Data Study
How Long Does It Take to Crack a Password? (2026 Data)
By Justin Le
· 7 min read · Data as of June 2026
Key findings
- Length matters far more than complexity: every extra character multiplies crack time, while adding one symbol only nudges it.
- An 8-character password, even with all symbol types, falls in well under a day against a fast offline attacker.
- A random 16-character password crosses into billions of years to brute-force, regardless of whether it uses symbols.
- Numbers-only passwords are catastrophically weak: a 12-digit PIN-style password falls in about 10 seconds.
| Character set | 6 chars | 8 chars | 10 chars | 12 chars | 14 chars | 16 chars | 18 chars | 20 chars |
|---|---|---|---|---|---|---|---|---|
| Numbers only | Instantly | Instantly | Instantly | 10 seconds | 16 minutes | 1 day | 115 days | 31 years |
| Lowercase letters | Instantly | 2 seconds | 23 minutes | 11 days | 20 years | 13 thousand years | 9 million years | 6 billion years |
| Upper + lowercase | Instantly | 8 minutes | 16 days | 123 years | 334 thousand years | 905 million years | 2 trillion years | 10^15 years |
| Letters + digits | Instantly | 36 minutes | 97 days | 1 thousand years | 3 million years | 15 billion years | 58 trillion years | 10^17 years |
| All ASCII (~94) | 6 seconds | 16 hours | 17 years | 150 thousand years | 1 billion years | 11 trillion years | 10^17 years | 10^20 years |
What the table shows
Read across any row and the pattern jumps out: adding characters moves you from "instantly" to "billions of years" far faster than switching to a richer character set. Compare the Letters + digits row at 12 characters (about a thousand years) with the All ASCII row at 12 characters (about 150 thousand years): the symbols help, but jumping the Letters + digits password from 12 to 16 characters takes it to billions of years. Length wins.
Why length beats complexity
The size of the search space is charset^length. Increasing the
character set grows the base; increasing the length grows the
exponent, and exponents win decisively. Going from 8 to 16 characters
doesn't double the difficulty, it squares it. This is the mathematical reason modern
guidance (including NIST's) tells you to favour length, and why a long passphrase can
beat a short string of symbols. We unpack the practical side in
how to create a strong password.
The big caveat: this assumes a fast, unsalted hash
These figures model a brute-force attack at 100 billion guesses per second, realistic for a fast, unsalted hash like raw MD5 or SHA-256 on modern GPUs. That makes them an upper bound on weakness. If a site stores passwords properly, with a slow, salted algorithm like bcrypt or Argon2, the same attacker manages only thousands of guesses per second, making every number in this table vastly larger. Conversely, an online attack (guessing against a live login) is throttled to a handful of attempts, so it's far slower still.
The other big caveat: this assumes randomness
The table assumes a truly random password. Real human passwords are
not random: they use dictionary words, names, dates and predictable substitutions
(P@ssw0rd), which attackers try first. A 12-character password built from
two dictionary words has far less effective strength than the table suggests.
That's why a generated random password is so much stronger than one you invent. Check
your own with the
password strength checker.
Practical takeaways
- Use 16+ characters for anything important: that's the line where brute force becomes hopeless.
- Make it random. A generated password realises the full strength the table promises; a memorable one rarely does.
- Never reuse passwords. Strength is irrelevant if the same password leaks from another site, so use a password manager.
- Add MFA. Even a cracked password is stopped by two-factor authentication.
Methodology
This is a computed model, not a survey: every value is reproducible. For a random password drawn uniformly from a character set of size C with length L, the number of possible passwords is C^L. We divide that keyspace by an assumed attacker guess rate to get the time to exhaust it:
time = C^L / rate
- Rate: 100 billion guesses/second (10¹¹/s), a reference figure for a fast, unsalted hash on modern GPU hardware.
- Character sets: numbers (10), lowercase (26), upper+lower (52), letters+digits (62), all printable ASCII (~94).
- Calculation: performed with arbitrary-precision integers (BigInt) so the very large values are exact, then rounded for readability.
The same entropy model powers our password strength checker, and the computation is open in our codebase, so you can verify or re-run it with different assumptions. Figures are an order-of-magnitude guide, not a precise prediction.
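The model above, together with the two caveats (slow hashes and non-random passwords), as an added example that is not the site's own code. The slow-hash rate of 10,000 guesses/second, the 100,000-word wordlist, the 365-day year, the round-down rule and all function names are assumptions made for illustration.

```javascript
// Added example: time = C^L / rate in BigInt arithmetic, as the methodology describes.
const FAST_RATE = 10n ** 11n; // from the page: 100 billion guesses/second
const SLOW_RATE = 10n ** 4n;  // assumption: "thousands per second" against a slow salted hash
const CHARSETS = { digits: 10n, lower: 26n, mixed: 52n, alnum: 62n, ascii: 94n };

// Keyspace of a uniformly random password: C^L.
function randomKeyspace(charsetSize, length) {
  return charsetSize ** BigInt(length);
}

// Keyspace of `count` words picked from a wordlist (hypothetical size).
function wordKeyspace(wordlistSize, count) {
  return wordlistSize ** BigInt(count);
}

// Whole seconds to exhaust the keyspace; BigInt division truncates.
function secondsToExhaust(keyspace, rate = FAST_RATE) {
  return keyspace / rate;
}

// 365-day year (assumption).
const UNITS = [["year", 31536000n], ["day", 86400n], ["hour", 3600n],
               ["minute", 60n], ["second", 1n]];

// Round down to the largest unit that fits (assumed rounding rule).
function humanize(seconds) {
  if (seconds < 1n) return "Instantly";
  for (const [name, size] of UNITS) {
    if (seconds >= size) {
      const n = seconds / size;
      return `${n} ${name}${n === 1n ? "" : "s"}`;
    }
  }
}

function crackTime(keyspace, rate = FAST_RATE) {
  return humanize(secondsToExhaust(keyspace, rate));
}

// Table cell: all ASCII, 8 characters, fast unsalted hash.
console.log(crackTime(randomKeyspace(CHARSETS.ascii, 8)));
// Same 8-character letters+digits password, fast hash vs. assumed slow-hash rate.
console.log(crackTime(randomKeyspace(CHARSETS.alnum, 8)),
            "vs", crackTime(randomKeyspace(CHARSETS.alnum, 8), SLOW_RATE));
// 12 random lowercase letters vs. two words from an assumed 100,000-word list.
console.log(crackTime(randomKeyspace(CHARSETS.lower, 12)),
            "vs", crackTime(wordKeyspace(100000n, 2)));
```

Changing `FAST_RATE` or passing a different rate to `crackTime` re-runs the model under other attacker assumptions.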
Sources & notes
- Model: keyspace = charset^length ÷ guess rate (computed with BigInt; reproducible in our open codebase)
- NIST SP 800-63B, Digital Identity Guidelines (length over complexity)
- Assumed attack rate reflects fast unsalted-hash GPU cracking; slow salted hashes (bcrypt/Argon2) are far slower to attack
Frequently asked questions
How long does it take to crack an 8-character password?
Against a fast offline attacker (100 billion guesses/second on an unsalted hash), even an 8-character password using all symbol types falls in well under a day. Eight characters is no longer enough; aim for 16 or more.
Is a longer password better than a more complex one?
Yes. Length grows the search space exponentially, while adding a character type only grows the base. A random 16-character password reaches billions of years to brute-force even without symbols.
Are these crack times realistic?
They're an upper bound on weakness, assuming a fast unsalted hash. Sites that hash properly with bcrypt or Argon2 make attacks thousands of times slower, and the figures assume truly random passwords; human-chosen ones are weaker.