TL;DR
  • Modern hardware tests billions of guesses per second. Short passwords do not stand a chance.
  • Each extra character multiplies the cracking time by the size of your character set.
  • A 12 character random password with mixed types resists brute force for centuries today.
  • But brute force is not the most common attack. Reuse and phishing matter more in real breaches.

You have probably seen the charts. Eight characters, six minutes. Twelve characters, two centuries. Twenty characters, longer than the universe has existed.

These numbers are real, and they explain almost everything about why password length matters. Let us walk through where the figures come from, what they mean in practice, and why brute force is not actually the threat you should worry about most.

The basic math

Every password lives in what cryptographers call a search space, the total set of possible passwords given certain rules. The bigger the space, the harder the search.

For a password using:

The search space is the character set size raised to the power of the password length. So a six character lowercase password has 26 to the 6th power, or about 309 million possibilities. A twelve character password using all 95 printable characters has more possibilities than there are atoms in a small mountain.

How fast can attackers search?

This is where the hardware comes in. A modern graphics card, the kind a gamer might have, can test billions of password guesses per second against a weakly hashed password file. A purpose-built rig with eight high-end GPUs can test hundreds of billions per second. Cloud computing brings this within reach for anyone with a credit card.

The speed depends heavily on how the password was hashed. A site using fast hashes like MD5 or SHA-1 falls quickly. A site using modern slow hashes like bcrypt or Argon2 is far harder to attack. You as a user have no control over which one was used. Length is your hedge against the worst case.

The real numbers, for 2025 hardware

Hive Systems publishes an annual chart based on current commercial cracking hardware. The 2025 version, assuming the worst case of fast hashing and modern GPUs, looks roughly like this:

  Password (mixed types)   Time to crack
  8 characters             ~37 seconds
  12 characters            ~226 years
  16 characters            trillions of years

These numbers shift every year as hardware gets faster. The trend is always the same: shorter passwords get weaker, longer passwords stay safe.

Why all lowercase can be fine, if it is long enough

Here is something that surprises people. A 20 character password made entirely of lowercase letters has more entropy than an 8 character password with mixed types and symbols. Length compounds faster than character variety.

This is the principle behind the passphrase. A string of five random English words, drawn from a list of 7,776 possibilities, gives roughly 64 bits of entropy, which puts it solidly out of reach of brute force. We get into the details in passphrase vs password.
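The arithmetic from the search-space, hashing-speed and passphrase sections above, as an added Python example that is not part of the original article. The guess rates are assumed illustrative figures for a single GPU, not measured benchmarks, and are not the multi-GPU rig behind the Hive Systems chart.

```python
import math

# Character-set sizes the article refers to (26 lowercase, 95 printable ASCII),
# plus two intermediate sets for comparison.
CHARSETS = {"lowercase": 26, "lower+upper": 52, "alphanumeric": 62, "all printable": 95}

# Assumed guess rates in guesses/second (illustrative, not benchmarks):
# one consumer GPU against a fast unsalted hash vs. a tuned slow hash.
RATES = {"fast hash (MD5)": 50e9, "slow hash (bcrypt)": 100e3}

def search_space(charset_size: int, length: int) -> int:
    """Total number of candidate passwords: charset size ** length."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits: length * log2(charset)."""
    return length * math.log2(charset_size)

def passphrase_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a diceware-style passphrase drawn from a list_size word list."""
    return words * math.log2(list_size)

def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: time to try every candidate at `rate` guesses per second."""
    return search_space(charset_size, length) / rate

def human_time(seconds: float) -> str:
    """Render a duration coarsely, the way cracking-time charts do."""
    for name, size in (("yrs", 365.25 * 86400), ("days", 86400), ("hrs", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.0f} s"

def crack_table(charset: str, rate_name: str, lengths=(8, 12, 16, 20)):
    """Rows of (length, entropy bits, worst-case crack time) for one charset and rate."""
    n, rate = CHARSETS[charset], RATES[rate_name]
    return [(L, round(entropy_bits(n, L), 1), human_time(seconds_to_exhaust(n, L, rate)))
            for L in lengths]

if __name__ == "__main__":
    for rate_name in RATES:
        print(f"\n95 printable characters, {rate_name}:")
        for length, bits, t in crack_table("all printable", rate_name):
            print(f"  {length:2d} chars  {bits:6.1f} bits  {t}")
    # Length beats variety: 20 lowercase letters carry more entropy than 8 mixed.
    print(f"\n20 lowercase: {entropy_bits(26, 20):.1f} bits vs 8 mixed: {entropy_bits(95, 8):.1f} bits")
    print(f"5 random words from 7,776: {passphrase_bits(5):.1f} bits")
```

Swapping the rate to the slow-hash entry shows why the hash choice, which the user does not control, moves an 8-character password from days to millennia at the same length.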

A useful rule of thumb

If a password is at least 16 characters and not in any breach database or dictionary, brute force is no longer your problem. Phishing is.

Brute force is not the main threat

Here is the part that does not show up on the charts. In actual data breach reports, brute force attacks account for a surprisingly small share of compromises.

Verizon's 2024 Data Breach Investigations Report found brute force in only about 2% of analyzed breaches. The big causes are credential stuffing, where attackers use already leaked passwords against new sites, and phishing, where users hand over their passwords to a fake login page.

This is why a strong password is necessary but not sufficient. You also need:

What this means in practice

Stop trying to game complexity rules. Pick length and randomness. Twelve characters of truly random mixed types is a sensible floor. Sixteen is comfortable. Twenty is overkill for most things, which is exactly why it is a great default for a password manager generator.

🍁 Default to 20

Our generator defaults to 20 character random passwords for a reason. That length pushes brute force well past any practical horizon.


What about quantum computing?

You may have read that quantum computers will break passwords. The honest answer is more nuanced. Quantum computing threatens public key cryptography, the kind used to set up encrypted connections. Symmetric encryption and password hashing are mostly safe, with adjustments to key length.

For now, length and uniqueness are the only password concerns that should occupy your attention. Quantum computing is a problem for cryptographers, not for someone choosing a password for their email account.

The takeaway

Cracking time charts are useful for one reason: they make abstract numbers feel concrete. They show that an 8 character password is hopeless and a 20 character one is essentially uncrackable.

What they do not show is everything else. Reuse, phishing, malware, weak account recovery, lost devices. A great password is one piece of a system. Get it right, then move on to the rest.