Guide

⏱️ How Long Does It Take to Crack a Password in 2026?

By Ateeq Y Tanoli, BestPasswordGenerator.org · 10 July 2026 · 9 min read
Bottom Line Up Front: In 2026, an 8-character all-lowercase password can be brute-forced in about two seconds, but a 16-character password mixing upper- and lower-case letters, numbers, and symbols would take longer than the age of the universe. The single biggest factor is not which symbols you use — it is length, followed by how the website stored your password. Aim for 16+ random characters and a unique password on every account.

Password cracking time is how long it takes an attacker to guess a password by systematically trying every possible combination (a brute-force attack) or by testing lists of known and leaked passwords. In 2026 that time ranges from instant for short, simple passwords to trillions of years for long, randomly generated ones. This guide shows exactly where your password falls and how to move it into the "not in your lifetime" column.

The numbers below answer three questions people ask most: what determines cracking time, why it matters even if you think no one is targeting you, and how to build a password that is mathematically infeasible to crack. Every figure is tied to a stated assumption or a named source so you can verify it.

Password Cracking Time by Length and Character Type (2026)

The table below shows the worst-case time to brute-force a password that has been stolen from a website and stored with a fast, weak hash (such as unsalted MD5 or SHA-1, which are still found in real breaches). It assumes a modern cracking rig running roughly 100 billion guesses per second — achievable today with a handful of consumer GPUs. Times are rounded to the nearest meaningful unit.

Length Numbers only
(0-9)
Lowercase
(a-z)
Upper + lower + digits
(a-z A-Z 0-9)
All ASCII + symbols
(95 characters)
8Instantly2 seconds36 minutes18 hours
10Instantly23 minutes3 months19 years
1210 seconds11 days1,000 years170,000 years
161 day14,000 years15 billion years14 trillion years
2032 years6 billion years220 quadrillion years1+ sextillion years

Two patterns jump out. First, each extra character multiplies the cracking time — adding one symbol-set character to a 12-character password can turn a thousand years into hundreds of thousands. Second, a long simple password beats a short complex one: a 16-character lowercase password (14,000 years) is far tougher than an 8-character password crammed with symbols (18 hours). That is exactly why modern guidance prioritises length.

Key takeaway: "Length matters far more than complexity — a long random passphrase generated by a password generator beats a short, symbol-heavy one," as summarised from NIST Special Publication 800-63B, the U.S. government's Digital Identity Guidelines.

Why the Hashing Algorithm Changes Everything

The table above assumes the worst case: a website that stored your password with a fast hash. But cracking time depends just as much on how the site protected your password as on the password itself. When a company is breached, attackers rarely get plaintext passwords — they get a database of hashes and try to reverse them offline. How fast they can do that depends entirely on the algorithm:

That difference is enormous. Against bcrypt, the well-regarded Hive Systems 2025 Password Table (built by running twelve NVIDIA RTX 5090 GPUs against bcrypt hashes) found that an 8-character all-lowercase password takes roughly three weeks to crack, while an 8-character password using upper- and lower-case letters, numbers, and symbols would take about 164 years. The very same 8-character password stored as unsalted MD5 would fall in well under a minute. You never get to choose which algorithm a website uses — which is the whole reason length and uniqueness are your only reliable defences.

The Math Behind It: Password Entropy

Every cracking-time estimate comes from one idea: entropy, measured in bits. Entropy is the number of guesses an attacker would need, expressed as a power of two. The formula for a randomly generated password is:

bits of entropy = length × log₂(size of character set)

Each additional bit doubles the number of possible passwords, so every bit doubles the cracking time. Some reference points:

PasswordCharacter setApprox. entropyVerdict
8 chars, lowercase26~38 bitsWeak
12 chars, all types95~79 bitsStrong
16 chars, all types95~105 bitsVery strong
4-word random passphrase~52 bitsFair
6-word random passphrase~78 bitsStrong

Security researchers generally treat anything above ~75 bits of entropy as safe against brute force for the foreseeable future. The catch is the word random: entropy math only holds if a machine picked the characters. "P@ssw0rd123!" looks complex but has almost no real entropy, because attackers try predictable substitutions first. That is why a random password generator beats anything a human invents.

Most Passwords Are Never Brute-Forced — They Are Stolen

Here is the uncomfortable truth the cracking table does not show: the majority of accounts are never brute-forced at all. According to the 2025 Verizon Data Breach Investigations Report, stolen credentials were the initial access point in 22% of all breaches, and Microsoft reports blocking more than 7,000 password attacks every second. Attackers do not need to crack a 14-trillion-year password if you reused it on a site that already leaked it.

That is why the two habits that actually protect you are length and uniqueness. A password that is long enough to survive brute force but reused across ten sites is only as safe as the weakest of those ten sites. Check whether your own logins have already appeared in a breach using a service like Have I Been Pwned, and never reuse a password that shows up.

🔐 The realistic way to have uncrackable passwords everywhere

No one memorises a different 16-character random string for 100 accounts. A password manager generates and stores maximum-entropy passwords for you, so every login gets a unique one that would take billions of years to crack. NordPass uses XChaCha20 encryption and a zero-knowledge architecture, and its generator produces passwords well past the 79-bit "strong" threshold in one click.

Get NordPass →

Affiliate link — we may earn a commission at no extra cost to you.

How to Build a Password That Takes Billions of Years to Crack

Putting the math into practice, here is exactly how to land in the safe column of the table:

  1. Make it at least 16 characters. Length is the highest-leverage lever you have. Sixteen random characters push you past 100 bits of entropy regardless of hashing.
  2. Let a machine choose the characters. Use a password generator so the result is genuinely random, not a human pattern an attacker will guess first.
  3. Use a unique password on every account. This neutralises credential stuffing — the attack that actually drains accounts.
  4. Prefer a passphrase if you must memorise one. Five or six random words (for example, a master password for your manager) reach strong entropy while staying typeable. See password vs passphrase for the trade-offs.
  5. Turn on MFA or passkeys. Even a cracked or stolen password is far less useful when a second factor blocks the login.
  6. Store everything in a password manager. It is the only sustainable way to keep dozens of long, unique passwords without reuse.

Frequently Asked Questions

Can a quantum computer crack my password instantly?

Not in 2026. Quantum computers threaten certain public-key encryption schemes, but brute-forcing a password hash is a different problem. Grover's algorithm could theoretically halve the effective bits of entropy — meaning a 128-bit password would behave like a 64-bit one — but practical quantum hardware capable of this does not exist yet. A 16-character random password remains safe.

Is a 12-character password still enough?

For a site using modern hashing (bcrypt or Argon2), a 12-character random password with mixed characters is strong. But because you cannot control how a website stores it, 16 characters gives you a comfortable safety margin against fast-hash breaches.

Does adding symbols really help?

Symbols expand the character set from 62 to 95, which helps — but far less than adding length. Going from 12 to 16 characters multiplies cracking time far more than sprinkling in punctuation. Use both, but never trade length for symbols.

Sources and Methodology

Cracking times in the main table are calculated from first principles: total combinations (character-set size raised to the password length) divided by an assumed rate of 100 billion guesses per second, representing an offline attack on a fast, weak hash. Figures attributed to specific organisations are cited inline:

Note on methodology: Real-world cracking times vary enormously with the hashing algorithm a service uses. The main table reflects a worst-case fast-hash scenario; a password stored with bcrypt or Argon2 would take billions of times longer to crack than the values shown.

More Password Security Tools

🔑 SecureKeyGen⚔️ TitanPasswords🔐 Free Strong Password⚡ Instant Password🗝️ Iron Vault Keys🔑 Random Pwd Tool👨‍👩‍👧‍👦 Safe Pass Builder👪 Trusty Password
We use cookies to improve your experience. Learn more

🛡️ Security Picks This Week

Hand-picked security tools — updated weekly.

YubiKey 5 NFC

YubiKey 5 NFC

Hardware security key — phishing-proof 2FA for all your accounts.

Check price →
Yubico Security Key C NFC

Yubico Security Key C NFC

USB-C 2FA key — affordable FIDO2/WebAuthn authentication.

Check price →
TP-Link ER605 VPN Router

TP-Link ER605 VPN Router

Multi-WAN VPN gateway — secure every device on your network.

Check price →

As an Amazon Associate we earn from qualifying purchases.