
Password Security: How Long Would It Take to Crack Yours?

18 August 2025 | SimpleCalc | 9 min read

A weak password can be cracked in seconds. A strong one could take centuries. The difference? Password length and complexity.

If your password is "password" or "123456", a hacker's computer can crack it in milliseconds. If it's a 12-character random string with uppercase, lowercase, numbers, and symbols, it would take billions of years to brute-force. How do you know which side of the line you're on? And what makes a password genuinely unbreakable?

This guide shows you exactly how password length and complexity affect crack time, why most "security advice" misses the point, and how to generate passwords you'll never need to remember.

How Fast Can Hackers Crack Passwords?

The short answer: faster than you think.

A modern computer can test millions of password guesses per second. A GPU (graphics processor) can test billions. A password of 6 characters using only lowercase letters—26 possible characters—gives you 26^6 = 308 million possibilities. A GPU testing 1 billion guesses per second cracks that in under a second.

Here's the breakdown for single-character-set passwords:

  • 6-character password (lowercase only): ~300 milliseconds
  • 8-character password (lowercase only): ~7 seconds
  • 10-character password (lowercase only): ~3 minutes
  • 12-character password (lowercase only): ~2 hours

Add uppercase letters (52 possible characters) and those times multiply. A 12-character password using uppercase and lowercase has 52^12 = 390 trillion possibilities, pushing the crack time into hours.

Add numbers (62 possible characters) and you're at 62^12 = 3.2 quadrillion possibilities. Hours become days.

Add special characters (!@#$%^&*) and you reach 94 possible characters per position. A 12-character password of mixed case, numbers, and symbols? [STAT NEEDED: exact GPU crack time for 94^12]. The practical answer: longer passwords beat complexity. A 16-character password of lowercase letters (26^16 = 45 quadrillion possibilities) takes longer to crack than a 10-character password with every special character added.
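The crack-time arithmetic above, as an added example that is not from the original article: it encodes the formula the article uses (crack_time = alphabet_size^length / guesses_per_second) with the article's assumed rate of 1 billion guesses per second, so any of the figures above can be recomputed, and adds the entropy-in-bits view that makes the length-versus-complexity comparison explicit. The character-set sizes (26, 52, 62, 94) are the article's own; the 1 billion/s rate is the article's assumption, not a measured figure.

```python
from math import log2

# Alphabet sizes the article uses for each character set
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,
}
GUESSES_PER_SECOND = 1_000_000_000  # the article's assumed GPU guess rate


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def crack_seconds(alphabet_size: int, length: int,
                  rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case brute-force time: the whole keyspace tried at `rate` guesses/s.
    A random password is found after half of this on average."""
    return keyspace(alphabet_size, length) / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: every extra character adds log2(alphabet_size) bits."""
    return length * log2(alphabet_size)


def humanize(seconds: float) -> str:
    """Render a duration in its largest sensible unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1000:.0f} milliseconds"


if __name__ == "__main__":
    # The article's single-character-set breakdown, recomputed with its formula
    for length in (6, 8, 10, 12, 16):
        print(f"{length}-char lowercase: {humanize(crack_seconds(26, length))}")
    # The article's 12-character progression as the alphabet grows
    for label, size in CHARSETS.items():
        print(f"12 chars, {label} ({size}): {entropy_bits(size, 12):.1f} bits, "
              f"{humanize(crack_seconds(size, 12))}")
    # Length versus complexity: 16 lowercase characters against 10 from all 94
    print("16 lowercase beats 10 of 94 symbols:",
          crack_seconds(26, 16) > crack_seconds(94, 10))
```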

This is why the National Institute of Standards and Technology (NIST) recommends length over complexity. They've updated password guidance several times: the old "change every 90 days" rule is dead. The new rule: make it long, make it unique to each site, and use a password manager so you don't need to remember it.

Why Complexity Matters Less Than You'd Think

The conventional wisdom: uppercase, lowercase, number, symbol. The reality: length beats everything.

Consider two passwords:

  • Password A: "Tr0pic@lSunset" (14 characters, mixed case, number, symbol)
  • Password B: "correcthorsebatterystaple" (25 lowercase characters)

Password A looks stronger. Password B is actually uncrackable in practical terms. At 26^25, you'd need more processing power than exists on Earth.

Why? Because adding complexity only multiplies the possible character set. A password that's 8 characters with symbols is 8 characters against an alphabet of 94. Extend it to 14 characters with symbols and it's still 14 characters against 94. But a simple 25-character lowercase password is 25 characters against an alphabet of 26—the length compounds faster than the complexity multiplies.

Think of it this way: would you rather have a combination lock with 10 positions and 10 possible digits each (10 billion combinations), or a lock with 15 positions and only 2 possible digits each (32,768 combinations)? The first one is stronger, even though it sounds weaker. Length is the superpower.

The practical rule: 12 characters of random letters and numbers beats 8 characters of mixed case and symbols. Every time.

How Passwords Actually Get Cracked

Brute-force guessing is slow. Hackers rarely use it. They use faster methods.

Dictionary attacks: Hackers have lists of millions of real passwords leaked from previous breaches. They test those first. If you used "dragon2024" or "summer123!", they'll find it in seconds. They don't need to compute 94^12—they just check known passwords.

Rainbow tables: Pre-computed hashes of common passwords. If your password's hash matches one in the table, it's cracked instantly.

Social engineering: Calling you pretending to be IT support. Getting your password from a colleague. This beats maths entirely.

Credential reuse: You use the same password on Netflix and your bank. Netflix gets breached, hackers try that password everywhere. That's why unique passwords matter more than unguessable ones.

Keyboard patterns: "qwerty" or "123456" or walking across the keyboard like "asdfgh". Hackers check these first, because they account for thousands of real passwords.

Personal information: If your password contains your name, pet's name, anniversary, or favourite football team, it's vulnerable to targeted guessing.

The crack-time math above assumes random, unique passwords tested by brute force. Real-world passwords crack faster because people are predictable.

Common Password Mistakes That Get You Cracked

1. Reusing passwords across sites: One breached site (there are thousands per year) exposes your password everywhere. Even a "strong" password used on Netflix, your email, and your bank is a liability if Netflix gets breached. Hackers will try it everywhere.

2. Password variations: "Netflix2024!", "Netflix2025!", "Netflix!" — hackers recognize these patterns. They run "base word + year" against millions of variations. Unique passwords are actually more secure because they're not variations of anything.

3. Predictable substitutions: "P@ssw0rd" looks strong. Hackers try common substitutions ($ or 5 for S, 0 for O, 1 for I, 3 for E, 4 for A, 7 for T, 8 for B, 9 for G, 2 for Z) first. These are in every password-cracking dictionary.

4. Padding short passwords: Starting with a strong core ("dragon") then adding numbers ("dragon2024") or symbols ("dragon!"). Hackers crack "dragon" and add variations. The core is the vulnerability.

5. Using words from the dictionary: Even if it's 25 characters long, if it's real words, the crack time is much shorter. Hackers check dictionary words before random characters because most people default to comprehensible phrases.
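As an added example, not part of the article: a registration-time password check that rejects the mistakes listed above (known or common words, base-word-plus-year variants, leet substitutions, symbol padding, keyboard walks) and enforces the 12-character minimum the article recommends. The blocklist here is a small constructed sample; a real deployment would check against a breached-password corpus such as Have I Been Pwned's Pwned Passwords.

```python
import re

# Constructed sample blocklist standing in for a real breached-password list;
# a deployment loads millions of entries, not a handful. Well-known phrases
# belong here too: once a phrase is famous it is a dictionary entry, not a
# random string (see mistake 5 above).
BLOCKLIST = {
    "password", "123456", "qwerty", "admin", "dragon", "summer", "winter",
    "netflix", "sunset", "tropical",
    "correcthorsebatterystaple",
}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456", "1qaz2wsx")
# The substitutions the article says crackers try first (mistake 3)
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "8": "b", "9": "g"})
MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Reduce a password to the core a cracker's rules would recover."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)  # drop trailing year/digit/symbol padding ("dragon2024!")
    base = base.translate(LEET)           # undo leet ("p@ssw0rd" -> "password")
    return re.sub(r"[^a-z]", "", base)    # drop separators ("correct-horse" -> "correcthorse")


def check_password(password: str) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        problems.append("contains a keyboard pattern")
    core = normalize(password)
    if core in BLOCKLIST:
        problems.append(f"is a known password or a variation of one ('{core}')")
    else:
        hits = [w for w in BLOCKLIST if len(w) >= 5 and w in core]
        if hits:
            problems.append(f"built on common word(s): {', '.join(sorted(hits))}")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Netflix2025!", "dragon2024", "correct-horse-battery-staple",
                      "Tr0pic@lSunset", "kR9$mL2@xQpV7w"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```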

Building an Unbreakable Password

The easiest rule: let a password manager generate one for you.

If you use a password manager (1Password, Bitwarden, LastPass), you don't need to remember or create passwords. It generates a random 16- or 20-character string of uppercase, lowercase, numbers, and symbols. You remember one strong master password. Everything else is random gibberish.

This solves the problem entirely: no reuse, no patterns, no dictionary words, no social engineering (hackers can't guess random strings). The master password itself should be long. "correct-horse-battery-staple" (with hyphens, 29 characters) is uncrackable. So is any 20+ character nonsense string.

If you must create a password manually:

  • Minimum 12 characters. Better: 16+.
  • Mix case, numbers, symbols — only because sites require it. Length does the real work.
  • No words, even scrambled. Use truly random characters.
  • Unique to each site. Never reuse.

If you last changed a critical password months ago and can't remember when, use our calculator to find days between two dates — that tells you how long since you updated it.

Tools for Stronger Security

Your first step: use a password manager. Second step: enable two-factor authentication (2FA) on important accounts. A 12-character password plus 2FA is far more secure than a 20-character password without it.

Two-factor adds a second proof: something you know (password) + something you have (phone, security key, authenticator app). Even if a password is cracked, the attacker needs your phone too.

For checking if your password has been in a breach, visit Have I Been Pwned — it's maintained by security researcher Troy Hunt and searches millions of leaked password databases. If your email appears, change that password everywhere it's used immediately. (This is why reusing passwords is dangerous.)

The UK National Cyber Security Centre also recommends password managers as a best practice. Security doesn't require remembering complex rules—just three habits: use a password manager, use unique passwords, and turn on 2FA.

Frequently Asked Questions

How long does it really take to crack my password? If your password is in a leaked database or dictionary, seconds. If it's random and long (16+ characters), billions of years at current computing speeds. The formula is roughly: crack_time = alphabet_size^password_length / guesses_per_second. A 16-character random password of mixed characters gives you 94^16 ≈ 475 quadrillion possibilities. At 1 billion guesses per second, that's [STAT NEEDED: years]. Practically: use a password manager and stop worrying about the maths.

Is "password" actually a bad password? Yes. It's been the #1 most-used password on the internet for over a decade, and "123456", "password123", "qwerty", and "admin" sit right beside it at the top of every list. If you're using one of these, change it immediately. These are literally the first ones attackers try.

Should I change my password every 90 days? No. NIST updated this guidance in 2017. Frequent changes make people choose weaker, predictable variants ("winter2024" → "winter2025"). Change your password only if: a site you use is breached, you suspect compromise, or you're reusing it across multiple sites (switch to a password manager instead). Otherwise, leave it alone.

Does a password manager make me less secure? No. It makes you vastly more secure because it lets you use truly random, unique passwords on every site. The master password is the single point of failure, but if that's long and random, it's more secure than remembering 50 weak variations of the same password. Use 2FA on your password manager's account.

What's better: a password manager or writing passwords down? A password manager. Passwords on sticky notes or in a notebook are physical security risks—anyone with access to your desk can read them. A password manager encrypted with a strong master password is far better. Physical notes are only worse than reusing the same password everywhere.

Can two-factor authentication replace a strong password? No, they work together. 2FA is a second line of defence. A weak password is still a liability if someone guesses it. A strong password alone is better than a weak password with 2FA, but the best combination is both: strong password plus 2FA equals nearly unbreakable.

How often are passwords actually cracked? Often. [STAT NEEDED: recent breach statistics—millions per year]. Your email address has probably appeared in at least one breach (check at haveibeenpwned.com). This isn't hypothetical. It's why unique passwords and 2FA matter—not for preventing guessing, but for limiting damage if a site you use is breached.

What's the difference between a "strong" password and an "unbreakable" one? A strong password is hard to guess—maybe 12 characters with mixed case. An unbreakable password is random and unique. "MyDog2024!" looks strong but breaks in minutes if MyDog is real. A password manager's auto-generated string like "kR9$mL2@xQpV7w" is unbreakable because it's not based on anything real. Let the computer generate it, and stop trying to make passwords "memorable"—that's what password managers are for.
