How Long Does It Take to Crack a Password?
The chart, and the simple math behind it
The honest answer is: it depends almost entirely on two things — how long the password is and which characters it uses. Below is a reference chart assuming a fast offline attack (about 10 billion guesses per second, realistic for a modern GPU rig against leaked hashes).
Password crack-time chart
| Length | Lowercase only | + Upper + Numbers | All types + symbols |
|---|---|---|---|
| 8 | instant | minutes | hours |
| 10 | minutes | days | years |
| 12 | weeks | centuries | millions of years |
| 16 | millennia | billions of years | effectively forever |
Estimates for a brute-force attack at ~10 billion guesses/second. Real-world times vary with hardware and hashing method.
Why length wins
Each character you add doesn't add to the difficulty — it multiplies it. A password drawn from 94 possible characters has 94 combinations at length 1, 94×94 at length 2, and so on. That's why going from 8 to 16 characters isn't twice as strong — it's astronomically stronger. Length is the single most powerful lever you have.
Why character variety matters too
Using only lowercase letters gives an attacker just 26 possibilities per character. Add uppercase (52), numbers (62), and symbols (~94) and each position becomes far harder to guess. Combine long and varied and you reach the "effectively forever" column.
Test your own password
Want to see where your password lands? Paste it into our password strength checker — it estimates the crack time instantly, entirely in your browser. Nothing is sent anywhere. If it comes back weak, our password generator will build you a strong one in a click.