It can take a few minutes to several months (and even years) to crack passwords.
It depends on several factors, such as the complexity of the password, the hacking method, the hacker’s proficiency, and additional security practices in play.
Even the most secure password can be hacked in mere minutes if the user doesn’t properly secure it.
This article dives into what factors affect how long it takes to crack a password and what you can do for better password security.
Factors Affecting Password Hack Time
The factors below sum up everything that determines how long it’ll take to hack any password:
#1 Length of the Password
Longer passwords are harder to guess for humans and take more time for computers to hack.
Every new character you put in a password creates a new string of possibilities that the computer needs to recalculate and combine to find the correct password.
Even humans can more easily guess a 4-digit PIN than a 12-character code.
That doesn’t mean the ideal password length is 12 characters, though.
To put things in context, guessing an 8-character password would mean trying up to 209 billion possible character combinations.
This isn’t something a human would want to attempt.
However, a computer can guess this password in under a minute, so the password isn’t as secure anyway.
The table below shows how long it could take to hack different passwords based on length alone:
| Password Character Length | Time to Hack |
|---|---|
| 4-6 | Instantly |
| 7-8 | Less than one hour |
| 9 | Up to 3 days |
| 10 | Up to 5 months |
| 11 | Up to 34 years |
| 12 | Up to 3k years |
The criteria goes on, but you get the idea.
Imagine what adding an extra password character does to the length of time it takes to hack that password.
However, the password length alone isn’t a good indicator of password strength.
The other factors below leverage length as an addition, not as a standalone, so they’re worth looking at.
#2 Personal Information Within Passwords
Perhaps the biggest mistake that most users make when creating a password is including their personal information.
There is a high chance that one or more of your account passwords contain your:
- Age
- Birth year
- Name
- Nickname
- Pet’s name
- Child or spouse’s name, etc.
The list above is not exhaustive of all the kinds of personal information you might use in your passwords.
However, the fact remains that doing so leads to more harm than good in account security.
Not all hackers are random people who don’t know you.
Someone you go to school or work with might try to break into your personal computer or phone.
Even if the hacker doesn’t know you, they can get your details from social media.
Trying that personal information first, or feeding their hacking algorithm that data, can help make the hack even faster.
Stay away from using anything personally identifying in your passwords.
This often shows that their passwords aren’t long enough or contain personal information they can easily remember.
#3 Variation of Characters Used
Length alone isn’t a good indicator of a reliable password, which is a mistake many users make.
Here’s an example:
[LisaJaneDoe] and [@%$LojH*i#&] are both 11-character passwords, but the first is easily hackable compared to the second.
The first password is probably the user’s full name, which a human can easily guess.
Combining numbers, symbols, lowercase, and uppercase letters will give password crackers a tough time with the second password.
Some users also vary their password characters by adding their birth years (such as JaneDoe1897), but that’s just as poor.
A hacker who knows you or obtains that data from your online/offline profiles can still use it against you.
The table below shows you how variations of characters can influence your password security, in line with the length.
| Password Character Length | Numbers only | Lowercase letters only | Upper + lowercase letters | Numbers + upper and lowercase letters | Numbers + Upper and lowercase letters + symbols |
|---|---|---|---|---|---|
| 4-6 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 7-8 | Instantly | Instantly | Less than 5 minutes | Less than 10 minutes | Less than one hour |
| 9-10 | Instantly | Less than 5 minutes | 1 hour – 3 days | Up to 3 weeks | Up to 5 months |
| 11-12 | Instantly | Up to 2 days | 5 months – 24 years | Up to 300 years | Up to 3,000 years |
| 13 | 19 seconds | Up to 2 months | Up to 1,000 years | Up to 12,000 years | Up to 202,000 years |
| 14-15 | 3 – 32 minutes | 4 – 100 years | 64,000 – 1 million years | Up to 46 million years | Up to 1 billion years |
If anything, the table above shows that:
- You should never create 4–6-character passwords.
- An 11–12-character password can be stronger than another 14–15-character password.
Take everything in context and vary the characters used in your passwords.
#4 Computing Power of the Hacking Tool
Below is a basic example of how computers hack a password:
- Assume the password is numeric, three (3) characters long, and contains 1,2, and 3.
- The computer tries [123], [321], [312], [132], [231] and [213].
- One of those six combinations will be the correct password.
With every new character you add, the computer has to find new ways to rearrange all those characters till it gets your password.
Now, recall that we started with 1,2,3 here, but it’s not like you unscrambled your actual password for the hacker and asked them to find the right thing.
Likewise, the hacker (and their computer) doesn’t know whether you’re using plain numbers, plain texts, special symbols, or a mix of these.
The computer has to combine 26 alphabets with ten numeric characters and countless symbols.
On top of that, the computer has to try with varying lengths since it has no idea how long your password is.
That sounds like a headache already.
Only very fast computers can manage such combinations in record time.
So, a password that takes a supercomputer a few years to crack could take a basic computer a few decades.
#5 Hacker Proficiency
An experienced hacker stands a higher chance of hacking a password faster than a junior hacker.
Proficiency comes into play when every other thing is equal.
This means a more knowledgeable hacker will get a password faster with access to the same tools, the same knowledge of the user (or not), and any other additional variables.
Here’s where it gets interesting:
Even for the most experienced hacker, you could make your passwords un-hackable.
Tightening your password security (which I’ll discuss in the following sections) so that it takes years to crack makes such passwords undesirable to hackers.
So, they leave your account alone and go where they can score easier wins instead.
#6 The Type of Hack
Password hacking doesn’t occur in just one way.
The various forms of password hacking present different success rates, depending on how they’re applied.
Thus, it’s essential to keep abreast of the most common password hacking attempts.
For example, there is a low chance that a hacker gets your highly complex password via a brute force attack, even if they had an extensive setup.
If you’re not aware of phishing scams, they could steal/hack your password in less than 10 minutes.
The section below discusses multiple password hacking attempts and gives you an insight into how they’re carried out and how to avoid them.
Different Password Hacking Techniques to Know
Hackers can choose to hack a password in multiple ways.
Some of the most popular types of password hacks are discussed below:
Brute Force Attacks
Brute force attacks rely on combining every possible alphanumeric character and symbol to crack a password.
These attacks leverage a robust algorithm and a fast supercomputer capable of generating different combinations.
While they look less sophisticated, brute force attacks are one of the most potent against non-complex passwords.
Brute force attacks enjoy the luxury of time and can keep trying as long as there is no login limitation.
With enough time – which can range from seconds to decades – a supercomputer will reveal your password in a brute force attack.
The preventive measures below will help keep your password safe against brute force attacks.
- Limit login attempts.
- Use multi-factor authentication.
- Choose complex passwords.
Phishing Attacks
Phishing attacks are the most successful social engineering password hacks, as hackers get even better at carrying them out.
In phishing attacks, hackers assume the identity of a corporation, person, or other entity you trust to request sensitive information from you.
Once you enter the sensitive information, it is relayed to the hacker, who can then use the information as part of a hack.
For example, hackers could send you an email that looks like it’s from your bank, asking you to cancel a strange monthly subscription if you don’t want it to read against your account.
There’ll usually be a link provided to your online banking platform.
You don’t know that the website you’re visiting isn’t your bank’s portal but one the hackers made to look like the real thing.
Entering your online banking information on such pages relays your login data to the hacker rather than granting you access to your banking account.
- Don’t click on links in unsolicited emails/texts.
- Don’t download attachments in unsolicited emails/texts.
- Install and antivirus to scan links and attachments before downloading them.
- Always type out links by yourself.
- Check if you’re on secure connections (most phishing websites are unsecured).
- Look out for anomalies in address names (the small letter “L” and capital letter “I” are often used interchangeably to confuse victims).
Keylogging
As the name implies, keylogging relies on capturing every keystroke a user enters on their computers to determine the passwords to specific accounts.
Keyloggers are malware installed on the target computer which silently collects data, relaying this data to a server specified by the hacker.
This malware is very dangerous because it can reveal your online account passwords.
Beyond that, it can disclose sensitive information you enter online.
If you’re buying from an ecommerce marketplace and enter your card details, for example, a keylogger records and sends every keystroke of that data to the hacker.
Unlike other forms of malware (like ransomware) that you instantly know about, keyloggers can operate in the background for many months.
- Install an antivirus. Scan your devices regularly.
- Never sideload apps on your devices.
- Don’t download unsolicited attachments in texts from untrusted sources.
- Never plug untrusted drives into your PC.
- Regularly scan your PC and devices for unwanted apps running in the background.
- Install a firewall (inbound and outbound) on your devices.
Rainbow Table Attack
Rainbow table attacks utilize a “rainbow table” to reverse password hashing technology, decrypting already secured passwords into plain text.
Corporations and online services used to store user passwords as plain texts, the same way you enter them into their platforms.
However, that allowed for a higher frequency of breaches since getting access to the plaintext file means having backdoor access to the accounts on that platform.
So, they devised a new method of password encryption known as hashing.
Hashing means that every password you enter in plain text is converted into a hash (long string of characters) that only the computer can understand and decode.
Thus, a password like [JaneDoe1997] could be stored as [ah65*7h/.Ljvtosi)(8&=;ps’/.d&] in the hash database.
To make things harder for hackers, a hash string doesn’t correspond to the number of characters in your password.
However, hackers got better at decoding this once they had the rainbow table.
They could reverse the hash enough until they got to the plain text.
Most online services now use salting to make using rainbow tables impossible for hackers.
Salting adds an extra character to the hashed password, but only the computer knows which is the additional character.
This completely changes the generated hash string and throws the hacker off your password trail.
- Use trusted online accounts.
Man-In-The-Middle Attack
As the name implies, a man-in-the-middle attack relies on the hacker inserting themselves between your devices and the servers you’re communicating with.
This allows the hacker to intercept your messages, communication, and every other data you enter over the network.
Man-in-the-middle attacks often occur over unsecured networks, which allows the hacker to snoop around your internet data.
Once they have inserted themselves between you and the target server, they see everything you – and that target server – also see.
Tools for internet data sniffing and snooping are getting ridiculously cheaper these days.
Likewise, hackers don’t need to be particularly experienced to use this hacking technique.
This is one of the reasons I believe it’s one of the deadliest methods, even though others may see it as too simple to be worried about.
- When using public Wi-Fi networks, layer your connection over a VPN.
- Install antivirus software and scan your devices regularly.
Dictionary Attack
A dictionary attack is a brute force attack that tries all the words in a dictionary (as possible passwords) against a user’s account.
Hackers usually upload a dictionary file into their password hacking algorithm, trying out the different words (from A – Z) until the algorithm finds one that clicks.
Some dictionary attacks take it a step further, combining multiple words in case the user has created a passphrase [e.g., the common ‘iloveyou’ password]
Believing that password length alone equals better password security makes most people victims of this password attack.
You may fall in this category if you’re simply using the longest word in your dictionary or a group of words.
The latter is what I see some users calling a passphrase and believing it’s secure.
A dictionary attack is enough to find out such passwords.
If you’ve used only lowercase letters for your dictionary password or passphrase, you can see from the table above how easy that passphrase is to hack.
- Choose complex passwords.
- Use alphanumeric characters and symbols in your passwords.
- Vary the letter cases in your passwords.
- Choose password strings containing no alphabet.
How to Make Your Passwords Unhackable?
Earlier, I mentioned that no password is impossible to hack.
So, why bother?
Think of it like this.
One password can be hacked in 5 seconds, while another will take 1 billion years to hack.
The latter still got hacked, but I can bet no hacker has a billion years to spend on one password.
So, here are tips on making your passwords unhackable:
Choose Obscure and Complex Passwords
As mentioned (many times) previously, ensure your passwords are as divorced from your person as possible.
You now know that the longer your passwords, the better.
If you cannot always come up with such complex and obscure passwords yourself, I recommend using a free online password generator.
They help you avoid common passwords and can generate strong passwords for multiple sites.
- Online password generator (use LastPass)
Always Use Encrypted Connections
Man-in-the-middle attacks happen because your connections are unsecured and allow anyone to see the data you’re transmitting on the web.
Staving off such attacks prevents the hacker from seeing what you’re doing, much less the passwords (or other data) you’re sending over the network.
If you must use public and free Wi-Fi connections, getting a VPN is your best bet.
NordVPN is a recommended VPN provider offering obfuscated servers that tunnel your internet data via secure packets only seen by you and the target server.
Even if you were using the plain NordVPN connection, you still get better protection than browsing the internet without a VPN.
You can keep using a VPN when you’re on private connections since you don’t know who might have access to your network data.
Layering your private and public connections over a VPN prevents even your ISP from seeing what you’re doing on the internet.
- VPN (Try NordVPN for the best value for money)
Change Your Passwords Frequently
Now, I don’t recommend this for all accounts.
As long as you have generated a strong password the first time, you can keep using most of your accounts with the same secure password you started with.
For more sensitive accounts (such as work files, bank accounts, healthcare login, insurance accounts, etc.), I recommend changing your passwords frequently.
The reason for this is simple:
Human error accounts for many password breaches, and you might have spilled your password to someone.
A shoulder-surfer might have even seen where you store your passwords.
Changing the passwords to these sensitive accounts where you could take the most significant financial, career, or personal hits helps protect you in the case of any eventualities.
- Password manager (discussed below).
- Password generators.
Get a Password Manager
I mentioned earlier that over half of people (53%) memorize their passwords.
This is usually possible when the password is short, simple, and personal.
Now you know better.
Password managers allow you to enjoy the luxury of using strong, complex passwords without remembering them.
They provide a single location where you can store all of your unique logins and access them under a master password.
However, 65% of Americans alone don’t trust password managers[7].
You’re right to be skeptical about these tools.
Using the wrong ones may mean putting all of your passwords in the hands of a company that’ll use them against you.
There’s also the fear that anyone who hacks your password manager has access to all the accounts you’ve secured there.
This is why you should only choose a reliable password manager (check recommended tools below) and have a secure password for it too.
This is the only password you have to memorize.
- Bitwarden - User-friendly password manager with an inbuilt password generator and a feature-packed freemium option.
- NordPass - Allows you to sync passwords across all your devices, login autofill on websites, and unlimited password storage.
- Dashlane - Offers inbuilt VPN with sharing across up to five users.
Don’t Reuse Passwords
A LogMeIn study shows that employees reuse their passwords about 13 times[8].
A shocking 51% of people[2] even use the same passwords for their work and personal accounts.
Reusing one password across multiple accounts brings the convenience of not having to remember unique logins for each account.
You don’t see that it also gives a hacker access to all other accounts with the same password as soon as they hack the first one.
You can get around this by generating unique, secure passwords for your online accounts with a password generator.
The good news is the password managers I recommended above come with password generators.
Generate the passwords you need within those managers, store them there, and sync them between all of your devices.
That way, you have access to unique passwords across all of your accounts and are ready to go on your devices.
- Password managers (I recommend NordPass).
- Password generators (use the one within NordPass).
Passwords are personal and should never be shared.
There are a lot of collaboration tools that allow you to grant account access to other users without giving them your passwords.
Still, it’s shocking that 43% of US internet users[9] have shared their passwords with other people.
Even 69% of employees have shared their passwords[2] with a co-worker in the workplace.
The person you’re sharing your password with might not be as security-conscious as you are.
That leaves your password at risk when it’s with them since it could fall into the wrong hands.
Fortunately, there are several things you can do to get around this password-sharing problem.
- Use collaboration tools (such as Google Docs or other relevant options) rather than share passwords.
- Create guest accounts with restricted access for others who need account access.
- Revoke access when you’re done sharing.
- Change your passwords immediately after you're done sharing them.
Use Multi-Factor Authentication
Multi-factor authentication adds an extra layer of security to your accounts such that passwords alone don’t grant account access but remain the first point of entry.
Two-factor authentication (also known as 2FA) is the most popular form of MFA today.
MFA requires anyone with your account password to enter a code sent to an authorized device before granting access to the account.
You can set up MFA to work via texts (codes sent to your mobile number or email), physical tokens or generated in-app.
These methods are great, but a hacker can clone your SIM card or intercept the codes sent to your phone.
If they already have access to your email, they can also intercept the messages sent to your email inbox.
This is where authenticator apps make the difference.
Get one, set it up, and always generate the one-time passwords needed for account login within them.
- Google Authenticator - One of the best for MFA. Doesn’t work in some regions (such as China).
- Microsoft Authenticator - A close second to Google’s offering.
How Long to Crack Bitlocker Password?
Bitlocker uses 256-bit encryption, thus it will take trillions of years to decrypt a drive that uses this feature.
You can also increase the safety features of your Bitlocker by adding a PIN that prevents the encryption key from being loaded onto the system immediately on bootup.
Note that your PIN should be as secure as possible since it can give an attacker access to the system if they know it.
Microsoft allows between 4 and 20 digits for the PIN.
For maximum security, only consider PINs 15-20 characters long.
Frequently Asked Questions
Are Passwords Difficult to Crack?
Password cracking difficulty depends on the length of the password, proficiency of the hacker, the computing power of the hacking computer, and password complexity, among other things.
These factors can make a hack successfully happen in mere seconds or decades.
What Is the Hardest Password to Hack?
The most complex password to hack will feature a long string of alphanumeric characters and symbols which don’t contain any personally-identifying information to the user.
These passwords aren’t considered unhackable, but they’ll take so long (up to billions of years) to hack that the hacker won’t bother with them.
Note that a strong password can still be hacked if a user slips up and becomes a victim of phishing attacks, connects to unsecured Wi-Fi networks, or shares their secure passwords with others.
Is Password Length Better Than Complexity?
Password complexity is a better measure of password strength compared to length.
For example, 15-character passwords consisting of numbers alone can be hacked in under an hour.
This compares to up to 3,000 years required to hack a 12-character password that contains alphanumeric characters with a mix of upper and lowercase letters.
How Long Does It Take to Crack Wi-Fi Password?
Like any other password, cracking a Wi-Fi password depends on how secure the password is and how experienced the hacker is.
Not changing your Wi-Fi password from the default settings makes it easier to hack since most routers come with the same defaults passwords that could be obtained online.
The type of router can also play a factor in how easy a password is to hack.
Poorly-made routers don’t have secure firmware against external attacks and could be easier to bypass than reliable models.
How Long Does It Take to Crack a Password of 8 Characters?
8-character passwords can be cracked almost instantly, provided a powerful enough computer is used.
Even with a combination of alphanumeric characters and symbols, 8-character passwords could be found by average computers in under an hour.
It’s best to increase the character count slightly to stand a better chance against hackers.
For reference, a 10-character password can take about five months to crack on average, which is a massive leap over the one-hour timeframe of an 8-character password.
How Long Does It Take to Crack a Password of 6 Characters?
6-character passwords are highly susceptible to instant hacks, no matter the characters used.
Computers can figure out the combinations in the password faster and crack it almost instantly.
I recommend generating a stronger password via a password manager like NordPass, which you can also use to store the secure password.
If you must use just six characters, boost your password security with multi-factor authentication that requires a unique generated token every time you try to log in.
How Long Should Passwords Be?
Passwords shouldn’t only be long but complex enough to be unhackable by supercomputers with high processing power.
When generating keywords, start with a minimum of 14 characters that contain a mix of:
- Uppercase alphabets.
- Lowercase alphabets.
- Numeric characters.
- Symbols.
Length alone isn’t a good indicator of a good password.
When combined with varied characters, the password gains more complexity and is harder to crack.
Online Safety Goes Beyond Just Passwords
Passwords are crucial for online safety, but they can’t work alone.
You should know about other dangers you face online stemming from the kind of device you use, the websites you visit, and even your ISPs.
For example, you might not know about browser fingerprinting and how your browser choice can be used to identify you on the internet.
If you’re a social media user, you might also be interested in protecting your privacy on Facebook and seeing what data Google has on you (hint: it’s massive).
Finish that off by browsing our internet privacy and safety section for the most recent and updated privacy advice to implement right away.
Sources:
- https://www.scientificamerican.com/article/the-mathematics-of-hacking-passwords/
- https://www.yubico.com/blog/yubico-releases-the-2019-state-of-password-and-authentication-security-behaviors-report/
- https://cybernews.com/best-password-managers/most-common-passwords/
- https://www.verizon.com/business/resources/reports/dbir/2020/smb-data-breaches-deep-dive/
- https://www.businessinsider.com/90-percent-of-passwords-vulnerable-to-hacking-2013-1?IR=T
- https://www.techrepublic.com/article/57-of-it-workers-who-get-phished-dont-change-their-password-behaviors
- https://www.passwordmanager.com/password-manager-trust-survey/
- https://www.logmein.com/newsroom/press-release/2019/new-lastpass-research-finds-password-habits-remain-key-obstacle-to-business-security
- https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/PasswordCheckup-HarrisPoll-InfographicFINAL.pdf
