ToolSec

📊 Data Study

How Long Does It Take to Crack a Password? (2026 Data)

7 min read · Data as of June 2026

Key findings

  • Length matters far more than complexity: every extra character multiplies crack time, while adding one symbol only nudges it.
  • An 8-character password, even with all symbol types, falls in well under a day against a fast offline attacker.
  • A random 16-character password crosses into billions of years to brute-force, regardless of whether it uses symbols.
  • Numbers-only passwords are catastrophically weak: a 12-digit PIN-style password falls in about 10 seconds.
| Character set | 6 chars | 8 chars | 10 chars | 12 chars | 14 chars | 16 chars | 18 chars | 20 chars |
|---|---|---|---|---|---|---|---|---|
| Numbers only | Instantly | Instantly | Instantly | 10 seconds | 16 minutes | 1 day | 115 days | 31 years |
| Lowercase letters | Instantly | 2 seconds | 23 minutes | 11 days | 20 years | 13 thousand years | 9 million years | 6 billion years |
| Upper + lowercase | Instantly | 8 minutes | 16 days | 123 years | 334 thousand years | 905 million years | 2 trillion years | 10^15 years |
| Letters + digits | Instantly | 36 minutes | 97 days | 1 thousand years | 3 million years | 15 billion years | 58 trillion years | 10^17 years |
| All ASCII (~94) | 6 seconds | 16 hours | 17 years | 150 thousand years | 1 billion years | 11 trillion years | 10^17 years | 10^20 years |

Estimated time to exhaust the keyspace of a random password, assuming an offline attacker making 100 billion guesses/second (10^11/s) against a fast, unsalted hash. Computed from charset^length ÷ rate.

What the table shows

Read across any row and the pattern jumps out: adding characters moves you from "instantly" to "billions of years" far faster than switching to a richer character set. Compare the Letters + digits row at 12 characters (about a thousand years) with the All ASCII row at 12 characters (about 150 thousand years): the symbols help, but jumping the Letters + digits password from 12 to 16 characters takes it to billions of years. Length wins.

Why length beats complexity

The size of the search space is charset^length. Increasing the character set grows the base; increasing the length grows the exponent, and exponents win decisively. Going from 8 to 16 characters doesn't double the difficulty, it squares it. This is the mathematical reason modern guidance (including NIST's) tells you to favour length, and why a long passphrase can beat a short string of symbols. We unpack the practical side in how to create a strong password.

The big caveat: this assumes a fast, unsalted hash

These figures model a brute-force attack at 100 billion guesses per second, which is realistic for a fast, unsalted hash like raw MD5 or SHA-256 on modern GPUs. That makes them an upper bound on weakness. If a site stores passwords properly, with a slow, salted algorithm like bcrypt or Argon2, the same attacker manages only thousands of guesses per second, making every number in this table vastly larger. Conversely, an online attack (guessing against a live login) is throttled to a handful of attempts, so it's far slower still.

The other big caveat: this assumes randomness

The table assumes a truly random password. Real human passwords are not random; they use dictionary words, names, dates and predictable substitutions (P@ssw0rd), which attackers try first. A 12-character password built from two dictionary words has far less effective strength than the table suggests. That's why a generated random password is so much stronger than one you invent. Check your own with the password strength checker.

Practical takeaways

  • Use 16+ characters for anything important; that's the line where brute force becomes hopeless.
  • Make it random. A generated password realises the full strength the table promises; a memorable one rarely does.
  • Never reuse passwords. Strength is irrelevant if the same password leaks from another site; use a password manager.
  • Add MFA. Even a cracked password is stopped by two-factor authentication.

Methodology

This is a computed model, not a survey; every value is reproducible. For a random password drawn uniformly from a character set of size C with length L, the number of possible passwords is C^L. We divide that keyspace by an assumed attacker guess rate to get the time to exhaust it:

time = C^L / rate
  • Rate: 100 billion guesses/second (10^11/s), a reference figure for a fast, unsalted hash on modern GPU hardware.
  • Character sets: numbers (10), lowercase (26), upper+lower (52), letters+digits (62), all printable ASCII (~94).
  • Calculation: performed with arbitrary-precision integers (BigInt) so the very large values are exact, then rounded for readability.

The same entropy model powers our password strength checker, and the computation is open in our codebase, so you can verify or re-run it with different assumptions. Figures are an order-of-magnitude guide, not a precise prediction.
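
The model above, as an added example that is not the site's own code: it recomputes table cells with BigInt and re-runs one cell at a slow-hash rate, as the fast-hash caveat describes. Function names, floor rounding, the 365-day year, the unit labels and the 10^4 guesses/second slow rate are assumptions of this sketch.

```javascript
// Added example: the page's model, time = C^L / rate, with BigInt arithmetic.
// Names, rounding (floor), unit labels and SLOW_RATE are assumptions of this sketch.
const FAST_RATE = 10n ** 11n; // page's reference: fast, unsalted hash on GPUs
const SLOW_RATE = 10n ** 4n;  // assumed value for "thousands of guesses per second"
const CHARSETS = { digits: 10n, lower: 26n, mixed: 52n, alnum: 62n, ascii: 94n };

// Whole seconds needed to try every password of this length.
function secondsToExhaust(charsetSize, length, rate = FAST_RATE) {
  return BigInt(charsetSize) ** BigInt(length) / rate;
}

const UNITS = [
  ["years", 31_536_000n], // 365-day year (assumption)
  ["days", 86_400n],
  ["hours", 3_600n],
  ["minutes", 60n],
  ["seconds", 1n],
];
const SCALES = [
  ["trillion", 10n ** 12n],
  ["billion", 10n ** 9n],
  ["million", 10n ** 6n],
  ["thousand", 10n ** 3n],
];

// Render a duration the way the table does: largest unit, rounded down.
function humanize(seconds) {
  if (seconds < 1n) return "Instantly";
  const [name, size] = UNITS.find(([, s]) => seconds >= s);
  const n = seconds / size;
  if (name === "years") {
    if (n >= 10n ** 15n) return `10^${n.toString().length - 1} years`;
    const scale = SCALES.find(([, s]) => n >= s);
    if (scale) return `${n / scale[1]} ${scale[0]} years`;
  }
  return `${n} ${n === 1n ? name.slice(0, -1) : name}`;
}

// Crack-time estimate for one table cell.
function crackTime(charset, length, rate = FAST_RATE) {
  return humanize(secondsToExhaust(CHARSETS[charset], length, rate));
}

// Same 8-character all-ASCII password: fast unsalted hash vs. slow salted hash.
console.log(crackTime("ascii", 8), "vs", crackTime("ascii", 8, SLOW_RATE));
for (const len of [8, 12, 16, 20]) console.log(len, crackTime("alnum", len));
```

Changing the `rate` argument is the quickest way to see how much of the table depends on how the site stores the hash rather than on the password itself.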

Frequently asked questions

How long does it take to crack an 8-character password?

Against a fast offline attacker (100 billion guesses/second on an unsalted hash), even an 8-character password using all symbol types falls in well under a day. Eight characters is no longer enough; aim for 16 or more.

Is a longer password better than a more complex one?

Yes. Length grows the search space exponentially, while adding a character type only grows the base. A random 16-character password reaches billions of years to brute-force even without symbols.

Are these crack times realistic?

They're an upper bound on weakness, assuming a fast unsalted hash. Sites that hash properly with bcrypt or Argon2 make attacks thousands of times slower, and the figures assume truly random passwords; human-chosen ones are weaker.