Kaspersky Study Finds 60% of MD5 Password Hashes Crackable in Under an Hour, Exposing Data Protection Compliance Gaps
#Vulnerabilities

Privacy Reporter

A 2026 Kaspersky analysis of 231 million leaked passwords found that 60% of them, once hashed with MD5, can be recovered in under an hour on a single consumer GPU. The result points to widespread non-compliance with the GDPR and CCPA, both of which require security measures appropriate to the risk for stored personal data, and stored passwords are among the most sensitive of that data.


Security researchers at Kaspersky released a study on World Password Day 2026 that underscores the fragility of legacy password hashing practices, finding that 60 percent of MD5-hashed passwords can be cracked in under an hour using a single Nvidia RTX 5090 graphics card. The analysis, which examined 231 million unique passwords sourced from dark web leaks, including 38 million new entries added since a 2024 iteration of the same study, reveals that password security has stagnated even as consumer and enterprise reliance on passwords remains near universal. Cybersecurity advocates have long called for the retirement of World Password Day, arguing it places undue burden on users rather than addressing systemic failures in authentication security.

The experiment simulated real-world conditions by hashing the leaked passwords with MD5, a hash function published in 1992 as RFC 1321 whose collision resistance was broken in 2004. For password cracking, however, the relevant weakness is not collisions but speed: a modern GPU computes billions of MD5 digests per second, so an attacker can hash candidate passwords drawn from wordlists and mangling rules until one matches a stolen hash, and because the hashes are unsalted, each guess is checked against every entry in the stolen table at once. Using a single RTX 5090, a high-end consumer GPU released in 2025, researchers recovered 48 percent of the hashes in under 60 seconds and 60 percent within an hour. Kaspersky noted that attackers do not need to own such hardware, as cloud providers rent RTX 5090 instances at rates that make large-scale cracking affordable even for low-budget actors.

The 2026 results show a slight deterioration from 2024: the share of hashes cracked within each time window rose by several percentage points year over year. Kaspersky attributes the trend to two factors, steady growth in GPU throughput and persistent password predictability. Analysis of the dataset found widespread use of common patterns, dictionary words and simple character substitutions, which let attackers prioritize likely candidates through wordlists and mangling rules and so recover most passwords long before an exhaustive search would.
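To make the mechanics concrete, here is an added example (not code from Kaspersky or from the article) of the attack the paragraphs above describe: a rule-based dictionary attack against a constructed set of unsalted MD5 hashes, followed by a per-guess cost comparison against scrypt. The "leaked" hashes, the wordlist and the mangling rules are all constructed for illustration, and the scrypt parameters are an assumption of this example.

```python
"""Rule-based dictionary attack on unsalted MD5 (added example, constructed data)."""
import hashlib
import time

# Constructed "leak": unsalted MD5 digests of six passwords. Five follow the
# predictable patterns the study describes (dictionary word plus digits or a
# year, leetspeak substitutions, a capitalised word with a symbol); the last
# is a random string that no rule below will reach.
LEAKED_MD5 = {
    hashlib.md5(p.encode()).hexdigest()
    for p in ["password1", "Summer2025", "P@$$w0rd", "qwerty123", "Dragon!",
              "x7#Lq9!vTz2%"]
}

# A tiny constructed wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["password", "summer", "dragon", "qwerty", "welcome", "letmein"]

# Leetspeak substitution table applied as one of the mangling rules.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def mangle(word):
    """Yield candidate guesses derived from one dictionary word: case variants,
    leetspeak, and common digit, year and symbol suffixes (a small subset of a
    real cracker's rule set)."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    suffixes = ([""] + [str(n) for n in range(10)] + ["123", "!", "1!"]
                + [str(y) for y in range(2020, 2027)])
    for base in sorted(bases):
        for suffix in suffixes:
            yield base + suffix


def md5_hex(guess):
    return hashlib.md5(guess.encode()).hexdigest()


def crack(targets, wordlist, hashfunc=md5_hex):
    """Dictionary attack: hash each mangled candidate and look it up among the
    targets. With an unsalted hash, one computation tests a guess against every
    leaked hash at once, which is what makes bulk cracking so cheap.
    Returns {digest: recovered_plaintext}."""
    found = {}
    for word in wordlist:
        for guess in mangle(word):
            digest = hashfunc(guess)
            if digest in targets and digest not in found:
                found[digest] = guess
    return found


def scrypt_hex(guess, salt=b"timing-demo-salt"):
    # Assumed cost parameters (N=2**14, r=8, p=1, about 16 MiB); a real
    # deployment uses a random per-user salt and tunes N to its hardware.
    return hashlib.scrypt(guess.encode(), salt=salt, n=2 ** 14, r=8, p=1).hex()


def guesses_per_second(hashfunc, count):
    """Rough single-process CPU throughput of hashfunc. Far below a GPU's MD5
    rate, but the ratio between the two functions is the point."""
    start = time.perf_counter()
    for i in range(count):
        hashfunc(f"candidate{i}")
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    recovered = crack(LEAKED_MD5, WORDLIST)
    print(f"cracked {len(recovered)} of {len(LEAKED_MD5)} hashes:")
    for digest, plain in recovered.items():
        print(f"  {digest}  {plain}")
    md5_rate = guesses_per_second(md5_hex, 20000)
    scrypt_rate = guesses_per_second(scrypt_hex, 10)
    print(f"MD5 ~{md5_rate:,.0f} guesses/s, scrypt ~{scrypt_rate:,.1f} guesses/s "
          f"(ratio ~{md5_rate / scrypt_rate:,.0f}x)")
```

Run as a script it recovers the five pattern-based passwords and leaves the random one, then prints the throughput ratio; on a CPU the gap between MD5 and scrypt is already several orders of magnitude, and a GPU widens the MD5 side by another few orders while scrypt's memory cost keeps it from scaling the same way.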

Under data protection frameworks including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), organizations that store user passwords must implement appropriate technical measures to protect personal data. GDPR Article 32 requires controllers and processors to implement technical and organisational measures that ensure "a level of security appropriate to the risk", listing "the pseudonymisation and encryption of personal data" among them. MD5 has never been an approved hash function in NIST guidance, and NIST SP 800-63B requires stored passwords to be salted and hashed with a deliberately slow one-way key derivation function. MD5 fails that bar not because of its collision weakness, which plays no role in password cracking, but because it is fast, has no tunable work factor, and is typically deployed without a per-user salt, so a single GPU can test billions of guesses per second against an entire stolen table. Storing passwords as bare MD5 is therefore hard to defend as an "appropriate" measure under Article 32.

CCPA regulations require businesses to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. The California Privacy Protection Agency has explicitly noted that using obsolete encryption or hashing algorithms fails this reasonableness standard, leaving businesses liable for breaches involving compromised credentials.

Organizations found non-compliant with GDPR security requirements can face fines of up to 4 percent of their global annual revenue or €20 million, whichever is higher, in addition to mandatory breach notifications if compromised password hashes are exposed. Under CCPA, businesses that fail to implement reasonable security measures for personal information are liable for statutory damages of $100 to $750 per affected consumer per incident, with intentional violations drawing additional fines of up to $7,500 per violation from the California Privacy Protection Agency.

Impact on Users and Companies

Affected parties include the hundreds of millions of users whose passwords are stored with MD5 hashing by service providers, many of whom are unaware their credentials are protected by obsolete algorithms. For users, cracked password hashes enable credential stuffing attacks, where attackers use leaked credentials to access other accounts where users have reused passwords, leading to identity theft, financial fraud, and unauthorized access to sensitive personal data.

For companies, reliance on MD5 creates regulatory liability, reputational harm, and increased risk of costly data breaches. Small and medium-sized businesses are disproportionately affected, as they often lack the resources to audit and update legacy authentication systems. Breaches involving MD5-hashed passwords also trigger mandatory notification requirements: GDPR requires controllers to notify supervisory authorities within 72 hours of becoming aware of a breach, and affected users without undue delay if the breach is likely to result in high risk to their rights and freedoms.

Required Changes for Compliance

Cybersecurity experts argue that the study highlights the need for immediate action from both regulators and service providers. Chris Gunner, CISO-for-hire at managed service provider Thrive, said passwords should not be eliminated entirely but must be integrated into broader identity-based security strategies. "Even a strong password can be undermined if the wider identity and access environment is not properly managed," Gunner said. He recommends pairing passwords with multi-factor authentication, preferably biometric, as the most difficult factor for attackers to bypass. MFA should be combined with identity governance and endpoint protection to reduce gaps between systems, and organizations should adopt zero trust models that restrict lateral movement from compromised accounts.

Steven Furnell, senior IEEE member and professor of cybersecurity at the University of Nottingham, said World Password Day messaging has historically focused on user behavior, but responsibility should shift to service providers. "Passwords aren’t going anywhere for a long while, and inconsistent adoption of new security technologies will mean users are left at risk as certain providers fail to adapt," Furnell said. He noted that many sites still do not offer passkey support, a passwordless authentication standard developed by the FIDO Alliance, leaving users with inconsistent login experiences. Providers must enforce adequate password requirements, guide users on creating secure credentials, and accelerate adoption of passkeys to reduce reliance on vulnerable password systems.

Regulators including EU data protection authorities and the California Privacy Protection Agency should update guidance to explicitly rule out broken hashing algorithms such as MD5 for password storage, and prioritize enforcement against non-compliant organizations. Companies must audit their password storage now and migrate to a purpose-built password hashing function such as Argon2id, bcrypt or scrypt, with a random per-user salt and a work factor tuned to their hardware. Because many users may not log in for months, existing MD5 hashes should be wrapped in the new function immediately rather than left in place until the next login, and replaced with a native hash once the user does authenticate. Companies should also accelerate the rollout of passwordless options. Users should enable MFA wherever available, avoid password reuse, and use a password manager to generate unique credentials for each service.
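The migration the paragraph calls for, as an added example that is not the article's or Kaspersky's code: a Python password store that replaces bare MD5 with salted scrypt (the standard library's implementation; Argon2id or bcrypt would be used the same way through their own libraries), wraps existing MD5 hashes immediately so the table is protected before users log in, and upgrades wrapped or bare-MD5 records to native scrypt at the next successful login. The record format, the cost parameters and the `md5+scrypt` scheme label are assumptions of this example.

```python
"""Replacing unsalted MD5 password storage with salted scrypt, with an
immediate wrap of legacy hashes and rehash-on-login (added example)."""
import hashlib
import hmac
import os

# Assumed scrypt cost: memory is 128 * N * r bytes (16 MiB here). Raise N until
# one verification costs tens of milliseconds on the production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_md5(password):
    """The scheme the study measured: one fast, unsalted digest per user."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(secret, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    return hashlib.scrypt(secret.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


def _record(scheme, salt, dk):
    # Self-describing record (assumed format) so cost parameters can be raised
    # later without a flag day: scheme$N$r$p$salt$derived_key.
    return f"{scheme}${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def hash_password(password):
    """Native scheme for new passwords and for upgrades: random 16-byte salt,
    scrypt with the current cost parameters."""
    salt = os.urandom(16)
    return _record("scrypt", salt, _scrypt(password, salt))


def wrap_legacy(md5_hex):
    """Protect an existing MD5 hash right now, without knowing the password:
    treat the MD5 digest as the secret and run it through salted scrypt. A thief
    who copies the table then faces the slow function for every guess. The inner
    MD5 adds no strength, so the record is upgraded on the next login."""
    salt = os.urandom(16)
    return _record("md5+scrypt", salt, _scrypt(md5_hex, salt))


def verify(stored, password):
    """Check a password against a record in any of the three formats.
    Returns (ok, upgraded): upgraded is a fresh native record to write back
    when a legacy or wrapped user authenticates successfully, else None."""
    if "$" not in stored:
        # Bare legacy MD5 record (32 hex chars): verify, then upgrade on success.
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (hash_password(password) if ok else None)
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    secret = password if scheme == "scrypt" else legacy_md5(password)
    dk = _scrypt(secret, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    ok = hmac.compare_digest(dk.hex(), dk_hex)
    upgraded = hash_password(password) if ok and scheme != "scrypt" else None
    return ok, upgraded


if __name__ == "__main__":
    # Constructed user table in the state the study found: bare MD5.
    users = {"alice": legacy_md5("Summer2025"), "bob": legacy_md5("qwerty123")}
    # Step 1: wrap every row immediately, in one batch, with no user involvement.
    users = {name: wrap_legacy(h) for name, h in users.items()}
    # Step 2: on each successful login, replace the wrapped record natively.
    ok, upgraded = verify(users["alice"], "Summer2025")
    if ok and upgraded:
        users["alice"] = upgraded
    print(users["alice"].split("$")[0], verify(users["alice"], "Summer2025")[0])
```

The wrap step is what closes the compliance gap on day one: after it, a stolen table contains no bare MD5, and every guess costs the attacker a full scrypt evaluation. The stored N, r and p let a later increase in cost be applied the same way, by re-deriving on the next successful login, and `hmac.compare_digest` keeps the comparison constant-time.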
