New research from Kaspersky has revealed that every year, hundreds of millions of real user passwords leak onto the dark web.

It noted that passwords have remained as weak as ever, while cracking them has become faster and easier each year.

Specifically, Kaspersky said that today, 60 per cent of passwords can be cracked in less than an hour, noting that two years ago, that figure was 59 per cent.

“But the truly frightening part is something else: nearly half of all passwords (48 per cent) are cracked in less than a minute!”

The firm revealed that there have been persistent weaknesses and predictability in user password behaviour, particularly as AI is increasingly being used by hackers to exploit predictable security habits.

Kaspersky experts analysed 231 million unique passwords from major password leaks between 2023 and 2026.

The security firm said it revisited existing research conducted in 2024 to provide new stats for World Password Day, observed on May 7, 2026.

The 2024 database was expanded by an additional 38 million real passwords posted by attackers on dark web forums.

While stressing that to crack 60 per cent of these passwords, a hacker needs only an hour and a few dollars in their pocket, it noted that more than 50 per cent of leaked passwords end with a number, and the “@” symbol appears in 10 per cent of cases.

According to the latest data, the findings point to highly predictable structures, widespread reuse of common patterns, and growing concerns about how quickly modern passwords can be compromised.

According to Kaspersky, “in 2024, 45 per cent of passwords can be cracked in less than a minute, but in 2026, it has climbed to 48 per cent. In less than an hour, 59 per cent were crackable in 2024, currently, 60 per cent; in less than 24 hours, it was 67 per cent in 2024, but currently, it has risen to 68 per cent of passwords.”