You have probably seen a viral chart claiming a hacker can break your password instantly or that it would take billions of years. Both can be true, depending on a few details most charts gloss over. The honest answer to how long it takes to crack a password comes down to simple math: how many possible combinations exist, and how many guesses an attacker can make per second.
In this guide you will see how length and character variety change crack time, why a typical 8-character password fails fast against modern hardware, and roughly what length actually resists a brute-force attack today. We will keep the math friendly and the numbers grounded in current cracking benchmarks.
How brute-force cracking actually works
A pure brute-force attack means trying every possible combination until one matches. The total number of combinations is the size of the character set raised to the power of the password length. In plain terms:
combinations = (character set size) ^ (password length)
The character set is the pool of symbols you draw from:
- Digits only (0-9): 10 possible characters
- Lowercase letters: 26
- Upper + lowercase: 52
- Upper + lower + digits: 62
- Upper + lower + digits + symbols: roughly 95 on a standard keyboard
The exponent is what matters most. Adding one character to the length multiplies the total combinations by the entire character set size, while switching from letters to letters-plus-symbols only changes the base. That is why length beats complexity almost every time. If you want the deeper math behind why this works, our explainer on password entropy breaks it down step by step.
The other half of the equation: guesses per second
Combinations alone do not tell you crack time. You also need the attacker's guess rate. This varies enormously:
- Online attacks (typing guesses into a live login form) are slow. Rate limiting, lockouts, and network latency can cap an attacker at a handful of guesses per second or less.
- Offline attacks are the dangerous case. If attackers steal a database of password hashes in a breach, they can guess against their own hardware at full speed, with no rate limit. Modern consumer GPUs, especially when chained together or rented from cloud providers, can attempt enormous numbers of guesses per second.
The popular crack-time charts you see online, such as the widely cited Hive Systems table, model the offline scenario against fast, modern GPU hardware and a weak, fast hashing algorithm. That is a deliberately pessimistic worst case, which is exactly what you want when judging whether a password is future-proof.
Crack-time estimates are order-of-magnitude guides, not promises. A 'centuries' rating means brute force is impractical, not that your account is safe from phishing, malware, or reused-password attacks.
Time to crack a password by length
Here is a representative breakdown for a randomly generated password under an offline GPU attack on a fast hash. Figures are rounded to convey scale, not pinpoint accuracy, and real numbers shift every year as hardware gets faster.
| Length | Digits only | Lowercase letters | Upper + lower + digits | All character types (~95) |
|---|---|---|---|---|
| 6 | Instant | Instant | Seconds | Minutes |
| 8 | Instant | Seconds | Hours | Days to weeks |
| 10 | Instant | Hours | Years | Centuries |
| 12 | Seconds | Years | Centuries | Millions of years |
| 14 | Minutes | Centuries | Millions of years | Billions of years |
| 16 | Hours | Millions of years | Billions of years | Effectively uncrackable |
Two patterns jump out. First, moving down a row (adding length) buys you far more time than moving right (adding character types). Second, a digits-only password is a trap at any reasonable length, which is why PINs rely on hardware lockouts rather than raw strength.
A worked example: why 8 characters fails fast
Take an 8-character password using upper, lower, and digits (62 characters). The math is 62^8, which is about 218 trillion combinations. That sounds huge, and against a slow online login it would take ages. But split across modern GPU hardware in an offline attack, hundreds of billions or even trillions of guesses per second are achievable against weak hashes, so the full keyspace can be exhausted in hours, not years.
Now add four characters. A 12-character password from the same 62-character set, 62^12, has roughly 3.2 quintillion combinations, about 15,000 times more than the 8-character version. The same hardware now needs centuries. You did not add exotic symbols; you just made it longer. This is the core reason a long, memorable passphrase beats a short complex password: four or five random words give you length and entropy that a cramped 8-character string can never match.
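The formula, the guess-rate division and the table's scale labels, as a small Python calculator added here (not code from the article); the online and offline guess rates are assumed placeholder values for illustration, not benchmark figures.

```python
from math import log2

# Character set sizes from the article.
CHARSETS = {"digits": 10, "lowercase": 26, "upper+lower": 52,
            "upper+lower+digits": 62, "all types": 95}

# Assumed guess rates (guesses/second), constructed for illustration only:
# a rate-limited login form versus a GPU rig hitting a fast unsalted hash.
ONLINE_RATE = 10
OFFLINE_RATE = 1e12

YEAR = 365.25 * 24 * 3600  # seconds

def keyspace(charset_size, length):
    """combinations = (character set size) ^ (password length)"""
    return charset_size ** length

def entropy_bits(charset_size, length):
    """Same quantity on a log scale: each extra character adds log2(base) bits."""
    return length * log2(charset_size)

def seconds_to_crack(charset_size, length, rate):
    """Worst case for the defender: attacker exhausts the whole keyspace (average is half)."""
    return keyspace(charset_size, length) / rate

def describe(seconds):
    """Bucket a duration into the coarse scale labels the article's table uses."""
    buckets = [(1, "instant"), (60, "seconds"), (3600, "minutes"), (86400, "hours"),
               (30 * 86400, "days to weeks"), (YEAR, "months"), (100 * YEAR, "years"),
               (1e6 * YEAR, "centuries"), (1e9 * YEAR, "millions of years")]
    for limit, label in buckets:
        if seconds < limit:
            return label
    return "billions of years or more"

def table_row(length, rate=OFFLINE_RATE):
    """One row of the crack-time table: a label per character set at the given rate."""
    return {name: describe(seconds_to_crack(size, length, rate))
            for name, size in CHARSETS.items()}

if __name__ == "__main__":
    print(f"62^8  = {keyspace(62, 8):,} ({entropy_bits(62, 8):.1f} bits)")
    print(f"62^12 = {keyspace(62, 12):,} ({entropy_bits(62, 12):.1f} bits)")
    for length in (6, 8, 10, 12, 14, 16):
        print(length, table_row(length))
    print("8 chars vs rate-limited login:", describe(seconds_to_crack(62, 8, ONLINE_RATE)))
```

Changing OFFLINE_RATE by a factor of ten shifts every label by one bucket, which is why published charts drift year to year.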
The catch: most passwords are not random
Every number above assumes a truly random password. Real people rarely pick random strings, and attackers know it. Instead of blind brute force, they run smarter attacks:
- Dictionary attacks try common words, names, and known passwords first.
- Rule-based attacks apply human habits: capitalize the first letter, add a year, swap a for @, append !.
- Credential stuffing skips cracking entirely and reuses passwords already exposed in past breaches.
Take P@ssw0rd1!: it is 10 characters with all four character types, which the table would rate as very strong. In reality it falls in seconds because it is a predictable pattern attackers test early. The crack-time math only protects you if your password has no guessable structure. To see how these techniques fit together, read our breakdown of how hackers steal passwords, and avoid the common password mistakes that make crack-time estimates meaningless.
What length actually resists brute force today
Modern guidance leans on length over complexity. The U.S. National Institute of Standards and Technology (NIST), in its SP 800-63B digital identity guidelines, sets an absolute minimum of 8 characters for user-chosen passwords but strongly recommends supporting much longer ones, allowing maximums of at least 64 characters and screening new passwords against known breached lists. Notably, NIST no longer pushes mandatory complexity rules or forced periodic resets, because those tend to produce predictable patterns rather than genuine strength.
For practical purposes:
- 12 characters, random, mixed types is a reasonable floor for everyday accounts.
- 16+ characters or a 4 to 6 word random passphrase is the sweet spot for important accounts and master passwords. The Diceware method generates exactly this kind of high-entropy, human-friendly passphrase.
- Unique per site, because length means nothing if the same password leaks somewhere else.
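The predictable-pattern problem and the length rules above, turned into a password screening check of the kind NIST recommends (an added example, not code from the article or from NIST); the blocklist is a constructed stand-in for a real breached-password list, and the substitution map is an assumption covering the common habits listed earlier.

```python
import re

# Length rules from the figures quoted above: 8 absolute minimum, at least 64
# allowed, and the article's 12-character floor for everyday accounts.
MIN_LEN, RECOMMENDED_LEN, MAX_LEN = 8, 12, 64

# Constructed stand-in for a breached/common-password list; a real deployment
# screens against a full list built from breach corpora.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "admin"}

# Undo the substitutions rule-based attacks apply, so "P@ssw0rd" maps back to "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "$": "s", "5": "s", "3": "e", "7": "t"})
TRAILING = re.compile(r"[^a-z]+$")  # appended years, digits, punctuation

def base_forms(pw):
    """Candidate base words hidden inside a password after common mangling."""
    lower = pw.lower()
    return {
        lower.translate(LEET),                     # substitutions only
        TRAILING.sub("", lower).translate(LEET),   # strip suffix, then un-leet
        TRAILING.sub("", lower.translate(LEET)),   # un-leet, then strip suffix
    }

def screen_password(pw, blocklist=COMMON_BASE_WORDS):
    """Return a verdict: length limits first, then the predictable-pattern check."""
    if len(pw) < MIN_LEN:
        return f"reject: shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return f"reject: longer than {MAX_LEN} characters"
    for base in sorted(base_forms(pw)):
        if base in blocklist:
            return f"reject: predictable pattern on '{base}'"
    if len(pw) < RECOMMENDED_LEN:
        return f"weak: under {RECOMMENDED_LEN} characters"
    return "ok"

if __name__ == "__main__":
    # Constructed sample inputs: the article's P@ssw0rd1!, a year-suffixed word,
    # a too-short string, a leet-mangled but uncommon word, and a random passphrase.
    for pw in ["P@ssw0rd1!", "Summer2024!", "short1", "Bl4ckb1rd9",
               "plinth-cobalt-marmot-ravine"]:
        print(f"{pw!r:32} -> {screen_password(pw)}")
```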
You can generate strings or passphrases at these lengths instantly with our free password and passphrase generator, and pick something both strong and memorable using our guide to strong passwords that are easy to remember.
Length is necessary but not sufficient
A long random password defeats brute force, but brute force is rarely how accounts actually get breached. Phishing, malware, and reused credentials bypass the math entirely. That is why layered defenses matter: a password manager lets you use long unique passwords everywhere without memorizing them, two-factor authentication blocks logins even when a password leaks, and you should periodically check whether your passwords have appeared in a breach.
Key takeaways
- Crack time = combinations / guess rate. Length raises combinations exponentially, which is why it matters most.
- An 8-character password, even with mixed characters, can fall in hours to days against an offline GPU attack on weak hashes.
- 12 characters is a sensible minimum, and 16+ characters or a multi-word passphrase resists brute force for the foreseeable future.
- The math only holds for random passwords. Predictable patterns like P@ssw0rd1! crack in seconds regardless of length.
- Pair strong length with uniqueness, a password manager, and 2FA, because brute force is only one of many ways accounts get compromised.
This article is general security education, not personalized advice. Use it to understand the trade-offs, then choose protections that fit how you actually use your accounts.