Password Security in 2026: How Long to Crack Every Combination
See exact brute-force crack times for 4-20 character passwords. An RTX 4090 cracks 8-char passwords in 22 min. Full table + defense guide.
A single RTX 4090 GPU cracks MD5 hashes at 165 billion attempts per second (Hashcat Benchmarks, 2024). Rent eight of them on a cloud cluster and that number jumps past a trillion. Your “strong” 8-character password? It survives about 22 minutes. Your 6-character one? Gone before you finish reading this sentence.
This post lays out the exact math. You’ll see a full brute-force time table covering 4 to 20 characters across three character sets, so there’s no ambiguity about what “strong enough” actually means. We also cover the attack methods you’re actually facing, why length beats complexity, and the defenses that work right now.
Key Takeaways
- An 8-character password with mixed case and digits falls in ~22 minutes on a single modern GPU.
- Jumping to 16 characters pushes brute-force time past 9,000 years, even against fast hash algorithms.
- 86% of breaches involve stolen or weak credentials (Verizon DBIR, 2024). Length is the cheapest fix.
- Passkeys and hardware 2FA eliminate password cracking entirely for accounts that support them.
Generate a Strong Password Right Now
Before we get into the math, here’s the tool. It runs locally in your browser using the Web Crypto API. Nothing gets transmitted.
How Does Brute-Force Password Cracking Work?
Brute-force cracking tests every possible character combination until the correct one matches. A single NVIDIA RTX 4090 processes roughly 165 billion MD5 hashes per second (Hashcat Benchmarks, 2024), making short passwords trivially breakable. The math is straightforward: total combinations divided by guesses per second equals time to crack.
The formula
Take the number of possible characters (the “charset size”), raise it to the power of the password length, and divide by the attacker’s hash rate. For example, an 8-character password using lowercase letters only has 26^8 = 208 billion combinations. At 165 billion guesses per second, that’s 1.3 seconds.
Sounds bad? It gets worse. Attackers don’t use one GPU. Cloud cracking rigs with 8-16 GPUs are common. State-level adversaries run thousands. And MD5 is a fast hash, which is exactly the problem.
Why the hash algorithm matters
Not all hashing is equal. MD5 and SHA-1 are “fast” hashes, designed for speed. That’s a gift to attackers. Bcrypt, scrypt, and Argon2 are “slow” hashes, deliberately expensive to compute. A bcrypt hash with a work factor of 12 runs roughly 100,000 times slower than MD5 on the same hardware. The table below assumes MD5, because that represents the worst case you’re likely to encounter. Many sites still store passwords with fast hashes. If a site uses bcrypt, your password buys you orders of magnitude more time, but you can’t know which hash a service uses until their database leaks.
How Long Does It Take to Crack a Password? (Full Table)
According to Hive Systems’ 2024 password table, which models a cluster of twelve RTX 4090 GPUs against MD5 hashes, a 12-character password using only lowercase letters still falls in about 200 years. Add uppercase, digits, and symbols and that same length balloons to 2 million years. Length combined with character diversity is the only reliable defense.
| Length | Lowercase Only (26) | Mixed Case + Digits (62) | Full Charset (95) |
|---|---|---|---|
| 4 chars | Instant | Instant | Instant |
| 5 chars | Instant | Instant | Instant |
| 6 chars | Instant | 1 second | 7 seconds |
| 7 chars | 2 seconds | 1 minute | 11 minutes |
| 8 chars | 34 seconds | 1 hour | 17 hours |
| 9 chars | 15 minutes | 3 days | 2 months |
| 10 chars | 6 hours | 6 months | 17 years |
| 11 chars | 7 days | 30 years | 1,600 years |
| 12 chars | 200 days | 2,000 years | 150,000 years |
| 13 chars | 14 years | 120,000 years | 15 million years |
| 14 chars | 370 years | 7 million years | 1.4 billion years |
| 16 chars | 250,000 years | 29 billion years | 12 trillion years |
| 18 chars | 170 million years | 28 trillion years | Beyond heat death |
| 20 chars | 117 billion years | Beyond heat death | Beyond heat death |
Citation capsule: A 12-character password using the full 95-character ASCII set takes approximately 150,000 years to brute-force on a cluster of twelve RTX 4090 GPUs running against MD5 hashes, according to Hive Systems’ 2024 password table. Jumping to 16 characters pushes that estimate to 12 trillion years.
How to read this table
The “Full Charset (95)” column includes lowercase, uppercase, digits, and symbols. That’s the column to aim for if your password manager generates random strings. But notice something critical: a 16-character lowercase-only password (250,000 years) still massively outperforms an 8-character full-charset password (17 hours).
Length always wins. Complexity helps, but it’s a multiplier on top of length, not a substitute for it.
These times assume random passwords
Dictionary words, keyboard patterns like “qwerty123”, and common substitutions like “p@ssw0rd” get cracked in seconds regardless of length. Attackers try these patterns first using rule-based attacks and dictionaries containing billions of known passwords.
What Are the Most Common Password Attack Methods?
Credential stuffing now accounts for 29% of all web application attacks (Akamai State of the Internet Report, 2024). Brute force is only one tool in an attacker’s kit, and it’s rarely the first one tried. Understanding all four major attack types explains why password hygiene isn’t just about length.
Brute force
Pure brute force tests every possible combination sequentially. It’s the slowest method and only practical against short passwords or fast hashes. Modern GPU clusters make it viable up to about 10-11 characters against MD5. Beyond that, entropy wins.
Dictionary and rule-based attacks
Attackers start with wordlists containing billions of previously leaked passwords. Tools like hashcat apply “rules” on top: capitalize the first letter, append a number, swap a for @. This cracks most human-chosen passwords in minutes, because we’re all more predictable than we think.
What makes dictionary attacks so effective isn’t the dictionary itself. It’s that humans follow patterns. We’ve analyzed password dumps and the same structural templates appear endlessly: Word + 2-4 digits, Name + birth year, Keyboard walk + symbol. Random generation breaks these templates entirely.
Rainbow tables
Rainbow tables are precomputed hash-to-password mappings. If the service doesn’t “salt” its hashes (adding random data before hashing), an attacker can look up a hash instantly rather than computing it. Modern best practices mandate salted hashes, but legacy systems still get caught without them.
Credential stuffing
This is the most common real-world attack. Attackers take username/password pairs from one breach and try them on other services. No cracking required. It works because Google/Harris Poll research (2019) found 65% of people reuse passwords across multiple sites. That number hasn’t improved much.
password breach checker
What Makes a Password Truly Strong?
Password strength is measured in entropy, the number of bits of randomness. NIST Special Publication 800-63B (NIST, 2020) recommends a minimum of 8 characters but notes that longer passwords provide “substantially greater” security. In practice, security researchers recommend 14-16 characters minimum for anything important.
Length is the dominant variable
Every additional character multiplies the search space by the charset size. Going from 8 to 16 characters with a 95-character set doesn’t double the difficulty. It multiplies it by 95^8, which is roughly 6.6 quadrillion times harder. No amount of clever character substitution compensates for a short password.
Randomness eliminates shortcuts
Humans are terrible random generators. We pick words we know, dates that matter to us, patterns our fingers remember. Attackers exploit this with targeted attacks. A truly random 12-character password has about 79 bits of entropy. A “clever” 12-character password a human invented might have 30-40 bits in practice.
The passphrase alternative
Four to six randomly selected words from a large dictionary (like the EFF dice word list) give you 50-78 bits of entropy with far better memorability. “timber clock prism wander” is both easier to type and harder to crack than “P@$$w0rd!23”.
Character diversity is a multiplier, not a foundation
Adding symbols increases the charset from 62 to 95 characters. That’s a 1.5x multiplier per character position. Adding one more character of length gives you a 95x multiplier. If you had to choose between a 14-character alphanumeric password and a 12-character password with symbols, pick the longer one.
Citation capsule: NIST SP 800-63B recommends against complexity requirements (mandatory symbols, mixed case) and instead emphasizes password length and screening against known breached passwords (NIST, 2020). Forced complexity rules lead to predictable patterns that attackers exploit. We’ve found that most users who arrive at our password generator already know their current password is weak. The issue isn’t awareness. It’s friction. People need the generation and storage workflow to be faster than reusing an old password. That’s why we built the generator to copy to clipboard in one click.
Should You Use a Password Manager?
A Security.org survey (2024) found that 36% of Americans now use a password manager, up from 21% in 2022. Adoption is climbing fast, and for good reason: a password manager eliminates the two biggest risks, weak passwords and password reuse, in one step.
What they solve
A password manager generates a unique random password for every account, stores them encrypted, and auto-fills them at login. You memorize one master passphrase. The manager handles everything else.
This is not optional advice for security enthusiasts. It’s the baseline. Without a manager, the human brain cannot maintain unique random passwords for the 80+ online accounts an average person has (NordPass, 2024).
Choosing one
Three solid options:
- Bitwarden - open source, free tier, audited. Best for most people.
- 1Password - polished UX, family sharing, Watchtower breach alerts. Best for families.
- KeePassXC - fully offline, open source. Best for privacy maximalists.
Your master password should be a 5-6 word randomly generated passphrase that you memorize and never store digitally. This is the one password you can’t recover.
Are Passkeys Replacing Passwords?
The FIDO Alliance reported over 15 billion accounts now support passkey authentication (FIDO Alliance, 2025). Passkeys use public-key cryptography stored on your device, eliminating passwords, phishing, and credential stuffing in one move. They’re the most significant authentication shift in decades.
How passkeys work
Your device generates a unique cryptographic key pair for each service. The private key never leaves your device. Authentication happens via biometrics (fingerprint, face) or device PIN. There’s nothing to crack, nothing to phish, nothing to stuff.
Current limitations
Passkey support is growing but uneven. Google, Apple, Microsoft, GitHub, and major financial institutions support them. Smaller services often don’t. You’ll need passwords alongside passkeys for at least the next few years.
The practical advice: enable passkeys everywhere they’re available, and keep your password manager for everything else.
Citation capsule: The FIDO Alliance reports over 15 billion accounts now support passkey authentication (FIDO Alliance, 2025), using device-stored cryptographic keys that eliminate password cracking, phishing, and credential stuffing attacks entirely.
Why Is Two-Factor Authentication Your Best Safety Net?
Microsoft’s security team reported that 99.9% of compromised accounts did not have multi-factor authentication enabled (Microsoft Security Blog, 2019). That stat is old because the conclusion hasn’t changed. 2FA works. Even if an attacker cracks or steals your password, the second factor stops them cold.
Ranking 2FA methods
Not all second factors are equal. Here’s the hierarchy from strongest to weakest:
| Method | Phishing Resistant? | SIM-Swap Proof? | Convenience |
|---|---|---|---|
| Hardware key (YubiKey, Titan) | Yes | Yes | Tap and done |
| Authenticator app (TOTP) | No | Yes | 30-second codes |
| Push notification | No | Yes | One tap, but fatigue risk |
| SMS code | No | No | Better than nothing |
Where to start
Enable 2FA on your email first. Email is the skeleton key: password resets for almost every other service go through it. If your email is compromised, everything else falls.
After email: banking, cloud storage, social media, password manager. In that order.
Hardware keys are cheaper than you think
A YubiKey costs around $25-$55. For the price of a mediocre dinner, you get phishing-proof authentication that works across hundreds of services. Buy two (one backup) and register both.
The Bottom Line
Password security in 2026 comes down to four actions. Use a password manager to generate unique random passwords of 16+ characters for every account. Enable 2FA, preferably with a hardware key or authenticator app, on every service that supports it. Switch to passkeys as services adopt them. And check your existing passwords against breach databases regularly.
The brute-force table makes the math undeniable. An 8-character password is not a password. It’s a speed bump. A 16-character random password buys you billions of years. The difference is one checkbox in your password manager’s settings.
Frequently Asked Questions
How long does it take to brute-force a 12-character password?
With the full 95-character set (mixed case, digits, symbols), a 12-character random password takes roughly 150,000 years to brute-force on a cluster of twelve RTX 4090 GPUs running against MD5 hashes (Hive Systems, 2024). Using only lowercase letters drops that to about 200 days. Length and charset both matter.
Is an 8-character password still safe?
No. An 8-character password using mixed case and digits falls in roughly one hour on modern GPU hardware (Hashcat Benchmarks, 2024). Even with the full 95-character set, it lasts only about 17 hours. Security researchers now recommend 14-16 characters minimum for any account you care about.
Do special characters make passwords harder to crack?
They help, but less than adding length. Special characters expand the charset from 62 to 95, a 1.5x increase per character position. Adding one extra character of length gives you a 95x increase. A 14-character alphanumeric password is stronger than a 10-character password with symbols. Prioritize length, then add complexity.
Are password managers safe?
Reputable password managers encrypt your vault with a zero-knowledge architecture, meaning even the company can’t read your passwords. Bitwarden and 1Password have both passed independent security audits. The risk of a manager breach is far lower than the near-certainty of password reuse across dozens of accounts. The Security.org 2024 survey found 36% of Americans now use one.
Will passkeys replace passwords completely?
Not yet. The FIDO Alliance reports over 15 billion passkey-capable accounts (FIDO Alliance, 2025), but adoption is uneven across smaller services. Passkeys will likely become the default for major platforms within 2-3 years. For everything else, you’ll still need strong passwords stored in a manager. The transition period demands both.