60% of MD5-Hashed Passwords Can Be Cracked Within an Hour, GPU Advancements Accelerate the Threat
A Kaspersky investigation found that 60% of the MD5-hashed passwords in a set of over 231 million leaked credentials collected from the dark web can be cracked within an hour. Cheap access to fast GPUs is turning weak hashing and predictable passwords into an immediate risk.
Shocking Findings on World Password Day
Cybersecurity company Kaspersky has unveiled research on World Password Day that highlights the limitations of password-based authentication systems. An analysis of over 231 million unique passwords leaked on the dark web revealed that 60% of passwords hashed using the MD5 algorithm could be cracked within just one hour.
The Reality of High-Speed Cracking with a Single GPU
For the analysis, Kaspersky used a single Nvidia RTX 5090 graphics card to crack the hashed passwords. 48% of the passwords were recovered in plaintext within 60 seconds, and 60% within an hour. Kaspersky warned that an attacker who obtains a leaked set of hashes needs only an hour to recover the majority of them, underscoring the severity of the risk.
While the RTX 5090 is an expensive GPU, Kaspersky emphasized that attackers do not need to own such hardware themselves. High-performance GPUs can be rented from cloud providers at minimal cost, making it easy to conduct hash-cracking operations. This trend highlights how technological advancements have drastically lowered barriers to entry for cybercriminals.
The Impact of Password “Predictability” on Vulnerabilities
One fundamental reason the hashes fall so quickly is the predictability of the passwords themselves. Kaspersky's analysis of over 200 million exposed passwords found clear patterns in the strings users choose (a dictionary word with a few digits appended, for example). Attackers build these patterns into wordlists, mangling rules and masks, so the effective search space is a tiny fraction of all possible strings and the time to crack drops accordingly.
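As an added illustration, not code from the article or from Kaspersky, the following Python script runs a small dictionary-plus-rules attack against a constructed set of unsalted MD5 hashes. The passwords, the wordlist and the mangling rules are made up for the example; the point is how few guesses a pattern-driven search needs compared with brute force, and why an unsalted hash lets one guess be checked against every hash in a leak at once.

```python
import hashlib
import time

# Constructed sample: six passwords built the way leaked ones usually are (a dictionary
# word, maybe capitalised, with digits or a symbol appended), hashed with plain unsalted
# MD5 as in the leaks the article discusses. Not data from the Kaspersky study.
SECRET_PASSWORDS = ["password1", "Summer2024", "qwerty123!", "letmein", "Dragon99", "iloveyou2"]
TARGET_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in SECRET_PASSWORDS}

# A tiny stand-in for a real wordlist such as rockyou.txt.
BASE_WORDS = ["password", "summer", "qwerty", "letmein", "dragon", "iloveyou", "monkey", "football"]

# Mangling rules that mirror common habits; a real cracker ships thousands of these.
SUFFIX_DIGITS = ["1", "12", "123", "2023", "2024", "99", "2"]
SUFFIX_SYMBOLS = ["!", "@", "#"]


def mangle(word):
    """Yield the candidate passwords one base word expands to under the rules above."""
    for base in dict.fromkeys([word, word.capitalize(), word.upper()]):
        yield base
        for digits in SUFFIX_DIGITS:
            yield base + digits
            for sym in SUFFIX_SYMBOLS:
                yield base + digits + sym


def rule_candidates(base_words):
    """How many guesses the rule set produces; compare with brute_force_space()."""
    return sum(1 for w in base_words for _ in mangle(w))


def brute_force_space(length=8, alphabet_size=36):
    """Candidates an unguided search over all lowercase+digit strings of this length faces."""
    return alphabet_size ** length


def crack_md5(target_hashes, base_words):
    """Dictionary + rule attack on unsalted MD5. With no salt, each candidate is hashed
    once and checked against every target with a set lookup, so attacking a million
    hashes costs the same as attacking one. Returns (hash -> plaintext, guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in base_words:
        for candidate in mangle(word):
            guesses += 1
            digest = hashlib.md5(candidate.encode()).hexdigest()
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, guesses
    return found, guesses


def md5_rate(samples=200_000):
    """Rough single-core MD5 throughput in pure Python. A cracking tool on one GPU is
    many orders of magnitude faster; this only shows how cheap a single MD5 guess is."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.md5(str(i).encode()).digest()
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    found, guesses = crack_md5(TARGET_HASHES, BASE_WORDS)
    print(f"cracked {len(found)}/{len(TARGET_HASHES)} hashes in {guesses} guesses")
    for digest, plaintext in found.items():
        print(f"  {digest}  {plaintext}")
    print(f"rule candidates: {rule_candidates(BASE_WORDS)}  vs  brute force: {brute_force_space():,}")
    print(f"pure-Python MD5 rate: {md5_rate():,.0f} hashes/s")
```

Eight base words and a handful of rules expand to under a thousand guesses, against roughly 2.8 trillion for an exhaustive search of 8-character lowercase-plus-digit strings, and every one of the constructed hashes falls. Adding a unique salt per record would force the attacker to repeat the whole candidate set for each hash instead of checking one digest against all of them.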
Worsening Trends in Password Security
Kaspersky ran a similar investigation in 2024 and intends to repeat the comparison with its 2026 findings. Measured against the 2024 results, the ease of cracking passwords appears to be worsening, albeit slightly. “Attackers are speeding up their efforts thanks to increasingly powerful graphics processors every year. Unfortunately, passwords remain as vulnerable as ever,” said Kaspersky.
The Urgent Need to Move Beyond Password Dependency
The findings underscore the risk of protecting stored passwords with a fast, unsalted hash such as MD5. Once the hash table leaks, attackers can recover the majority of the passwords, and with them access to a large share of accounts, within hours.
Experts are calling for a swift shift towards alternative authentication technologies such as multi-factor authentication (MFA), biometric authentication, and passkeys. Some even suggest transforming “World Password Day” into “Password-Free Day.” While adopting strong and unique passwords and using password managers are still vital for individual users, the system-level paradigm shift towards more robust solutions is urgently needed.
Frequently Asked Questions
- Why is MD5 so easy to crack?
- MD5 was designed to be fast, and that speed is exactly the problem for password storage: an attacker can test billions of candidate passwords per second on commodity GPUs, so brute-force and dictionary attacks finish in minutes or hours. The well-known collision attacks on MD5 are a separate weakness; they let an attacker craft two inputs with the same hash, which matters for signatures and certificates, but password cracking relies on MD5's speed and on the absence of a salt and work factor, not on collisions.
- What steps can individuals take immediately?
- Where a service you depend on is known to store passwords with an outdated algorithm such as MD5, press it to migrate. At a personal level, use long passwords that are hard to guess and never reuse them across services; a password manager makes this practical, and enabling multi-factor authentication (MFA) wherever it is offered limits the damage when a password does leak.
- How should companies respond?
- Companies should store passwords with a deliberately slow, salted password hash such as bcrypt, scrypt, or Argon2. Each has a tunable work factor (and, for scrypt and Argon2, a memory cost) that makes every guess expensive, so a leaked table takes orders of magnitude longer to crack even on specialized hardware, and a unique per-user salt prevents one computation from being checked against every hash at once. Instead of enforcing frequent password changes, they should set strong requirements at enrollment, rehash legacy MD5 records as users log in, and monitor for suspicious login attempts.
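As an added example, not code from Kaspersky or from the article, here is the storage scheme the last two answers point to, in Python using hashlib.scrypt from the standard library: a salted, work-factored hash for new passwords, constant-time verification, and two migration paths for an existing table of unsalted MD5 records (wrapping each MD5 digest inside scrypt immediately, with no user interaction, and replacing the record with a native scrypt hash the next time the user logs in). The record format (`scheme$N$r$p$salt$hash`), the parameters and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt work factor. Raise N (or p) until one verification costs tens of
# milliseconds on your own login servers; that per-guess cost is what slows a cracker.
# With N=2**14 and r=8, scrypt needs about 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _scrypt(secret: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str) -> str:
    """Store a new password: a fresh 16-byte random salt plus the scrypt output, with
    the parameters recorded in the string so they can be raised later without a flag day."""
    salt = secrets.token_bytes(16)
    dk = _scrypt(password.encode(), salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def legacy_md5(password: str) -> str:
    """The weak 'before' format: unsalted MD5, as in the leaks discussed above."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def wrap_legacy(stored: str) -> str:
    """Upgrade an unsalted MD5 record right away, without knowing the password: the MD5
    digest becomes the scrypt input. If the new table leaks, the attacker faces scrypt,
    not raw MD5. The user's next successful login replaces this with a native record."""
    scheme, md5_hex = stored.split("$")
    if scheme != "md5":
        raise ValueError("wrap_legacy expects an md5$<hex> record")
    salt = secrets.token_bytes(16)
    dk = _scrypt(md5_hex.encode(), salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt+md5${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str):
    """Return (ok, replacement). 'replacement' is a new native scrypt record when the
    stored one is legacy MD5, a wrapped MD5, or scrypt with a weaker N than the current
    setting; write it back after a successful login. None means nothing to update."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), parts[1])
        return ok, (hash_password(password) if ok else None)
    if scheme in ("scrypt", "scrypt+md5"):
        _, n, r, p, salt_hex, dk_hex = parts
        n, r, p = int(n), int(r), int(p)
        secret = password.encode()
        if scheme == "scrypt+md5":
            secret = hashlib.md5(secret).hexdigest().encode()
        dk = _scrypt(secret, bytes.fromhex(salt_hex), n, r, p)
        ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
        needs_upgrade = scheme == "scrypt+md5" or n < SCRYPT_N
        return ok, (hash_password(password) if ok and needs_upgrade else None)
    return False, None


if __name__ == "__main__":
    # Constructed records: one user created today, one still on unsalted MD5.
    table = {"alice": hash_password("correct horse battery staple"),
             "bob": legacy_md5("password1")}
    # Offline step: wrap every MD5 record immediately so a breach no longer leaks raw MD5.
    table["bob"] = wrap_legacy(table["bob"])
    # Login step: verify, and persist the native scrypt record when one is returned.
    ok, replacement = verify_password("password1", table["bob"])
    if ok and replacement:
        table["bob"] = replacement
    print("bob logged in:", ok, "| record now:", table["bob"].split("$")[0])
    print("wrong password rejected:", verify_password("hunter2", table["alice"]) == (False, None))
```

Verification compares derived keys with hmac.compare_digest so a mismatch does not leak timing, and hash_password never reuses a salt, so two users with the same password get unrelated records. The same pattern applies to bcrypt or Argon2 via their respective libraries; scrypt is used here only because it ships with the standard library.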