How Long Would It Take to Crack Your Password? The Real Math
· by Andergrove Software
The scary "your password would be cracked instantly" charts are mostly marketing. The real answer depends on two numbers: how many possible passwords yours is drawn from (its entropy), and how many guesses an attacker can make per second. Get those right and one conclusion falls out every time: length beats complexity.
Here is the actual math, the difference between attacks that matter and attacks that do not, and a realistic table of crack times. You can test a candidate in the password strength checker as you read, all in your browser.
Entropy: strength measured in bits
Password strength is measured in bits of entropy, roughly the number of yes/no questions an attacker needs to pin your password down. For a password chosen uniformly at random from a fixed character set:
entropy (bits) = length × log2(charset size)
Each extra character multiplies the number of possibilities by the size of the character set, so entropy grows linearly with length but only logarithmically with the character set. Doubling the character set adds one bit per character; adding one more lowercase letter adds about 4.7 bits (log2 26), while moving from 26 lowercase letters to all 95 printable characters adds only about 1.9 bits per character. One more character helps far more than a whole new class of symbols, and that single fact is why length wins. The formula only holds when the characters really are random: a password you composed yourself carries less entropy than it suggests, because an attacker does not need to search patterns people never use.
Why length beats symbol-soup
P@ssw0rd! looks complex but is short and built from substitutions every cracking wordlist already knows. correct horse battery staple, four random common words, is longer, carries more genuine entropy, and is far easier to remember (four words drawn at random from a 2,048-word list give 44 bits; that famous phrase itself is in every wordlist by now, so draw your own words). Human "complex" passwords cluster on the same tricks (capital first letter, a digit and ! at the end), so attackers test those patterns first, running rule sets that mangle dictionary words long before they try anything random. Predictable complexity is weak; random length is strong.
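To make the rule-set point concrete, here is an added example (not code from the original post or from any cracking tool) that mangles dictionary words the way a small rule set would and compares the candidate space an attacker actually walks with the number a class-counting strength meter reports. The leet table, suffix list and six-word wordlist are constructed for the example; the 100,000-entry figure used for extrapolation is an assumption about the size of a realistic wordlist.

```python
import itertools
import math

# A small mangling rule set in the spirit of the ones cracking tools ship with:
# optional leet substitution per letter, optional capital first letter, and a
# common suffix. Both tables are constructed for this example, not taken from
# any particular tool's rule files.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1", "t": "7"}
SUFFIXES = ["", "1", "!", "123", "1!", "!!", "2024"]

# Constructed stand-in for a real cracking wordlist of hundreds of thousands of entries.
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey", "football"]


def mangle(word):
    """Every candidate the rule set derives from one base word."""
    out = set()
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    # Each substitutable position is independently on or off.
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(mask, positions):
            if on:
                chars[i] = LEET[chars[i]]
        base = "".join(chars)
        for cased in (base, base[0].upper() + base[1:]):
            for suffix in SUFFIXES:
                out.add(cased + suffix)
    return out


def candidates(wordlist):
    """The whole candidate set an attacker walks: wordlist x rules."""
    out = set()
    for word in wordlist:
        out |= mangle(word)
    return out


def naive_bits(password):
    """What a class-counting meter reports: length * log2(size of the classes present)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII that is neither letter nor digit
    return len(password) * math.log2(size)


def effective_bits(candidate_count):
    """Work the attacker actually faces when the password is in the candidate set."""
    return math.log2(candidate_count)


def extrapolate_bits(wordlist_size, per_word):
    """The same rule set applied to a real wordlist of `wordlist_size` entries."""
    return math.log2(wordlist_size * per_word)


if __name__ == "__main__":
    target = "P@ssw0rd!"
    per_word = len(mangle("password"))
    print(f"{target!r}: meter says {naive_bits(target):.1f} bits")
    print(f"rules derive {per_word} variants of 'password'; target found: "
          f"{target in candidates(WORDLIST)}")
    print(f"effective work for a 100,000-word list: "
          f"{extrapolate_bits(100_000, per_word):.1f} bits")
    # At 1e11 guesses/s a candidate set of that size falls in well under a millisecond.
```

The meter credits P@ssw0rd! with about 59 bits because it sees four character classes; the rule set reaches it after 224 variants of one dictionary word, and even scaled to a 100,000-word list the whole candidate set is about 24 bits of work. Real rule sets are larger than this one, which makes the space bigger but the conclusion the same: a password built from a word plus tricks is searched as a word plus tricks, not as random printable characters.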
Online vs. offline attacks
The guess rate depends entirely on where the attack happens.
- Online attacks go through a login form and are slow. Rate limits, lockouts and network latency cap an attacker at a handful of guesses per second, provided the service actually enforces them. Almost any non-trivial password survives this; what does not survive is a password the attacker already holds from another site's leak.
- Offline attacks happen after a database leak. The attacker has the stored hashes and guesses locally on GPUs with no rate limit. Against a fast hash (MD5, plain SHA-256), a modern multi-GPU rig manages on the order of 100 billion guesses per second, and if the hashes are unsalted each guess is checked against every hash in the leak at once. Against a slow, purpose-built, salted hash (bcrypt, scrypt, Argon2) at a sensible cost setting, the same rig manages only thousands of guesses per second per hash, which is exactly why those functions exist. (See how passwords get stored in SHA-256 explained.)
The times below assume the offline, fast-hash case, the attacker's best realistic scenario, at 100 billion guesses per second, and give the time to search the whole space. On average the right guess turns up halfway through, so expect about half of each figure; the ranking between rows does not change.
Realistic crack times
- 8 lowercase letters (~38 bits): a few seconds.
- 8 random printable characters (~53 bits): about 18 hours.
- 12 lowercase letters (~56 bits): about 11 days.
- 10 random printable characters (~66 bits): about 19 years.
- A 5-word passphrase drawn at random from a 7,776-word Diceware-style list (~65 bits): about 9 years, and you can actually remember it.
- 12 random printable characters (~79 bits): roughly 170,000 years.
- 16 random printable characters (~105 bits): longer than the universe has existed.
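The entropy formula and the crack-time table above, carried through in code as an added example (not code from the original post or from the Andergrove checker). It reproduces every row at the text's 100 billion guesses per second, shows the same rows at an online rate and a slow-hash rate so the gap between the three cases is visible, and finishes with generation using the `secrets` module. The online rate of 10 guesses per second and the slow-hash rate of 10,000 per second are order-of-magnitude assumptions; the ten-word list is a constructed stand-in for a real 7,776-word list.

```python
import math
import secrets
import string

# Guess rates in guesses per second. The fast-hash figure is the one used in
# the table above; the other two are order-of-magnitude assumptions.
RATES = {
    "online, rate-limited login form": 10.0,             # assumption
    "offline, fast hash (MD5, plain SHA-256)": 1e11,     # figure from the text
    "offline, slow hash (bcrypt, scrypt, Argon2)": 1e4,  # assumption, depends on cost setting
}

LOWER = 26        # a-z
PRINTABLE = 95    # printable ASCII, space included
DICEWARE = 7776   # 6^5 words on a standard Diceware list

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(length, charset_size):
    """bits = length * log2(charset size); valid only for a uniformly random choice."""
    return length * math.log2(charset_size)


def crack_seconds(bits, rate, average=False):
    """Seconds to exhaust 2**bits candidates at `rate` guesses/s.

    The table in the text is the worst case (whole space). The right guess is
    expected halfway through, so average=True halves the figure.
    """
    seconds = 2.0 ** bits / rate
    return seconds / 2 if average else seconds


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2g} seconds"


# The rows of the table above, as (label, length, charset size).
CASES = [
    ("8 lowercase letters", 8, LOWER),
    ("8 random printable", 8, PRINTABLE),
    ("12 lowercase letters", 12, LOWER),
    ("10 random printable", 10, PRINTABLE),
    ("5-word Diceware passphrase", 5, DICEWARE),
    ("12 random printable", 12, PRINTABLE),
    ("16 random printable", 16, PRINTABLE),
]


def crack_table(rate):
    """(label, rounded bits, worst-case seconds) for every row at one guess rate."""
    rows = []
    for label, length, charset in CASES:
        bits = entropy_bits(length, charset)
        rows.append((label, round(bits), crack_seconds(bits, rate)))
    return rows


# Generation: `secrets` draws from the OS CSPRNG. Do not use `random` for this;
# its Mersenne Twister output is predictable from a few observed values.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars, no space

# Constructed stand-in for a real 7,776-word list; entropy scales with list size.
WORDS = "apple brick cloud delta eagle flint grape hazel ivory jumbo".split()


def random_password(length=16, alphabet=SYMBOLS):
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, words=6):
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"--- {name} at {rate:g} guesses/s ---")
        for label, bits, secs in crack_table(rate):
            print(f"{label:28s} {bits:4d} bits  {human(secs)}")
    pw = random_password(20)
    print(pw, f"{entropy_bits(len(pw), len(SYMBOLS)):.1f} bits")
    phrase = random_passphrase(WORDS, 6)
    print(phrase, f"{entropy_bits(6, len(WORDS)):.1f} bits (tiny list; use a real one)")
```

Running it reproduces the table (18.4 hours for 8 printable characters, about 171,000 years for 12) and shows the same 8-lowercase password that falls in two seconds offline lasting over six hundred years against a rate-limited login form. The passphrase entropy printed for the ten-word list is deliberately low: the formula charges you for the list you actually draw from, not for the length of the result.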
Two lessons jump out. Short passwords fall fast even with symbols, and a memorable multi-word passphrase beats a cryptic eight-character one on both strength and usability.
What to actually do
- Use a password manager and let it generate long random passwords you never have to type or remember.
- For the few you must memorise (your manager's master password, your laptop login), use a 5 to 6 word passphrase with the words drawn at random from a large list by dice or a generator, not picked by you.
- Stop reusing passwords. The biggest real-world risk is not weak complexity, it is reuse: one leaked site exposes every account sharing that password. Unique passwords per site matter more than exotic symbols.
- Turn on two-factor authentication wherever you can; a guessed or leaked password alone then no longer gets an attacker in.
Test it (safely)
Paste a candidate into the Andergrove Password Strength checker to see its estimated entropy and crack time, then generate a long random one. Both run entirely in your browser, so nothing you type leaves the page. As a habit, test variations of the patterns above rather than a password you actually use anywhere.