How Long Would It Take To Crack Your Password?
A password like Summer2025! takes about seven seconds to crack on a $300 gaming GPU. It has an uppercase letter, a number, and a symbol — the full complexity checklist. And it still falls in seconds.
Most of us were taught password rules that optimize for the wrong thing. Complexity feels secure. Length actually is. In 2026, the difference between a password that survives a breach and one that doesn’t is usually about four extra characters — not special symbols, not forced uppercase, not the quarterly rotation your work account keeps nagging you about.
This post explains how cracking actually works, what the real numbers look like on 2026 hardware, and why two passwords that look equally “strong” can have crack times 10,000 years apart.
TL;DR. A “strong-looking” 9-character password can be cracked in seconds if it follows a predictable pattern. A 14-character random string or a 5-word passphrase takes trillions of years on current hardware. Length matters far more than special characters. Test yours below — nothing you type leaves your browser.
Test your password first
Try a password similar to one you actually use — not your real one, but the same pattern. Same length, same mix of letters and numbers, same style of word you’d pick. The checker runs entirely in your browser. Nothing you type is sent anywhere, logged, or stored.
You’ll see three numbers: entropy (a measure of randomness in bits), guesses-per-second assumed by the attacker, and estimated crack time. The crack time is the headline number, but it’s only meaningful if you understand which attack scenario we’re modelling — which is the next thing we’ll cover.
What “crack time” actually measures
When a site tells you your password is “strong,” it usually means one of three very different things. The same password can look safe under one assumption and hopeless under another.
Scenario 1: Online, throttled (10 guesses per second)
An attacker is typing into the actual login form. The site locks them out after a handful of wrong guesses, or slows them down with rate limiting and CAPTCHAs. Even a weak password is usually safe here — which is why most password meters quote huge crack times. This is the most flattering scenario, and the least realistic.
Scenario 2: Online, unthrottled (1,000 guesses per second)
An attacker is hitting an API endpoint that doesn’t rate-limit properly, or is spreading guesses across thousands of accounts (credential stuffing). More realistic, and the reason 2FA matters.
Scenario 3: Offline, fast hashing (10 billion guesses per second)
This is the one that matters. After a breach, attackers download a file of hashed passwords and crack them on their own hardware, offline, at GPU speed. A modern RTX-class GPU can test 10 billion guesses per second against weak hash algorithms like MD5 or SHA-1. Against slow hashes like bcrypt with a high work factor, that drops to thousands per second — but most sites aren’t using bcrypt correctly.
Making Sense Of Security quotes crack times for Scenario 3 by default, because that’s the scenario you need to survive. A password that takes 10,000 years offline will take effectively forever online. The reverse isn’t true.
| Password | Scenario 1 (10/sec) | Scenario 2 (1K/sec) | Scenario 3 (10B/sec) |
|---|---|---|---|
| Summer2025! | ~3 years | ~11 days | ~7 seconds |
| h7Qm$vL | ~2,000 years | ~20 years | ~1 minute |
| correct-horse-battery-staple | essentially forever | essentially forever | ~150 trillion years |
Why two “10-character” passwords can have crack times 10,000 years apart
The length of a password tells you almost nothing on its own. What matters is the search space — how many possibilities the attacker has to try. A 10-character password drawn from a predictable pattern has a search space smaller than a 6-character random string.
Consider three 10-character passwords:
- Password12 — in every breach dictionary ever compiled. Crack time: instant.
- Summer2025 — a season plus a year, a known pattern. Pattern-aware crackers like Hashcat’s rule engine try this combination in seconds. Crack time: ~2 seconds.
- k7#mQp2vLz — genuinely random across all 94 printable ASCII characters. Crack time: ~6 months on 2026 GPU hardware.
Same length. Three different orders of magnitude in safety. The attackers’ advantage is that they don’t try all 94^10 possibilities — they try the likely ones first. Dictionary words, common substitutions (p@ssw0rd), years, names, keyboard walks (qwerty, 1qaz2wsx), and every combination of those get tested long before true random strings do.
This is why a 16-character passphrase of common words (correct-horse-battery-staple) can be enormously strong despite using only lowercase letters and hyphens: the search space isn’t 26 letters raised to 28 positions, it’s how many 4-word combinations exist in the English dictionary. With a dictionary of around 7,500 common words, that’s still roughly 3.2 trillion combinations — decades of cracking time even on fast hardware, and all without memorizing a single special character.
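As an added example (not code from this post or its checker), here is a small estimator that turns a password’s entropy into crack times under the three scenarios above, and shows the same arithmetic for the structured-vs-random comparison and for Diceware passphrases. The slot counts for the season+year+symbol pattern, the single attacker at the quoted rate, and the assumption that the password is found halfway through the search space are my own, so its figures will not match the table exactly.

```python
# Added example: crack-time estimator for the three scenarios in the post (not the post's code).
import math

YEAR = 365 * 24 * 3600
# Guesses per second for the three scenarios described in the post.
SCENARIOS = {
    "online_throttled": 10,
    "online_unthrottled": 1_000,
    "offline_fast_hash": 10_000_000_000,
}

def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Uniformly random string: every position is an independent choice."""
    return length * math.log2(alphabet_size)

def pattern_entropy_bits(choices_per_slot) -> float:
    """Structured password (e.g. season + year + symbol): only the slot values are
    unknown, so entropy is the sum of log2 of each slot's number of choices."""
    return sum(math.log2(n) for n in choices_per_slot)

def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Diceware-style passphrase: each word is one uniform draw from the word list."""
    return words * math.log2(dictionary_size)

def crack_times(bits: float) -> dict:
    """Expected seconds per scenario. Assumption: the attacker finds the password
    after searching half of the 2**bits possibilities, on average."""
    expected_guesses = 2 ** bits / 2
    return {name: expected_guesses / rate for name, rate in SCENARIOS.items()}

def human(seconds: float) -> str:
    """Round a duration to its largest whole unit, the way a password meter would."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "instant"

if __name__ == "__main__":
    # Constructed sample passwords; the slot counts for the pattern are assumptions.
    samples = {
        "Summer2025! (4 seasons x 100 years x 10 symbols)": pattern_entropy_bits([4, 100, 10]),
        "k7#mQp2vLz (10 random printable ASCII chars)": random_entropy_bits(10, 94),
        "4-word passphrase from a 7,500-word list": passphrase_entropy_bits(4, 7500),
    }
    for label, bits in samples.items():
        times = ", ".join(f"{k}: {human(v)}" for k, v in crack_times(bits).items())
        print(f"{label}: {bits:.1f} bits -> {times}")
```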
The three things attackers actually exploit
Every fast crack falls into one of three categories. If your password avoids all three, you’re effectively safe from offline cracking.
1. Dictionary words and leet-speak substitutions
Attackers start with a dictionary of a few hundred million leaked and common passwords, then apply rules: capitalize the first letter, add a digit at the end, swap e for 3, a for @, and so on. Every “clever” substitution you can think of, they’ve tried. P@ssw0rd! is no stronger than password to a modern cracker.
2. Predictable structures
Name + year. Pet + birthday. Company + exclamation point. Season + year. Sports team + jersey number. These patterns look unique because your specific values feel personal. But the structure is what cracking rules target, and there are only a few dozen common structures. Once the structure is known, the rest is a quick fill-in-the-blank.
3. Reuse across sites
Even if your password is genuinely random, if you use the same one on 15 sites, it only takes one of those sites being breached for attackers to have your credentials for all 15. This is credential stuffing, and it’s currently responsible for roughly 34% of login attempts on major sites (Auth0 2025 State of Secure Identity). The fix isn’t a better password — it’s a different password everywhere.
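The first two categories above can be checked locally before a password is accepted; the third (reuse) cannot. As an added example that is not this site’s checker, here is a minimal policy check that undoes leet-speak, looks the letters-only core up in a (constructed, tiny) dictionary, and flags year suffixes, keyboard walks and the Word+digits+symbol structure; the word list and walk list are stand-ins for the breach dictionaries a real checker would load.

```python
# Added example (not the post's checker): flags the two locally detectable
# categories above, dictionary/leet words and predictable structures.
import re

# Common leet substitutions, reversed so P@ssw0rd compares equal to password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
# Constructed stand-ins for the breach dictionary a real checker would load.
COMMON_WORDS = {"password", "summer", "winter", "spring", "autumn",
                "welcome", "letmein", "qwerty", "admin"}
KEYBOARD_WALKS = ("qwerty", "1qaz2wsx", "asdf", "zxcv", "12345")
YEAR = re.compile(r"(19|20)\d{2}")

def normalize(password: str) -> str:
    """Lower-case and undo leet-speak substitutions."""
    return password.lower().translate(LEET)

def weaknesses(password: str) -> list:
    """Return the attacker shortcuts this password falls to (empty list = none found)."""
    found = []
    raw = password.lower()
    # Letters-only core, once as typed and once with leet substitutions undone.
    cores = {re.sub(r"[^a-z]", "", s) for s in (raw, normalize(password))}
    if cores & COMMON_WORDS:
        found.append("dictionary word")
    if any(walk in raw for walk in KEYBOARD_WALKS):
        found.append("keyboard walk")
    if YEAR.search(password):
        found.append("year suffix")
    # Capitalised word, 1-4 digits, optional trailing symbol: the Summer2025! shape.
    if re.fullmatch(r"[A-Z][a-z]+\d{1,4}[!@#$%^&*]?", password):
        found.append("Word+digits+symbol structure")
    return found

if __name__ == "__main__":
    for pw in ("Summer2025!", "P@ssw0rd!", "k7#mQp2vLz", "correct-horse-battery-staple"):
        print(pw, "->", weaknesses(pw) or "no known pattern")
```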
Free: the Password Upgrade Checklist (PDF)
A one-page checklist to audit your 10 most-used passwords in under 20 minutes: which to change first, what to replace them with, and how to stop doing the three things above. No email wall you have to click through — just your address and an instant download.
What a safe password actually looks like in 2026
Three options, in order from easiest to most “security cosplay”:
- Use a password manager and let it generate 20-character random passwords for every site. This is the single highest-impact change most people can make. Bitwarden is free and open source.
- Use a 5- or 6-word passphrase for the few passwords you need to remember (your device login, your password manager master). Diceware-style — four randomly chosen common words give you ~51 bits of entropy, five give you ~64, six give you ~77.
- Add a hardware security key (YubiKey or similar) to your most important accounts — email, password manager, financial — so that even a perfect phishing attack can’t log in without the physical key in hand. About $50 per key.
What you don’t need: forced password rotation, complexity requirements that push you toward Summer2025! patterns, or a 30-page password policy. NIST abandoned the rotation advice in 2017. Most corporate IT hasn’t caught up.
Our picks for password managers in 2026
Bitwarden — free tier covers everything most people need, open source, independently audited. The safe default.
1Password Families — $5/month for up to 5 users, best-in-class UX, worth it if you’re setting up a family. Affiliate link.
Proton Pass — privacy-focused, part of the Proton ecosystem, good if you already use Proton Mail or VPN. Affiliate link.
What to do in the next 20 minutes
- Scroll back up and test three of your real passwords (or variants with the same structure) in the checker.
- Pick the weakest one. Sign up for Bitwarden and change that password to a 20-character generated one.
- Download the Password Upgrade Checklist PDF and schedule 20 minutes on your calendar this week to work through your top 10.
- Forward this post to the one person in your life who still uses Spring2025!.