According to a report released this week by Kaspersky based on a study of 193 million compromised passwords being sold on online black markets, 57% of passwords contain a word that can be easily found in dictionaries used by password-cracking groups.
The most common words include "password," "qwerty12345," "admin," "12345," and "team," as well as names like "ahmed," "nguyen," "kumar," "kevin," and "daniel."
Among these, "nguyen" is the most common surname in Vietnam. In other cases, many Vietnamese also have "Nguyen" as a first name.
Kaspersky experts say that attackers often use brute force attacks (guessing passwords by trying numerous combinations until the correct one is found) or smart guessing attacks. Therefore, common words found in dictionaries significantly weaken password strength and reduce cracking time.
The study found that 87 million out of 193 million passwords, equivalent to 45%, were cracked in less than a minute, 14% took an hour, and only 4% took hackers a year to find.
Kaspersky also emphasized that with basic methods like those mentioned above, attackers do not need specialized knowledge or advanced equipment to crack passwords.
A dedicated laptop processor can brute-force an eight-character password made up of lowercase letters or numbers in seven minutes. With an integrated graphics card, the process can be completed in 17 seconds.
Many people tend to replace characters, such as turning "admin" into "@dmin" or "password" into "pa$$word," hoping it will be harder for hackers to guess.
However, experts say this approach does not significantly strengthen passwords, as the results are still common dictionary words, and such variants are frequently added to hackers' smart algorithms.
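A defender-side check that follows from this point, as an added example that is not part of Kaspersky's report: a password policy filter that undoes common character substitutions before matching against a blocklist. The substitution map, the blocklist (seeded with words quoted in this article) and the function names are assumptions for illustration.

```python
import re

# Assumed substitution map (illustrative, not exhaustive): symbol/digit -> letter.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})

# Constructed blocklist seeded with words quoted in the article; a real
# deployment would load a large wordlist plus locale-specific names.
BLOCKLIST = {"password", "qwerty", "admin", "team", "ahmed", "nguyen",
             "kumar", "kevin", "daniel", "camonquykhach", "hoilamgi"}

MIN_WORD_LEN = 4  # skip very short entries to limit false positives


def normalize(password: str) -> str:
    """Lowercase the password and undo common character substitutions."""
    return password.lower().translate(LEET_MAP)


def dictionary_hits(password: str, blocklist=BLOCKLIST) -> list[str]:
    """Return blocklisted words found in the raw or normalized password."""
    norm = normalize(password)
    # Third candidate strips non-letters, so padding like "a.d.m.i.n" is caught.
    candidates = {password.lower(), norm, re.sub(r"[^a-z]", "", norm)}
    hits = {w for w in blocklist if len(w) >= MIN_WORD_LEN
            for c in candidates if w in c}
    return sorted(hits)


def check_password(password: str) -> tuple[bool, str]:
    """Policy decision for a candidate password: (accepted, reason)."""
    if password.isdigit():
        return False, "digits only"
    hits = dictionary_hits(password)
    if hits:
        return False, "contains dictionary word: " + ", ".join(hits)
    return True, "no blocklisted word found"


if __name__ == "__main__":
    # Constructed samples, including the substitutions the article mentions.
    for pw in ["@dmin", "pa$$word", "Nguyen1990", "88888888", "xK7#qLp2Vz9w"]:
        print(pw, check_password(pw))
```

Passing this filter only means no blocklisted word was found; it does not measure randomness, which is why the article's advice is to use manager-generated passwords.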
In February, a Vietnamese security group used a similar method to identify Wi-Fi network passwords and found that nearly 50% could be easily cracked using guessing methods.
Common password strings like 12345678, 88888888, 66668888, camonquykhach (Cam on quy khach, which means "Thank you, customers"), and hoilamgi (hoi lam gi, which means "why asking") were among the most used.
In 2023, Kaspersky detected over 32 million attacks in which malware was used to steal users' passwords.
"This number highlights the importance of maintaining good cybersecurity habits and regularly changing passwords," the experts said.
Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky, noted that people "unconsciously" tend to create simple passwords, often dictionary words in their native language, like personal names and numbers, making them easily guessable by algorithms.
"The most reliable solution is to create random passwords using modern, trusted password managers," she advised.
To enhance password strength, experts suggest users employ password managers, use different passwords for different services, and avoid using personal information like birthdays or personal names, as these are the first choices attackers try when cracking passwords.
Additionally, enabling two-factor authentication is recommended to provide an extra layer of security even if the password is compromised.