Kaspersky report exposes critical flaws in 193 million passwords
July 1, 2024
Joy Agwunobi
In an age where cybersecurity is becoming increasingly critical, Kaspersky, a leading cybersecurity firm, has released a startling report revealing that nearly half of the passwords analysed can be cracked in less than a minute.
The report, based on an in-depth analysis of a massive dataset of compromised English-language passwords obtained from the darknet, assessed the strength of these 193 million passwords and how well they could withstand brute-force and smart guessing attacks, revealing important insights into the state of password security in today’s digital age.
According to the analysis, more than 45 percent of the passwords (87 million) were found to be highly vulnerable to guesswork attacks, while only 23 percent were secure enough to require over a year of cracking effort. This suggests that a significant number of users are not utilising sufficiently robust passwords, putting their accounts at great risk of compromise.
In addition, Kaspersky’s telemetry data revealed over 32 million attempts to attack users with password stealers in 2023 alone. This data points to the widespread and persistent threat that weak passwords pose to individuals and organisations alike.
The Kaspersky study showed that most of the reviewed passwords are not strong, often containing common words, names, or dates, and can be easily compromised using smart guessing algorithms. The report further provided a breakdown of how quickly passwords can be cracked: 45 percent (87 million) in less than one minute; 14 percent (27 million) between one minute and one hour; eight percent (15 million) between one hour and a day; six percent (12 million) between one day and a month; and four percent (8 million) between one month and a year.
Furthermore, the report found that a majority of the examined passwords (57%) contain a word from the dictionary, which ultimately reduces their strength. It noted the most common vocabulary sequences to include:
Names: “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel”.
Popular words: “forever”, “love”, “google”, “hacker”, “gamer”.
Standard passwords: “password”, “qwerty12345”, “admin”, “12345”, “team”.
The analysis showed that only 19 percent of all passwords exhibit signs of being strong, incorporating a non-dictionary word, a mix of lowercase and uppercase letters, as well as numbers and symbols. However, even among these, 39 percent could be guessed using smart algorithms in less than an hour.
According to the report, attackers do not need deep knowledge or expensive equipment to crack passwords. It stated that a powerful laptop processor can find the correct combination for a password of eight lowercase letters or digits using brute force in just seven minutes. The research further revealed that advanced technologies have made it even easier for hackers to crack weak passwords. With today’s powerful video cards, brute-force attacks can take mere seconds to find a match. Furthermore, smart guessing algorithms are getting more sophisticated, taking into account common character substitutions (e.g., “e” with “3”, “1” with “!”, “a” with “@”) and popular sequences (like “qwerty”, “12345”, “asdfg”), making it easier to guess weak passwords.
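As an added illustration (not Kaspersky’s own tooling), the following Python check mirrors the two attack styles the report describes: it estimates naive brute-force time from the laptop guess rate the report’s seven-minute figure implies, and separately flags the dictionary words, popular sequences and character substitutions a smart-guessing algorithm would catch. The “0” for “o” substitution, the mini-dictionary built from the report’s examples, and the derived guess rate are assumptions.

```python
import string

# Substitutions the report names ("3" for "e", "!" for "1", "@" for "a");
# "0" for "o" is an extra assumption. Values are the character an attacker
# would try restoring to.
LEET = {"3": "e", "!": "1", "@": "a", "0": "o"}
# Popular sequences named in the report.
SEQUENCES = ("qwerty", "12345", "asdfg")
# Constructed mini-dictionary from the report's examples; a real checker
# loads a full wordlist.
DICTIONARY = frozenset({
    "password", "admin", "team", "love", "forever", "google", "hacker",
    "gamer", "ahmed", "nguyen", "kumar", "kevin", "daniel",
})
# Guess rate implied by the report: 36^8 combinations (8 lowercase letters
# or digits) exhausted in 7 minutes on a laptop CPU. Derived, not stated.
LAPTOP_GUESSES_PER_SEC = 36 ** 8 / (7 * 60)

def normalize(password: str) -> str:
    """Lower-case and undo the substitutions a smart-guessing attack tries."""
    return "".join(LEET.get(c, c) for c in password.lower())

def charset_size(password: str) -> int:
    """Alphabet size a naive brute-force search must cover for this password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def brute_force_seconds(password: str, rate: float = LAPTOP_GUESSES_PER_SEC) -> float:
    """Worst-case seconds to exhaust the keyspace at the given guess rate."""
    return charset_size(password) ** len(password) / rate

def find_weaknesses(password: str) -> list:
    """Patterns a smart-guessing attack exploits. Both the raw lower-cased
    string and its de-substituted form are checked, because reversing
    substitutions is ambiguous ("12345" also contains a "3")."""
    variants = {password.lower(), normalize(password)}
    issues = ["short"] if len(password) < 12 else []
    for word in sorted(DICTIONARY):
        if any(word in v for v in variants):
            issues.append(f"dictionary:{word}")
    for seq in SEQUENCES:
        if any(seq in v for v in variants):
            issues.append(f"sequence:{seq}")
    return issues

if __name__ == "__main__":
    for pw in ("abcd1234", "p@ssw0rd", "qwerty12345", "Tr!plex-Quartz-Mango-Vault"):
        print(f"{pw!r}: brute force ~{brute_force_seconds(pw):,.0f}s, "
              f"weaknesses {find_weaknesses(pw)}")
```

The contrast is the report’s point: “p@ssw0rd” looks like an 18-hour brute-force job by keyspace arithmetic, yet normalises straight to a dictionary word, while a long passphrase of unrelated words survives both checks.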
To strengthen passwords, the report urged users to adopt robust password security practices, including: using strong, unique passwords for each account; enabling two-factor authentication; regularly updating and changing passwords; and utilising password managers.
The findings of the Kaspersky report underscore the crucial role of password diversity. It noted that by having a unique password for every online account, users can prevent one compromised password from opening the door to all their accounts. The report also highlighted the potential strength of passphrases, which are more secure when made up of multiple, random words. Considering this factor, it advised that arranging these words in an unusual sequence and making sure they are not connected in any way can significantly boost security, even if common words are used.
The report advises caution against easily guessable passwords that are based on personal information, such as birthdays, family members’ names, pet names, or even one’s own name, which can often be the first attempts by attackers. With the difficulty of remembering multiple complex passwords for various services, the report recommends using a password manager, like Kaspersky Password Manager, which enables users to remember just one master password, while the manager securely stores and fills in the unique passwords for each service.
According to Yuliya Novikova, head of digital footprint intelligence at Kaspersky, people tend to create passwords that are inherently “human” in nature, often featuring dictionary words, names, and numbers from their native languages. She noted that even strong combinations are rarely completely random, making them vulnerable to algorithms.
Novikova recommended using reliable password managers like Kaspersky Password Manager to generate completely random passwords, which can securely store large volumes of data and provide robust protection for user information.