60% of MD5 Password Hashes Are Crackable in Under an Hour

The Kaspersky study underscores how commodity hardware has outpaced legacy password protection. By leveraging a single Nvidia RTX 5090—a GPU that costs several thousand dollars but can be rented for a few dollars per hour—researchers cracked the majority of MD5‑hashed passwords in under an hour. This capability dramatically lowers the barrier for cybercriminals, turning what once required a dedicated cracking farm into a cloud‑based service. The findings serve as a stark reminder that fast, unsalted hash functions no longer meet modern security expectations.

Beyond raw computing power, the analysis highlights the role of human‑chosen password patterns. Over 200 million leaked credentials revealed common structures that attackers can pre‑filter, shaving seconds off each guess. Even as password policies have tightened, many users still rely on predictable phrases, capitalization, and numeric suffixes, making the hash‑cracking process more efficient. The modest increase in crackability from 2024 to 2026 reflects both improved GPU performance and the persistent weakness of password composition.

Security leaders are responding by advocating layered defenses. Multi‑factor authentication—especially biometric factors—adds a barrier that GPUs cannot bypass, while zero‑trust architectures limit lateral movement after a credential breach. Identity governance, endpoint protection, and emerging passkey standards further reduce reliance on passwords alone. As organizations modernize their identity stacks, the industry is likely to see a gradual shift away from MD5 and similar fast hashes toward memory‑hard algorithms and password‑less solutions, reinforcing resilience against ever‑more powerful cracking tools.