In June 2024, Kaspersky analyzed 193 million passwords found publicly available on darknet resources and found that almost half of them (45%, or 87 million) could be guessed by fraudsters in less than a minute.
Most of the analyzed passwords can be compromised easily with smart guessing algorithms: guessing 14% of them (27 million) would take scammers no more than an hour, and 8% (15 million) no more than a day. Such algorithms take into account character substitutions ("e" to "3", "1" to "!", "a" to "@") and know popular combinations ("qwerty", "12345", "asdfg"). Only 23% (44 million) of the combinations turned out to be strong enough that cracking them would take more than a year.
The majority of analyzed passwords (57%) contain an existing dictionary word, which significantly reduces their resistance to cracking. Most often these are names ("ahmed", "nguyen", "kumar", "kevin", "daniel"), popular words ("forever", "love", "google", "hacker", "gamer", "password", "admin", "team") or common combinations ("qwerty12345", "12345").
“Criminals do not require deep knowledge or expensive equipment to guess passwords. Computing power can be rented in cloud services; large budgets are not required for this. Fraudsters often use special programs called information stealers to steal credentials. According to our team’s research, over the past five years, they have been used to compromise logins and passwords for 443 thousand sites around the world, and in the .ru zone, 2.5 million pairs of logins and passwords were stolen in the same way. An effective method of protecting credentials from such attacks remains the use of password managers. Such applications, firstly, allow you to create the most hacking-resistant, completely random combinations, and secondly, ensure their safe storage,” explains Yulia Novikova, head of the Kaspersky Digital Footprint Intelligence service.
Company experts remind you of the rules for creating and storing passwords:
- it is difficult to remember long, unique passwords for every service you use, but with a password manager you only need to remember the master password;
- use different passwords for each service. In this case, even if access to one of the accounts is stolen, the others will not be compromised;
- passphrases will be more secure if you use unexpected words, and if you do use regular words, you can put them in an unusual order and make sure they are not related. There are online services that help you check whether the password you create is strong enough;
- do not include personal data in passwords, such as birthdays, names of family members, names of pets or your own name: attackers “break” such combinations very quickly;
- enable two-factor authentication in all services where possible. While it doesn't directly relate to password strength, enabling 2FA adds an extra layer of security. Modern password managers store 2FA keys and protect them using the latest encryption algorithms;
- use a reliable security solution: it will notify you if a leak occurs and remind you to change your password.