How Long Would It Actually Take to Crack Your Password?
An interactive breakdown of crack time by length, character set, and hashing algorithm, with current GPU benchmarks.
The number that actually matters
A modern GPU cracking rig can test approximately 100 billion MD5 password hashes per second. Against bcrypt (cost factor 10), that drops to about 25,000 per second. The hashing algorithm a site uses to store your password matters more than anything else.
Real crack time estimates by password type
Against MD5 (older — still used by many sites)
- 6 characters, letters only: Under 1 second
- 8 characters, mixed case + numbers: About 22 minutes
- 10 characters, full character set: About 3 weeks
- 12 characters, full character set: About 400 years
- 16 characters, full character set: Computationally infeasible
Against bcrypt cost-10 (the modern standard)
- 8 characters, mixed case + numbers: About 3 years
- 10 characters, full character set: Millions of years
- 12 characters, any reasonable composition: The sun burns out first
Why length beats complexity every time
Adding one character multiplies the search space by the character pool size. A 12-character password drawn from the 95 printable ASCII characters has 95^12 = ~5.4 × 10^23 combinations. A 16-character password has ~4.4 × 10^31, which is about 81 million times larger. Swapping a letter for a symbol adds far less. This is why NIST SP 800-63B prioritises length over complexity requirements.
The attack that bypasses all of this
Brute force is rarely how passwords are cracked in practice. Dictionary and rule-based attacks are orders of magnitude faster against common patterns. "P@ssw0rd" has 6.6 × 10^15 combinations in theory but cracks in milliseconds because it's in every wordlist.
Use PassGeni's breach checker to see if your password has already appeared in known breach datasets. And use the password generator to create passwords with verified high entropy — the DNA Score shows you exactly where you stand.
The bottom line on entropy
80+ bits of entropy is considered secure against all currently feasible brute-force attacks. A 16-character password using uppercase, lowercase, numbers, and symbols gives you approximately 105 bits. PassGeni shows entropy in bits for every password generated — aim for green on the strength bar and 80+ bits on the entropy display.
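The search-space arithmetic, the wordlist bypass and the 80-bit threshold described above, combined into one strength check as an added Python example (not PassGeni's code): a password that reduces to a wordlist entry is rejected no matter how large its theoretical search space is. The wordlist, substitution table, function names and sample passwords are constructed for illustration.

```python
import math
import string

# Constructed sample wordlist; a real checker would load a breach-derived list.
WORDLIST = {"password", "letmein", "dragon", "sunshine"}

# Assumed rule set: common character substitutions undone before the lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
SUFFIX = string.digits + string.punctuation

# Printable ASCII split into classes: 26 + 26 + 10 + 33 = 95 characters.
POOLS = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation + " "]

def pool_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))

def search_space(password):
    """Brute-force candidates: pool size raised to the password length."""
    return pool_size(password) ** len(password)

def entropy_bits(password):
    """Theoretical entropy, valid only if every character was chosen at random."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0

def wordlist_hit(password):
    """True if undoing case, substitutions and a digit/symbol suffix gives a listed word."""
    lowered = password.lower()
    candidates = {lowered, lowered.rstrip(SUFFIX)}
    return any(c.translate(LEET) in WORDLIST for c in candidates)

def assess(password, min_bits=80):
    """Reject wordlist-derived passwords first, then apply the 80-bit threshold."""
    bits = entropy_bits(password)
    if wordlist_hit(password):
        return {"bits": round(bits, 1), "verdict": "wordlist hit", "ok": False}
    return {"bits": round(bits, 1), "verdict": "brute force only", "ok": bits >= min_bits}

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach data.
    for pw in ["P@ssw0rd", "Dragon123!", "kT4$wq9Z", "tR7#mq9!Lz2&vX5p"]:
        print(f"{pw:18} space={search_space(pw):.1e} {assess(pw)}")
```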