A new analysis conducted by Kaspersky has revealed that most passwords can be breached in far less time than we imagine, at a low cost and with minimal effort, thanks to a smart algorithm that systematically guesses passwords. According to the study, the algorithm managed to crack 59% of 193 million real passwords in less than 60 minutes, and 45% in less than 60 seconds.
The study relied on what is known as a "Brute-force Attack," which tests all possible combinations of a password until a match is found. However, Kaspersky security expert Antonov explains that "smart guessing algorithms are trained on a database containing common passwords to calculate the frequency of different character combinations, choosing the most common ones first and then moving to less common combinations."
Although brute-force attacks are common because they are simple, they are not the most efficient password-cracking method. Since the vast majority of everyday passwords share similar characteristics—combinations of dates, names, dictionary words, and keyboard sequences—feeding these elements into the smart guessing process speeds it up considerably.
Comparing the two methods by the share of passwords cracked within a given time frame, Kaspersky's study found that plain brute force cracked 10% of the analyzed password list in under a minute, rising to 45% once smart guessing was added to the algorithm. For the time frame between one minute and one hour, the figures were 20% versus 59%.
Because we are creatures of habit, we are poor at choosing strong passwords. The passwords we pick are rarely truly random: we rely on exactly the elements smart guessing algorithms are built to detect, namely names and common phrases, significant dates (personal or historical), and patterns, lots of patterns.
To illustrate how predictable our choices can be, a YouTube channel asked a sample of over 200,000 people to choose a "random" number between 1 and 100. Most gravitated toward a small set: 7, 37, 42, 69, 73, and 77. According to Kaspersky, even when trying to choose a random string of characters, most people pick letters from the middle of the keyboard.
According to Antonov, "smart algorithms make it easy to crack most passwords that contain dictionary sequences, and they even detect character substitutions." In other words, using p@ssw0rd instead of password will not slow the algorithm down at all.
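As an added illustration (not Kaspersky's code or the study's algorithm), here is a defender-side password screen in Python built on the observations above: it undoes the character substitutions the article says guessing algorithms account for, then checks the result against a common-password list and looks for keyboard sequences and date-like digit runs. The word list, the substitution table and the 12-character minimum are assumptions chosen for the example.

```python
import re

# Constructed stand-in for a breached-password corpus: a real deployment would
# load millions of leaked passwords, which is what smart guessing is trained on.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "letmein", "admin"}

# Character substitutions that guessing algorithms try automatically (assumed table).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalize(pw: str) -> str:
    """Lower-case and undo substitutions so p@ssw0rd and Password compare equal."""
    return pw.lower().translate(LEET_MAP)


def candidate_forms(pw: str) -> set[str]:
    """Forms a guessing algorithm would try: raw, de-leeted, and with the
    digits/symbols people bolt onto the ends removed (password123! -> password)."""
    low = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, core, normalize(low), normalize(core)}


def has_keyboard_walk(pw: str, length: int = 4) -> bool:
    """True if any `length` consecutive characters follow a keyboard row either way."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - length + 1):
            seg = row[start:start + length]
            if seg in s or seg[::-1] in s:
                return True
    return False


def looks_like_date(pw: str) -> bool:
    """Flag embedded years (19xx/20xx) or 6-8 digit runs such as ddmmyyyy."""
    return bool(re.search(r"(19|20)\d{2}|\d{6,8}", pw))


def screen_password(pw: str) -> list[str]:
    """Return the reasons a password would fall quickly to smart guessing;
    an empty list means it passed this screen."""
    reasons = []
    if candidate_forms(pw) & COMMON_PASSWORDS:
        reasons.append("matches a common password after undoing substitutions")
    if has_keyboard_walk(pw):
        reasons.append("contains a keyboard sequence")
    if looks_like_date(pw):
        reasons.append("contains a date-like digit pattern")
    if len(pw) < 12:  # assumed minimum; long passphrases resist guessing best
        reasons.append("shorter than 12 characters")
    return reasons
```

Run at registration or password-change time, this rejects p@ssw0rd, password123 and qwerty2024! alike, while a long passphrase with no dictionary hit passes.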