Estimated time to crack password

We have written about major password breaches like the “collections #1” breach in the past.

Brian Kreb’s recent blog details how Facebook stored hundreds of millions of passwords in plain text going back to at least 2012 is worth a read. Facebook has also written their own blog on the subject. Passwords, how they are stored, and how they are cracked are a hot topic right now.

The reality is most of the time if a company is breached their password database is not plain text so the hackers end up with passwords that look something like this:


Hashes are created using a mathematical equation and act as an extra layer of security in case the system is breached. They help prevent your password from being immediately revealed. The hash is what hackers need to crack to obtain your actual password on systems that do not store them in plain text like Facebook did.

How easy is it to crack passwords?


7 numerical digits. This will be cracked by your cellphone instantly. Passwords consisting of just numbers are very easy for machines to crack.


10 numerical digits. This will take a computer about 2 minutes to crack or a dedicated graphics card will have it in about 5 seconds. The extra few digits make it a bit more difficult to crack than the previous password but length alone isn’t enough.


8 digits, all lower case letters. A computer will crack this in about 30 minutes and a graphics card will take about 3 minutes. Letters are harder to crack then numbers because there are more than 10 letters in the alphabet but overall time to crack is still very low.


8 digits, mix of lowercase letters and numbers. A computer will take about 8 hours to crack or about 45 minutes for a graphics card.


8 digits, mix of numbers, uppercase and lowercase letters. A computer will crack this password in 25, a graphics card will crack it in 2 days, and a super computer will break it in 2 seconds.

The typical password guidelines for online banking, for example:

  • New password must be 6 to 12 characters

  • Use a combination of letters and numbers

  • Don’t use special characters, such as #@!*&

They don’t even allow you to use symbols. This is the best you can do.


8 digits, uppercase and lowercase letters, numbers, and symbols. This is the default password requirement for Microsoft Active Directory accounts.

A computer needs 2 years to crack this password, a graphics card needs 1 month, and a super computer will chew through it in about 1 minute. Or if you think about it in terms of cost to crack: the super computer costs approximately $0.25 for a minute of use.

It begs the question - how often do you change your password? Even if it’s every 3 months a password with these limitations is still very vulnerable. Not to mention how easy is it to remember that password with symbols?


14 digits, lower case letters. It’s just 3 random words so ought to be easy to break right? Actually a computer would need 249,000 years to break this seemingly simple password. It drops to 25,000 years for a graphics card and 7 days for a super computer. However the cost of that super computer time would be in the area of $100,000.


18 digits, lower case letters.

It’s not even worth recording the time it would take a computer or graphics card to break this one because it would take 114,000 years for a super computer. We’ll have to wait for quantum computers or some future technology to break that password in anyone’s lifetime.

Pick a password using random words!

Picking random words makes it extremely difficult for a computer to crack but also very easy for a person to remember.

Even better, you can put the name of the website or service in the password to ensure you use a different password for every service.


It would take 14 years to crack this password on a super computer and if the password leaks the only website compromised is your Facebook account. You’d only need to change your Facebook password up to once every 13 years to save yourself from super computer attack though that assumes that your password isn’t stored in plain text!

Length is what matters. The xkcd comic illustrates this point well, correct horse battery staple.