtain the hashes. Much of the improvement in cracking speed comes down to two factors named by Kaspersky — more powerful graphics processors and predictable human password choices.
In an analysis of more than 200 million exposed passwords Kaspersky found repeatable patterns that attackers can exploit to optimize cracking algorithms, significantly reducing the time needed to hit the correct character combinations. "Attackers owe this boost in speed to graphics processors, which grow more powerful every year," Kaspersky explained. "Unfortunately, passwords remain as weak as ever."
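To make the contrast in this section concrete, here is an added Python example (not Kaspersky's or The Register's code) that stores a password both ways: unsalted MD5, the scheme the experiment cracked, and salted scrypt, whose memory-hard work factor makes every guess far more expensive on a GPU. The scrypt parameters and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: N=2**14, r=8 costs about 16 MiB of RAM per guess, which is
# what starves GPU cracking throughput. Raise N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 64 * 1024 * 1024


def md5_store(password: str) -> str:
    """Legacy scheme the experiment targets: one fast, unsalted MD5 pass.
    Equal passwords give equal digests, so one cracked hash unlocks every
    account sharing that password and precomputed tables apply directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Store with a random per-user salt and a memory-hard KDF. The record
    embeds its parameters so they can be raised later without breaking
    verification of older records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), maxmem=MAXMEM, dklen=32,
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, bad params
        return False


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    print("md5 user1:", md5_store("password"))
    print("md5 user2:", md5_store("password"))  # identical, so linkable
    rec = scrypt_store("password")
    print("scrypt user1:", rec, "verify:", scrypt_verify("password", rec))
```

Note that salting and a slow KDF raise the per-guess cost but do not rescue a password that sits near the top of a leaked-password list; the predictability problem the article describes still needs policy and a second factor.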
Advice from Chris Gunner (Thrive) and Steven Furnell (University of Nottingham)
Practitioners quoted in the coverage offered concrete guidance that aligns with Kaspersky's findings. Chris Gunner, a CISO-for-hire at managed service provider Thrive, told the outlet that passwords should not be discarded entirely but must be only "one part of a broader identity-based security strategy." He recommended pairing passwords with a second factor — "preferably biometric" — and joining MFA controls with identity governance and endpoint protection so gaps between systems are reduced. Gunner also recommended establishing a broader zero trust model to restrict lateral movement after an account compromise.
Steven Furnell, a senior IEEE member and cybersecurity professor at the University of Nottingham, pushed the message beyond individual users to the services that still require passwords. Furnell said World Password Day messaging "ought not to be to the users, who often have no choice but to use passwords anyway, but to the sites and providers that are requiring them to do so." He noted many sites still don't offer passkey support, leaving users with a mixed login experience, and added that users are often not taught how to create a good modern password while sites sometimes fail to enforce adequate password requirements.
What this means for security teams, service providers, and end users
- Security teams and CISOs: Kaspersky's result is a practical warning: hashes stored with fast algorithms can be broken quickly on commodity cloud GPU rentals. Teams should ensure stronger password hashing and layered identity controls, and consider the identity governance, endpoint protection, and zero-trust measures recommended by Chris Gunner.
- Service providers and site operators: As Steven Furnell warned, providers that continue to force password-only logins risk leaving users exposed; adding passkey support where feasible and enforcing stronger password requirements are concrete steps called out in the reporting.
- End users: Passwords remain ubiquitous and, the coverage notes, they are unlikely to disappear soon. Where possible, enable multifactor authentication — Gunner specifically recommends biometric second factors — and expect a mixed experience as adoption of passkeys and other modern options remains uneven.
Bottom line: an organizational responsibility to add another locked door
Kaspersky's math is blunt: with modern GPUs and predictable human behavior, "one hour" can be enough for attackers to take over a large share of leaked accounts. The company and the practitioners quoted converge on the same conclusion — individual passwords are weak when used alone, and organizations need to provide additional layers of identity and access control. As the story puts it, even properly hashed passwords are unlikely to hold long against today's cracking capabilities, making it an "organizational responsibility to ensure there's yet another locked door behind the first one."
Link to the original story: https://www.theregister.com/security/2026/05/07/60-of-md5-password-hashes-are-crackable-in-under-an-hour/5234954