How Long Does It Take to Crack Your Password? (The Answer Will Bother You)
May 2, 2026 · 6 min read
Modern password-cracking hardware can test billions of combinations per second. Not millions — billions. A single consumer GPU running cracking software can attempt 10–100 billion password guesses per second against a stolen hash, depending on the hashing algorithm used to store it.
That number changes how you should think about passwords. Most advice people follow — use a capital letter, add a number, throw in an exclamation point — was designed for a slower era. Against modern hardware, "Password1!" takes about 25 minutes to crack. Against a good dictionary attack, it takes seconds.
Here's what actually determines how long your password survives — and what the timeline actually looks like.
The Math Behind Cracking Time
Password strength comes down to one variable: the total number of possible combinations an attacker has to try before they find yours. That number is determined by two things:
- Character set size — how many possible characters per position (26 for lowercase, 62 for mixed alphanumeric, 95 for full printable ASCII)
- Password length — how many positions exist
Total combinations = Character set size ^ Password length

| Password length | Lowercase only (26 chars) | Full character set (95 chars) |
|---|---|---|
| 8 characters | 208 billion combinations | 6.6 quadrillion combinations |
| 12 characters | 95 quadrillion combinations | 540 quintillion combinations |
| 16 characters | 43 sextillion combinations | 44 septillion combinations |
Against hardware doing 100 billion guesses per second, 208 billion combinations lasts about 2 seconds. 95 quadrillion lasts about 11 days. 44 septillion would take longer than the age of the universe.
This is why length is everything. Adding one character multiplies the search space by the entire character set size. Adding a symbol to an 8-character password adds some combinations. Adding a 9th character multiplies the entire search space by 95.
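The arithmetic above, as an added example that is not part of the original article: it computes the search space and worst-case exhaustion time at the article's 100 billion guesses per second, and goes one step further by solving for the shortest length that outlasts a chosen time. The function names and the one-century target are assumptions made for illustration.

```python
def keyspace(charset_size, length):
    """Total combinations = character set size ^ password length."""
    return charset_size ** length

def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst case: every combination tried. The average hit comes at half this."""
    return keyspace(charset_size, length) / guesses_per_second

def min_length(charset_size, guesses_per_second, target_seconds):
    """Shortest length whose full search space outlasts target_seconds."""
    budget = guesses_per_second * target_seconds  # guesses the attacker can afford
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"

RATE = 100e9                     # the article's upper figure: 100 billion guesses/second
CENTURY = 100 * 365.25 * 86400   # assumed survival target for the length solver

if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"26 chars, length {n}: {humanize(seconds_to_exhaust(26, n, RATE))}")
    for size in (26, 62, 95):
        print(f"{size} chars: length {min_length(size, RATE, CENTURY)} outlasts a century")
    # Length beats alphabet size: 16 lowercase characters vs 10 from the full set.
    print("26^16 > 95^10:", keyspace(26, 16) > keyspace(95, 10))
```

The length solver shows the trade-off directly: moving from 26 to 95 possible characters only lowers the required length by a few positions.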
How Long Passwords Actually Take to Crack in 2026
These estimates assume a dedicated offline attack — an attacker who has obtained a hashed password database and is running cracking hardware locally. Online attacks are rate-limited and much slower. Offline attacks are what happen after data breaches.
| Password Type | Example | Crack Time (Offline) |
|---|---|---|
| 6 chars, lowercase | monkey | Instantly |
| 8 chars, lowercase | sunshine | Under 1 hour |
| 8 chars, mixed case + numbers | Tr0uble8 | A few days |
| 8 chars, all character types | Tr0$ble! | 1–2 weeks |
| 10 chars, all character types | G7$xKp!2aQ | 5+ years |
| 12 chars, all character types | kR9#mL2@vXpW | Centuries |
| 16 chars, all character types | Qz4#nM8@vBr2&Kw | Longer than the universe's age |
| 4-word passphrase | correct-horse-battery-staple | Centuries+ |
The jump from 8 characters to 12 characters is not incremental — it's the difference between "crackable this decade" and "practically uncrackable by any current technology."
Dictionary Attacks: Why "Clever" Passwords Aren't
Brute force — trying every possible combination — is the last resort of password cracking, not the first. Real attacks start with dictionary attacks: pre-compiled lists of words, names, phrases, leaked passwords, and common substitutions that are tested in seconds before a single character is brute-forced.
These lists contain billions of entries compiled from actual leaked passwords across decades of data breaches. They include:
- Every word in every major language
- Common name and surname combinations
- Every password ever leaked in major data breaches
- Common substitutions: a→@, e→3, o→0, s→$, i→1
- Standard appended patterns: word + year, word + !, word + 123
- Keyboard walks: qwerty, 1qaz2wsx, zxcvbn
"P@ssw0rd!" is not clever — it's in every dictionary list. "Summer2024!" was cracked the moment someone first used it. Any password that follows a predictable human pattern gets tested in the dictionary phase before a single brute force attempt is made.
This is why generating a truly random password matters. Human "randomness" is not random — it has patterns that attackers are explicitly trained to exploit.
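A defensive use of the same pattern list, as an added example that is not part of the original article: a signup-time check that rejects a candidate password when undoing the listed substitutions and appended patterns lands on a known word or keyboard walk. `WORDLIST` is a small constructed stand-in for a real breached-password list, and `predictable_reason` is an illustrative name.

```python
import re

# Reverse of the substitutions listed above: a→@, e→3, o→0, s→$, i→1.
UNLEET = str.maketrans({"@": "a", "3": "e", "0": "o", "$": "s", "1": "i"})
KEYBOARD_WALKS = {"qwerty", "1qaz2wsx", "zxcvbn"}   # the walks named above
# Constructed sample; a real deployment would load a breached-password list.
WORDLIST = {"password", "summer", "sunshine", "monkey", "trouble"}
# Trailing digits and "!" cover word + year, word + !, word + 123.
SUFFIX = re.compile(r"[0-9!]+$")

def predictable_reason(password):
    """Return why the password falls in the dictionary phase, or None."""
    lowered = password.lower()
    stem = SUFFIX.sub("", lowered)          # strip the appended pattern first
    for base, has_suffix in ((lowered, False), (stem, True)):
        for form, leet in ((base, False), (base.translate(UNLEET), True)):
            if form in KEYBOARD_WALKS:
                kind = "keyboard walk"
            elif form in WORDLIST:
                kind = "dictionary word"
            else:
                continue
            extras = [tag for tag, on in (("substitutions", leet),
                                          ("appended pattern", has_suffix)) if on]
            return " + ".join([kind] + extras)
    return None

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2024!", "Tr0uble8", "1qaz2wsx",
                      "sunshine", "G7$xKp!2aQ"):
        print(f"{candidate:14} -> {predictable_reason(candidate) or 'no known pattern'}")
```

Stripping the suffix before reversing substitutions matters: in "Password1!" the trailing 1 is an appended digit, not a replacement for "i".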
What Truly Strong Passwords Look Like
There are two approaches that actually work:
1. Long, random character strings. A 16+ character password with random uppercase, lowercase, numbers, and symbols is computationally infeasible to crack. A good password generator produces these instantly with no memorization required — because you store them in a password manager, not your head.
2. Passphrases. Four or more unrelated words randomly selected and strung together provide very high entropy while remaining memorable. The key word is "randomly selected." "My dog is named Biscuit" is not a passphrase — it's a sentence that follows grammar and uses personal information. "Lamp Gravel Suitcase Thunder" is a passphrase.
The worst of both worlds is a short, patterned complex password: 8 characters, capital at the start, number and symbol at the end. This format is what most password requirements push users toward — and it produces passwords that are both difficult to remember and relatively easy to crack.
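The contrast between a policy-shaped password and a uniformly random one, as an added example that is not part of the original article: it generates passwords from the operating system's CSPRNG and compares the search space of each shape. The exact policy shape (capital, five lowercase letters, digit, symbol) is an assumed reading of the format described above, and all names are illustrative.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation              # the 32 ASCII symbols
FULL = LOWER + UPPER + DIGITS + SYMBOLS   # 94 characters; the article's 95 also counts the space

def random_password(length=16, alphabet=FULL):
    """Draw every position independently from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def pattern_keyspace(pools):
    """Combinations when each position may only come from its own pool."""
    return math.prod(len(pool) for pool in pools)

def bits(combinations):
    """Search space expressed as bits of entropy."""
    return math.log2(combinations)

# Assumed reading of the policy-shaped password: capital first, five lowercase
# letters, then one digit and one symbol at the end (8 characters total).
POLICY_SHAPE = [UPPER] + [LOWER] * 5 + [DIGITS, SYMBOLS]
UNIFORM_8 = [FULL] * 8
UNIFORM_16 = [FULL] * 16

if __name__ == "__main__":
    for label, pools in (("policy-shaped, 8 chars", POLICY_SHAPE),
                         ("uniform random, 8 chars", UNIFORM_8),
                         ("uniform random, 16 chars", UNIFORM_16)):
        space = pattern_keyspace(pools)
        print(f"{label:26} {space:.3e} combinations, {bits(space):5.1f} bits")
    print("generated:", random_password())
```

The policy shape and the uniform 8-character password have the same length and the same character types, yet the fixed positions shrink the search space by a factor of tens of thousands.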
The Reuse Problem Is Worse Than the Weakness Problem
A technically strong password reused across multiple sites is dangerous in a way that strength alone can't fix. When any one of those sites suffers a data breach — and breaches happen constantly — attackers get the password in plain text or in a crackable hash. They then test it against every other major service automatically.
This is called credential stuffing, and it's one of the most common attack vectors in use today. It requires no cracking at all — the password is just tried directly on other services after a breach exposes it.
The practical implication: a unique password per site, even a moderately strong one, is more secure in practice than a single very strong password used everywhere. The only viable way to maintain unique passwords at scale is a password manager.
Why 2FA Matters Even With a Strong Password
Two-factor authentication (2FA) changes the threat model entirely. Even if an attacker has your exact password — through a breach, phishing, or a successful crack — they cannot log in without the second factor.
For email, banking, and any account used as a recovery option for other accounts, enable 2FA regardless of how strong your password is. Email especially: if an attacker owns your inbox, they can reset credentials for everything else tied to it. It becomes the master key.
Frequently Asked Questions
How long does it take to crack an 8-character password?
An 8-character password using only lowercase letters can be cracked in under an hour with modern hardware. Add uppercase, numbers, and symbols, and that time extends to days — but still falls within reach of dedicated attackers. Length matters far more than complexity. An 8-character password is not considered secure by 2026 standards regardless of character variety.
What makes a password hard to crack?
Length is the dominant factor: each additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length. A 16-character password using only lowercase letters has more possible combinations than a 10-character password using every character type. Randomness is also critical: predictable patterns like "Password1!" are tested early in dictionary attacks, long before any brute force begins.
What is a brute force attack?
A brute force attack systematically tries every possible character combination until it finds the correct password. Modern GPUs can attempt billions of combinations per second against an offline hash. Dictionary attacks are faster variants that try known words, common substitutions, and leaked password lists before resorting to full brute force.
Is a long password better than a complex one?
Yes, generally. A 20-character lowercase passphrase is mathematically stronger than a 10-character mix of random symbols and numbers. Password entropy grows faster with length than with character set size. Four random unrelated words strung together can produce a highly secure, memorable password that outperforms a shorter complex string.
Does using special characters make your password much safer?
Somewhat — but far less than length, and only when used randomly. Substituting @ for "a" or 3 for "e" provides almost no security benefit: these patterns are built into every dictionary attack tool. True randomness — not patterned substitution — is what makes special characters valuable.