Password cracking speed depends on the attack method, the hashing algorithm used to store the password, and the attacker's hardware. With specialized GPU rigs, attackers can try billions of passwords per second against poorly hashed databases.
Cracking Time Estimates
| Password Type | Example | Estimated Crack Time |
|---|---|---|
| 4-digit PIN | 7392 | Milliseconds |
| Common word | password | Instantly (dictionary attack) |
| 8 chars, lowercase | abcdefgh | Under 1 second |
| 8 chars, mixed + symbols | P@ssw0rd | Minutes to hours (common pattern) |
| 10 chars, fully random | kR7$qN2p | Days to months |
| 12 chars, random full ASCII | X9m#Lq2!pR4z | Centuries |
| 16 chars, random | 4rBn!Kx9mPw2@qLt | Effectively uncrackable |
Estimates assume 100 billion guesses/second (high-end GPU cluster) against bcrypt or Argon2 hashing. Against MD5 or SHA1, crack times are 1,000-10,000x faster.
Why Hashing Algorithm Matters
If a site stores passwords with weak hashing (MD5, SHA1), attackers can try trillions of guesses per second. Sites using modern algorithms (bcrypt, Argon2) with proper work factors slow guesses to thousands per second, adding years to any cracking attempt.
What Is the 8-4 Rule?
The "8-4" rule (8 characters with at least 1 uppercase, 1 lowercase, 1 number, 1 symbol) was an industry guideline from the 2000s. It is now outdated - 8 characters is too short regardless of complexity. NIST's current guidelines (SP 800-63B) recommend length over complexity, with 15+ characters as the minimum.
People Also Ask
- How fast can a password be hacked?
- A common 8-character password (with known patterns) can be cracked in minutes. A truly random 16-character password stored with bcrypt would take longer than the lifespan of the universe to brute-force.
Related: Password entropy | Create strong passwords | Password Generator