Introduction: The Password Hash Time Bomb

On World Password Day 2026, Kaspersky dropped a bombshell: 60% of MD5 password hashes can be cracked in under an hour using a single Nvidia RTX 5090 GPU. Worse, 48% fall in under 60 seconds. This isn't a theoretical risk—it's a present-day vulnerability that exposes millions of accounts to credential theft. For organizations still using MD5, the message is clear: your password security is an illusion.

Why MD5 Is a Strategic Liability

MD5 was never designed for password storage. It's a fast hashing algorithm, which makes it ideal for checksums but catastrophic for security. Modern GPUs can compute billions of MD5 hashes per second, enabling attackers to brute-force or dictionary-attack leaked hashes with minimal cost. Kaspersky's study, based on 231 million unique passwords from dark web leaks, shows that password predictability compounds the problem: common patterns allow attackers to optimize cracking algorithms, slashing time even further.

Who Gains? Who Loses?

Winners

  • GPU Manufacturers (Nvidia): The RTX 5090 becomes the de facto standard for password cracking, driving demand among security researchers and attackers alike.
  • Cybersecurity Consultancies (Thrive, etc.): CISO-for-hire services surge as organizations scramble to remediate MD5 usage and implement stronger authentication.
  • Passwordless Authentication Providers (FIDO2, biometrics): The study provides a powerful argument for ditching passwords entirely, accelerating adoption of passkeys and biometric MFA.

Losers

  • Legacy Enterprises: Any organization still using MD5 for password storage faces imminent breach risk. The cost of migration is high, but the cost of a breach is higher.
  • Users with Weak Passwords: Even with MD5, their passwords are cracked in seconds. The burden of password hygiene remains, but the system fails them.
  • Legacy System Vendors: Pressure to upgrade from MD5 increases migration costs and complexity, potentially eroding customer trust.

Second-Order Effects: The Ripple Across Industries

The Kaspersky study will trigger a cascade of consequences. First, regulatory bodies may tighten requirements for password hashing, potentially mandating algorithms like bcrypt or Argon2. Second, cyber insurance premiums will rise for organizations that fail to demonstrate modern password storage practices. Third, the password cracking industry—both ethical and malicious—will see a boost in tooling and cloud-based GPU rental services, lowering the barrier to entry for attackers.

Market Impact: The Shift to Passwordless

The password security market is at an inflection point. With MD5 effectively broken, organizations must either migrate to stronger hashing algorithms or adopt passwordless authentication. The latter is gaining traction: FIDO2 passkeys are supported by major platforms, and biometric MFA is becoming standard. However, as Steven Furnell notes, many sites still don't offer passkey support, leaving users with a mixed login experience. This inconsistency creates a window of vulnerability that attackers will exploit.

Executive Action: What to Do Now

  • Audit your password storage: Identify any systems still using MD5 or other fast hashing algorithms. Prioritize migration to bcrypt, Argon2, or PBKDF2.
  • Implement layered security: As Chris Gunner advises, pair passwords with biometric MFA, identity governance, and endpoint protection. Adopt a zero-trust model to limit lateral movement.
  • Accelerate passwordless adoption: Push for FIDO2 passkey support across your organization and with key vendors. Reduce reliance on passwords wherever possible.
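As an added illustration of the audit-and-migrate step above (example code, not from the article or from Kaspersky), the following Python sketch flags bare MD5 entries in a hypothetical credential store and rehashes each user's password with PBKDF2-HMAC-SHA256 on their next successful login. The store layout, usernames, sample passwords and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

# Work factor for PBKDF2-HMAC-SHA256 (assumption; tune to your hardware budget).
PBKDF2_ITERATIONS = 600_000
# A bare 32-hex-digit value is the signature of a legacy unsalted MD5 hash.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def is_legacy_md5(stored):
    return bool(MD5_HEX.match(stored))

def hash_pbkdf2(password, salt=None):
    """Salted, slow hash in a self-describing 'algo$iters$salt$dk' record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())

def verify_pbkdf2(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit(store):
    """Usernames whose credential still sits behind a fast, unsalted MD5 hash."""
    return sorted(u for u, h in store.items() if is_legacy_md5(h))

def login(store, username, password):
    """Verify a login; on success, silently upgrade any legacy MD5 record."""
    stored = store.get(username)
    if stored is None:
        return False
    if is_legacy_md5(stored):
        # Legacy path: check against the old MD5 once, then replace it, since the
        # plaintext is only available at login time.
        candidate = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, stored):
            return False
        store[username] = hash_pbkdf2(password)
        return True
    return verify_pbkdf2(password, stored)

def make_store():
    """Constructed sample store: one legacy MD5 user, one already-migrated user."""
    return {"alice": hashlib.md5(b"Winter2024!").hexdigest(),
            "bob": hash_pbkdf2("c0rrect-h0rse-battery")}
```

Accounts that never log in again stay behind MD5 under this scheme, so the audit list is also the list of users who need a forced reset before the legacy hashes are purged.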

Why This Matters

This is not a future problem. 60% of your users' passwords could be cracked in under an hour if your hashing is weak. The cost of inaction is a data breach, regulatory fines, and reputational damage. Act today.

Final Take

MD5 is dead. The Kaspersky study is the final nail in the coffin. Organizations that cling to legacy hashing are gambling with their security. The path forward is clear: migrate to strong hashing, embrace passwordless authentication, and treat every password as already compromised.

Source: The Register

Intelligence FAQ

Legacy systems, especially older enterprise applications and databases, often hardcode MD5 hashing. Migration is costly and complex, leading many organizations to defer upgrades until a breach forces action.

Implement compensating controls: enforce strong password policies, require multi-factor authentication (preferably biometric), and monitor for leaked credentials. However, migration should be prioritized as a critical security initiative.

The RTX 5090's massive parallel processing power enables attackers to compute billions of MD5 hashes per second, reducing cracking time from days to minutes. Cloud rental makes this capability accessible to anyone for a few dollars.