How Long Would It Take to Crack Your Password?
"How long would it take to crack my password?" is the right question to ask. The answer reveals why some passwords fall in seconds and others would outlast the universe.
How cracking works
Attackers rarely "guess" at a login screen. After a data breach, they get a file of scrambled (hashed) passwords and try billions of combinations offline, on fast hardware. So the real threat model is: how many guesses until they hit yours?
Why length dominates
Each extra character multiplies the possibilities. Adding one character does far more than swapping a letter for a symbol. That's why a long, simple passphrase beats a short, cryptic password.
Rough crack times
Assuming a fast offline attack, approximate times for a random password using lowercase + uppercase + digits + symbols:
| Length | Approx. time to crack |
|---|---|
| 8 characters | Hours to days |
| 10 characters | Months to years |
| 12 characters | Centuries |
| 16 characters | Effectively forever |
These collapse if the password isn't random — common words, names and patterns are tried first and fall instantly, regardless of length.
What this means for you
- Use 16+ characters, or a 4–6 word random passphrase.
- Make it random — predictability is the real weakness.
- Use a unique password per site so one breach doesn't cascade.
- Enable two-factor authentication for important accounts.
See your password's strength
Our password generator shows live entropy (in bits) and an estimated time-to-crack as you adjust length and character types — generated locally, never sent anywhere.
FAQ
Is a 12-character password safe?
If it's random, it's strong against current attacks. 16+ gives a comfortable margin for the future.
Do symbols matter?
They help, but length helps more. A longer password with fewer symbol types still wins.