MD5 Passwords Cracked in Minutes: 60% of Hashes Broken

Passwords stored using a common hashing method may be far less secure than many website owners assume. According to a report by The Register, citing research from security firm Kaspersky, 60% of MD5-hashed passwords from a dataset of over 231 million unique passwords can reportedly be cracked using a single consumer graphics card in under one hour. A full 48% can reportedly be broken in under 60 seconds.

The research was published on 7 May 2026, though it is worth noting that The Register's article is a secondary source reporting on Kaspersky's findings. Specific methodology details may differ in the original Kaspersky report.

What the research found

According to The Register, Kaspersky researchers used a single Nvidia RTX 5090 graphics card to test how quickly MD5 password hashes could be cracked. The dataset contained over 231 million unique passwords.

The core finding, as reported by The Register, is that passwords protected only by fast hashing algorithms such as MD5 are no longer safe if attackers obtain them in a data breach. Two factors reportedly drive this: password predictability and increasingly powerful graphics processors.

Kaspersky is quoted as saying: "One hour is all an attacker needs to crack three out of every five passwords they've found in a leak."

The research also reportedly compared results to a similar study Kaspersky ran in 2024. According to The Register, passwords are described as being "a few percent" easier to crack in 2026 than they were then, though the exact figures from the 2024 study are not stated in the source.

Why this matters for small businesses

If your website stores user passwords, the way those passwords are protected behind the scenes matters enormously. Many older website platforms and plugins still use MD5 to hash passwords, which this research suggests is no longer adequate.

This is not about a fine or a regulator taking action. It is about the practical risk to your customers if your website is ever involved in a data breach. Weak password storage means attackers could access your customers' accounts quickly, and potentially use the same passwords to access other services they use.

If you are unsure how your website stores passwords, it is worth checking with your web developer or hosting provider. You can also review our security checklist for small businesses and check whether any of your WordPress plugins have known vulnerabilities.

What does this mean for your website?

If your website has user accounts or a login area, the way passwords are stored is a technical decision that has real consequences for your customers' safety. Ask your developer or platform provider whether your site uses a modern, slow hashing algorithm rather than MD5. Taking this step is a straightforward way to reduce risk without waiting for a regulator to require it.