The time it takes to brute-force a password depends on two variables: how many possible characters it can contain (the character set) and how long it is. Together they define the total number of possible combinations, the "search space", that an attacker must explore. The table below assumes a dedicated attacker with a GPU rig capable of 100 billion guesses per second, which is realistic for a well-resourced adversary in 2026 attacking a fast, unsalted hash such as MD5 or NTLM. Against a deliberately slow password hash (bcrypt, scrypt, Argon2) the same hardware manages orders of magnitude fewer guesses per second, and every time in the table grows by the same factor. The character set assumes a pool of 72 possible characters: uppercase, lowercase, numbers, and ten common symbols.
The numbers speak for themselves. At 8 characters, your password falls in hours. At 16 characters, it outlasts the sun.
| Length | Combinations (72^N) | Time to exhaust at 100B guesses/sec | Verdict |
|---|---|---|---|
| 8 | 7.2 × 10^14 | ~2 hours | Cracked in hours |
| 10 | 3.7 × 10^18 | ~1.2 years | Dangerous |
| 12 | 1.9 × 10^22 | ~6,100 years | Minimum acceptable |
| 14 | 1.0 × 10^26 | ~31 million years | Strong |
| 16 | 5.2 × 10^29 | ~165 billion years | Very strong |
| 20 | 1.4 × 10^37 | ~4.5 × 10^18 years | Essentially uncrackable |
An important caveat: these times assume the password is truly random, generated by a cryptographically secure source with no predictable patterns, and they are the time to exhaust the entire space. On average an attacker finds a random password about halfway through, so halve each figure for the expected case. If your password is a dictionary word with a number appended (e.g., "password123"), a dictionary attack will break it in milliseconds regardless of the theoretical brute-force time. The table describes the worst case for the attacker, not a guarantee of safety if the password itself is weak.
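The table's figures all come from one formula, and a practitioner usually wants to vary its inputs: the charset size, the guess rate, and whether the attacker must exhaust the space or merely expects to find the password halfway through. The script below is an added worked example, not part of the original article. It reproduces the table from the article's own parameters (72 characters, 10^11 guesses per second); the slow-KDF rate it contrasts against (10^5 guesses per second) is an illustrative assumption, not a benchmark.

```python
import math

# Parameters taken from the article: a 72-character pool and 10^11 guesses/s.
CHARSET_SIZE = 72
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of this length (exact integer)."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """log2 of the search space, the usual unit for password strength."""
    return length * math.log2(charset_size)


def exhaust_seconds(length: int, rate: float = GUESSES_PER_SECOND,
                    charset_size: int = CHARSET_SIZE) -> float:
    """Worst case for the attacker: every candidate has to be tried."""
    return search_space(length, charset_size) / rate


def expected_seconds(length: int, rate: float = GUESSES_PER_SECOND,
                     charset_size: int = CHARSET_SIZE) -> float:
    """Average case: a uniformly random target is found halfway through."""
    return exhaust_seconds(length, rate, charset_size) / 2


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1000:
        return f"{years:.1f} years"
    return f"{years:.3g} years"


def crack_table(lengths, rate: float = GUESSES_PER_SECOND,
                charset_size: int = CHARSET_SIZE):
    """One row per length: (length, combinations, bits, worst-case seconds)."""
    return [(n, search_space(n, charset_size), entropy_bits(n, charset_size),
             exhaust_seconds(n, rate, charset_size)) for n in lengths]


if __name__ == "__main__":
    print(f"{'len':>3} {'bits':>6} {'combinations':>14} {'exhaust':>18} {'expected':>18}")
    for n, combos, bits, secs in crack_table([8, 10, 12, 14, 16, 20]):
        print(f"{n:>3} {bits:>6.1f} {combos:>14.2e} {humanize(secs):>18} {humanize(secs / 2):>18}")

    # Same 12-character password against two guess rates. 10^11/s is the
    # article's figure for a fast unsalted hash; 10^5/s is an assumed,
    # illustrative rate for a deliberately slow password hash, not a benchmark.
    for label, rate in [("fast unsalted hash", 1e11), ("slow KDF (assumed)", 1e5)]:
        print(f"12 chars vs {label:>19}: {humanize(exhaust_seconds(12, rate))}")
```

Run it as a script to print the table with an extra "bits" column; the bits figure is what lets you compare a character password with the passphrases discussed later on this page.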
A brute force attack tries every possible combination of characters in sequence: "aaaaaa", "aaaaab", "aaaaac", and so on until it matches the target. It is guaranteed to succeed given enough time, because it systematically exhausts the entire search space. The defense is simple: make the search space too large to exhaust within a human lifetime. Every additional character multiplies the number of combinations by the size of the character set, so a 12-character password is not twice as hard as a 6-character one; it is 72^6, or approximately 140 billion, times harder.
A dictionary attack is far more efficient and far more common. Instead of trying every character combination, the attacker tries a list of known passwords, millions of them, collected from previous data breaches. The RockYou breach of 2009 exposed 32 million plaintext passwords; the LinkedIn breach of 2012 exposed 117 million (the full extent only became public in 2016, when the complete dataset surfaced). These and dozens of other leaked databases have been compiled into massive wordlists used by attackers and penetration testers alike. If your password appears in any breach database, it is in these wordlists, and a dictionary attack will find it in seconds. Adding "123" or "!" to a dictionary word does not help: cracking tools such as hashcat and John the Ripper apply "mangling rules" that automatically generate common variations, appending numbers, substituting "@" for "a", capitalizing the first letter, and many more, so each wordlist entry becomes dozens or hundreds of candidates.
The practical implication: a 6-character truly random password (about 139 billion combinations with a 72-character set) has a larger effective search space than a 20-character password built from dictionary words with common substitutions, because the dictionary attack reduces the latter to a few million base words times a modest set of rules. Neither is adequate against a 100-billion-guess-per-second attacker (the random 6-character password falls in about 1.4 seconds), but the comparison shows what actually sets the effective search space. Randomness is the foundation of password strength. Length amplifies it, but randomness is what makes it work in the first place.
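To make the mangling-rule point concrete, the following added example (not from the original article, and not hashcat or John the Ripper themselves) implements a small rule interpreter in the style of their rule syntax, runs it over a constructed five-word wordlist, and shows that "P@ssword123" and "Summer2024!" fall out of a handful of rules while a random 8-character string does not. SHA-256 stands in for whatever fast unsalted hash a leak uses; the wordlist and rules are constructed for illustration.

```python
import hashlib
from typing import Iterator, Optional, Tuple

# Constructed sample wordlist standing in for a breach-derived list (RockYou etc.).
WORDLIST = ["password", "summer", "linkedin", "dragon", "football"]

# Mangling rules in a hashcat/John-style mini-syntax. Only the subset handled by
# apply_rule() is supported: ':' no-op, 'l' lower, 'u' upper, 'c' capitalize,
# 'r' reverse, '$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
RULES = [
    ":",
    "c",
    "u",
    "$1 $2 $3",
    "c $1 $2 $3",
    "sa@ se3 so0",
    "c sa@ $1 $2 $3",
    "c $2 $0 $2 $4 $!",
    "r",
]


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule (a space-separated chain of functions) to a word."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in " :":
            pass                                  # separator / no-op
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "$":
            i += 1
            word = word + rule[i]
        elif op == "^":
            i += 1
            word = rule[i] + word
        elif op == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word


def candidates(words, rules) -> Iterator[Tuple[str, str, str]]:
    """Every (base word, rule, candidate) the attack tries, in attack order."""
    for w in words:
        for r in rules:
            yield w, r, apply_rule(w, r)


def digest(password: str) -> str:
    """Stand-in for the fast unsalted hash a leak might use (MD5, SHA-1, NTLM)."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target: str, words=WORDLIST, rules=RULES) -> Optional[Tuple[str, str, str]]:
    """Return (word, rule, plaintext) for the first candidate matching target."""
    for w, r, cand in candidates(words, rules):
        if digest(cand) == target:
            return w, r, cand
    return None


def attack_size(words=WORDLIST, rules=RULES) -> int:
    """Distinct candidates tried: the attacker's real search space."""
    return len({c for _, _, c in candidates(words, rules)})


if __name__ == "__main__":
    for pw in ["P@ssword123", "Summer2024!", "nogard", "xK7#pq2m"]:
        hit = dictionary_attack(digest(pw))
        print(f"{pw:<12} -> {hit if hit else 'not in candidate set'}")
    print(f"{attack_size()} candidates tried, versus 72**11 = {72 ** 11:.1e} "
          f"for a brute-force search of an 11-character string")
```

Five words and nine rules already cover three of the four targets; a real attack uses millions of words and thousands of rules, and the candidate count still stays many orders of magnitude below brute force of the same length, which is exactly why the effective search space of a mangled dictionary word is so small.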
Every major password leak, and there have been many, reveals the same pattern. In the 2012 LinkedIn breach, the most common passwords included "link" (a fragment of the company's own name), "123456", "password", and "linkedin". In the 2013 Adobe breach affecting 153 million accounts, the top passwords included "123456", "123456789", "password", and "adobe123". Across nearly every breach dataset studied, the same five to ten passwords dominate the top spots: "123456", "password", "123456789", "12345678", "qwerty", and "111111".
These passwords are not being cracked; they are being guessed. An attacker does not need a GPU cluster to break "123456"; it is the first guess in every wordlist ever compiled. The lesson from decades of leaked data is unambiguous: humans are terrible at generating random passwords. We gravitate toward patterns, sequences, and personal references, and attackers have catalogued every common pattern. The only reliable defense is to remove the human from the password generation process entirely: use a tool like our free password generator that creates truly random passwords using cryptographic randomness.
If you follow these rules, your password will survive any realistic attack:
1. Minimum 12 characters, preferably 16+. At 12 truly random characters (about 74 bits of entropy), exhaustive cracking becomes infeasible with current hardware. At 16 (about 99 bits), it stays infeasible even against an adversary millions of times faster than the 100-billion-guess-per-second rig assumed above. Every extra character multiplies the search space by the size of the character set, 72 in this example.
2. Use all four character types. Uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and symbols (!@#$). Using all four expands your character set to roughly 72 possible characters per position, maximizing the search space for a given length. A 12-character password from a 26-character set (lowercase only) has about 95 quadrillion combinations; from a 72-character set it has about 19 sextillion, roughly 200,000 times more.
3. Never reuse passwords across accounts. Credential stuffing, where attackers take email-password pairs from one breach and try them on other services, is one of the most common account-takeover techniques. A strong, unique password on your email account means nothing if you use the same password on a random forum that gets breached next week.
4. Generate, do not invent. A password you invent in your head is not random, no matter how clever you think you are. Your brain follows patterns it is not aware of. Use a cryptographically secure password generator, like our tool, to create passwords that are genuinely unpredictable.
A passphrase is a sequence of randomly chosen words that serves as your password. If you select four words randomly from a list of 7,776 common English words (the Diceware wordlist), the resulting passphrase has approximately 52 bits of entropy (4 × log2 7,776), roughly what an 8- to 9-character random password from the 72-character set provides, but it is far easier to remember. Six randomly chosen words provide about 78 bits, roughly matching a 13-character random password.
The key word is random. A passphrase like "ilovepizzanapoli" is not secure: it follows predictable grammar, and cracking tools attack it with wordlists, phrase lists, and statistical models of natural language rather than character-by-character search. A truly random passphrase like "correct-horse-battery-staple-remark-kite" is vastly stronger because the words are unrelated and unpredictable. You can generate a passphrase manually using dice and the Diceware wordlist, or let the generator handle the randomness for you.
Passphrases are ideal for passwords you must type manually: the master password for your password manager, your computer login, and any other secret you enter by hand. For accounts where you can paste from a password manager, a random character string of 20+ characters is stronger, but a six-word passphrase is already well beyond what any realistic attacker can exhaust, with substantially better memorability.
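The generation rules above and the passphrase arithmetic in this section can both be checked in code. The added example below is not the site's generator and not part of the original article. It draws characters with Python's secrets module (the OS CSPRNG) from the 72-character pool, enforces the all-four-classes rule by rejection sampling, and computes exactly how many bits that rule costs via inclusion-exclusion (about 0.56 bits at 12 characters, so for a random password the rule barely matters; the real gain is the larger pool). It also maps five dice rolls to a Diceware index and converts passphrase entropy into an equivalent random-character length. The ten-symbol set and the placeholder 7,776-entry wordlist are assumptions for illustration; use the real EFF or Diceware list in practice.

```python
import math
import secrets
import string
from itertools import combinations

# The article's four character classes, 72 characters in total. The article
# lists only "!@#$" for symbols; the ten used here are an assumption.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "symbol": "!@#$%^&*()",            # 10
}
ALPHABET = "".join(CLASSES.values())
POOL = len(ALPHABET)                   # 72


def has_all_classes(password: str) -> bool:
    return all(any(ch in cls for ch in password) for cls in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Rule 4: draw each character uniformly from the pool with the OS CSPRNG
    (secrets, never random), and rule 2: reject candidates missing a class."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def count_all_classes(length: int) -> int:
    """Exact number of length-n strings over the pool containing at least one
    character of every class: inclusion-exclusion over the set of classes
    that are absent."""
    sizes = [len(cls) for cls in CLASSES.values()]
    total = 0
    for k in range(len(sizes) + 1):
        for absent in combinations(sizes, k):
            total += (-1) ** k * (POOL - sum(absent)) ** length
    return total


def class_rule_entropy_cost(length: int) -> float:
    """Bits lost by insisting on all four classes, versus an unconstrained
    random string of the same length from the same pool."""
    return -math.log2(count_all_classes(length) / POOL ** length)


# Diceware: five d6 rolls select one of 6**5 == 7776 words. The list below is a
# constructed placeholder so the example runs offline; use the real EFF or
# Diceware wordlist in practice.
DICEWARE_WORDS = [f"word{i:04d}" for i in range(6 ** 5)]


def rolls_to_index(rolls) -> int:
    """Read five rolls (1..6 each) as a base-6 number, first roll most significant."""
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(words: int = 6, wordlist=DICEWARE_WORDS) -> str:
    """Simulate the dice with the CSPRNG; physical dice give the same distribution."""
    chosen = []
    for _ in range(words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        chosen.append(wordlist[rolls_to_index(rolls)])
    return "-".join(chosen)


def passphrase_bits(words: int, list_size: int = 7776) -> float:
    return words * math.log2(list_size)


def equivalent_length(bits: float, charset_size: int = POOL) -> float:
    """How many uniformly random characters from the pool carry the same entropy."""
    return bits / math.log2(charset_size)


if __name__ == "__main__":
    print("password  :", generate_password(16))
    print("passphrase:", generate_passphrase(6))
    for n in (12, 16):
        print(f"all-four-classes rule costs {class_rule_entropy_cost(n):.2f} bits at {n} chars")
    for w in (4, 6):
        bits = passphrase_bits(w)
        print(f"{w} Diceware words = {bits:.1f} bits = {equivalent_length(bits):.1f} random chars")
```

Rejection sampling keeps the distribution uniform over the accepted set; the alternative of forcing one character of each class into fixed positions would leak structure an attacker could exploit. The inclusion-exclusion count is exact integer arithmetic, so the entropy cost it reports is not an estimate.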
Even with the best password strategy, there is a practical limit to human memory. The average person has dozens of online accounts. Memorizing a unique 16-character random password for each one is not possible. A password manager (Bitwarden, which is free and open-source; 1Password; or the built-in manager in your browser or operating system) solves this by generating, storing, and auto-filling unique passwords for every account. You only need to remember one strong master password or passphrase to unlock the vault.
Two-factor authentication (2FA) is the essential second layer. Even if an attacker obtains your password, through a breach, phishing, or a keylogger, they cannot access your account without the second factor. Use a TOTP app (Google Authenticator, Authy, Bitwarden Authenticator) or a hardware security key (YubiKey) rather than SMS-based codes, which are vulnerable to SIM-swapping attacks. The hardware key is the stronger choice: a phishing page can relay a six-digit TOTP code to the real site within its validity window, whereas a FIDO2/WebAuthn key binds its response to the genuine site's origin and will not answer the phisher. Enable 2FA on at minimum: your email account, your password manager, your bank, your domain registrar, and any social media accounts.
Together, these three practices (strong unique passwords for every account, stored in a password manager, protected by 2FA) close off the attack vectors that account for the overwhelming majority of successful account compromises. It takes about thirty minutes to set up and permanently raises your security baseline.
Create a 20-character random password that would take quintillions of years to exhaust by brute force. Free, instant, and generated entirely in your browser, never sent to any server.
Open Password Generator