About 65 percent of Russian user passwords are six or eight characters long and consist of digits only or a mix of lowercase letters and digits. In practical terms, such passwords can be cracked in under a minute by modern brute-force hardware. This finding comes from a study conducted by the RTM Group, a company specializing in information security services, a full copy of which is available to editors at socialbites.ca.
To illuminate this issue, RTM Group researchers examined nearly 50 million username and password pairs that had appeared on the darknet between January 2022 and May 2023. The goal of the study was to assess password strength across different user groups, including individuals, small businesses, and mid- to large-sized enterprises, to determine how everyday habits translate into real security risks.
As the overall figure suggests, the weakest passwords are frequently those chosen by ordinary users to safeguard personal accounts. In about half of the cases, small businesses also rely on similarly weak or moderately complex combinations. The remaining half tend to feature more robust patterns that include a mix of lowercase and uppercase letters alongside a higher count of digits. According to RTM Group, automated password-cracking systems now test up to 300 billion combinations per second, which means even moderately complex passwords can be compromised within minutes under the right conditions.
Experts observe a clear correlation between password strength and organizational size. The most resilient passwords appeared among workers at large corporations, yet these robust credentials constituted only around five percent of all cases. Those strong passwords typically exceeded 12 characters and incorporated a range of special symbols such as brackets, percentage signs, currency symbols, and other non-alphanumeric characters, making them considerably harder to crack.
Security professionals emphasize that the adoption of complex password policies within organizations greatly influences outcomes. When companies enforce explicit requirements for minimum length and the diversity of characters, the time needed to crack passwords increases dramatically, from days or weeks to years, depending on the exact composition and length of the password.
Another factor driving password-cracking speed is the rising power of graphics processing units used in these tasks. In previous years, an eight-character password composed of numbers and letters in various configurations was deemed secure by the RTM Group. Today, those same passwords can be broken in a matter of hours. The latest guidance from RTM Group points to the growing security value of passwords that span 16 characters and include a broad set of special characters. Even a simple example, such as a password like “34,” underscores how much more challenging modern systems can render guesses when longer strings and diverse characters are involved.
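To put the figures quoted above (300 billion guesses per second, and the shift from eight to 16 characters) into numbers, here is an added Python estimator that is not part of the RTM Group study or this article. It models the worst case for an attacker who exhaustively searches the union of the ASCII character classes a password uses; real cracking tools rely on wordlists and masks, so actual times are lower, and the sample passwords and policies below are constructed.

```python
import string

# Guess rate quoted from the RTM Group figure above: 300 billion per second.
RTM_RATE = 300_000_000_000

# Character classes used to model composition (assumption: ASCII classes,
# and the attacker searches the union of the classes the password uses).
CLASSES = {
    "digits": set(string.digits),          # 10 characters
    "lower": set(string.ascii_lowercase),  # 26 characters
    "upper": set(string.ascii_uppercase),  # 26 characters
    "symbols": set(string.punctuation),    # 32 characters
}

def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover for this password's classes."""
    if not password or not all(any(c in s for s in CLASSES.values()) for c in password):
        raise ValueError("empty password or characters outside the modelled classes")
    return sum(len(s) for s in CLASSES.values() if any(c in s for c in password))

def exhaustive_seconds(length: int, alphabet: int, rate: int = RTM_RATE) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet ** length / rate

def crack_seconds(password: str, rate: int = RTM_RATE) -> float:
    """Worst-case exhaustive-search time for a password, from its composition."""
    return exhaustive_seconds(len(password), charset_size(password), rate)

def policy_seconds(min_length: int, required: tuple, rate: int = RTM_RATE) -> float:
    """Worst case for the weakest password a policy admits: minimum length over exactly the required classes."""
    return exhaustive_seconds(min_length, sum(len(CLASSES[c]) for c in required), rate)

def human_time(seconds: float) -> str:
    """Render seconds in the units the article uses (minutes, hours, days, years)."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.2g} seconds"

if __name__ == "__main__":
    # Constructed sample passwords, one per category the study describes.
    for pw in ("483920", "k7m2p9q4", "Tr4nsf3r!Fund$", "c0ffee&Cr3am%(2024)"):
        print(f"{pw:<22} alphabet={charset_size(pw):3d}  {human_time(crack_seconds(pw))}")
    all_classes = ("digits", "lower", "upper", "symbols")
    for length in (8, 12, 16):
        print(f"policy: min {length} chars, all classes -> {human_time(policy_seconds(length, all_classes))}")
```

Run as a script, it shows the eight-character lowercase-plus-digits case falling in the "under a minute" range and the 12- and 16-character all-class policies moving into years.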
Historically, cybersecurity researchers have tracked notable campaigns tied to state-sponsored groups. One such example involves Cozy Bear, a Russian-linked actor previously linked to a deception campaign that targeted diplomats in Kiev using BMW-related advertisements. While the specifics of such operations evolve, the underlying lesson remains clear: attackers continually adapt, exploiting gaps in password hygiene and user behavior to breach otherwise protected accounts. This reality reinforces the need for stronger authentication practices and ongoing user education, especially within organizations that handle sensitive information and credentials.