Kaspersky Study Exposes Critical Weakness: 60% of MD5 Password Hashes Crackable in Under an Hour
A security study by Kaspersky has revealed that 60 percent of passwords hashed with the deprecated MD5 algorithm can be cracked in under an hour using a single consumer-grade GPU, with nearly half falling in less than 60 seconds. Researchers tested more than 231 million unique passwords sourced from dark web leaks (38 million added since a previous study) against MD5 hashing using an Nvidia RTX 5090 graphics card. The findings, released on World Password Day, underscore how widely used but outdated cryptographic protections have become dangerously inadequate against modern cracking capabilities.
The RTX 5090, priced at approximately $2,000, represents current-generation high-end hardware, yet the research highlights that aspiring attackers need not invest in expensive equipment. Cloud rental services allow bad actors to access comparable GPU power for just a few dollars, lowering the barrier for large-scale password cracking operations. The study demonstrates that MD5, a hashing algorithm first introduced in 1992 and officially deprecated since 2004, offers minimal protection against even moderately resourced adversaries.
The implications for organizations still relying on MD5 for password storage are significant. Beyond the cryptographic weakness of the algorithm itself, the research reinforces that password length and complexity remain critical factors—shorter, simpler passwords succumb to brute-force methods almost instantly. Security researchers recommend migrating to stronger hashing algorithms such as bcrypt, scrypt, or Argon2, combined with multi-factor authentication, to mitigate the risk of credential compromise.
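One way to carry out the recommended migration without waiting for every user to log in, shown as an added example that is not from the Kaspersky study or this article: each stored MD5 digest is wrapped in salted scrypt immediately, then replaced with a pure scrypt hash at the next successful login. The record layout, the scheme labels and the scrypt cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (illustrative; tune to your own hardware).
N, R, P, DKLEN = 2**14, 8, 1, 32

def _scrypt(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=N, r=R, p=P, dklen=DKLEN)

def wrap_legacy(md5_hex: str) -> dict:
    """Wrap a stored MD5 hex digest in salted scrypt so no bare MD5 stays at rest."""
    salt = os.urandom(16)
    return {"scheme": "scrypt-md5", "salt": salt,
            "hash": _scrypt(md5_hex.encode(), salt)}

def new_record(password: str) -> dict:
    """Hash a plaintext password directly with salted scrypt."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": _scrypt(password.encode(), salt)}

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record). A wrapped record becomes pure scrypt on success."""
    if record["scheme"] == "scrypt-md5":
        # Recompute the legacy digest, then apply the same scrypt wrapper.
        secret = hashlib.md5(password.encode()).hexdigest().encode()
    elif record["scheme"] == "scrypt":
        secret = password.encode()
    else:
        return False, record  # unknown scheme: fail closed
    candidate = _scrypt(secret, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and record["scheme"] == "scrypt-md5":
        record = new_record(password)  # MD5 drops out of the chain here
    return ok, record

# Constructed sample: a legacy unsalted MD5 entry as it might sit in an old table.
LEGACY_MD5 = hashlib.md5(b"correct horse battery staple").hexdigest()

if __name__ == "__main__":
    rec = wrap_legacy(LEGACY_MD5)
    ok, rec = verify_and_upgrade(rec, "correct horse battery staple")
    print(ok, rec["scheme"])
```

The wrapping step only raises the cost of each guess against a stolen table; a password short or simple enough to fall quickly under MD5 is still a weak password.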