Kaspersky: 60% of MD5 Password Hashes Crackable in Under One Hour

Kaspersky researchers found that 60% of MD5-hashed passwords can be cracked in under an hour using a single Nvidia RTX 5090 GPU ^[1].

This discovery highlights a critical vulnerability for any organization still using the Message Digest 5 (MD5) algorithm to store user credentials. As consumer hardware becomes more powerful, legacy encryption methods that were once considered sufficient are now trivial for attackers to bypass during data breaches.

The findings were released May 7, 2026, to coincide with World Password Day ^[1]. The research indicates that 48% of these password hashes can be cracked in less than one minute ^[1]. The speed of the attack is attributed to the nature of MD5 as a fast hashing algorithm, which allows high-end hardware to test millions of combinations per second.

According to the research, the Nvidia RTX 5090 GPU is particularly effective for this task. One report noted that gaming GPUs like the RTX 5090 outperform enterprise security tools by 63% when cracking these specific passwords ^[4].

"The bottom line is that passwords protected only by fast hashing algorithms such as MD5 are no longer safe if attackers obtain them in a data breach," a Kaspersky researcher said ^[1].

The research lab emphasized that MD5 is unsuitable for password storage because it lacks the computational complexity required to resist modern brute-force attacks. Once a database of hashes is leaked, the lack of "salt," or slow-hashing mechanisms, makes the data an easy target for automated tools.

"Just in time for World Password Day, Kaspersky is reminding everyone that outdated hashing algorithms such as MD5 remain among the worst choices for storing passwords," a TechSpot author said ^[3].