Time Needed to Crack Passwords, 2018 Edition

December 13th, 2017

These time ranges are valid as of 2018 for attackers that might have stolen a database from a third-party website you use.

It assumes the attacker is using a cloud platform like AWS and your password has been hashed and salted by the website. You, on the other hand, should assume the website’s security was programmed by troglodytes like the guy on the right ⟶

If the site in question does store your password securely, the time to crack will increase significantly. That means they use something like scrypt, bcrypt, PBKDF2, or basically anything OWASP recommends. Run away if you hear “unsalted”, MD5, or SHA-1.

Passphrases Crack Time

A passphrase is several random words combined together, like xkcd’s famous correcthorsebatterystaple suggestion.

The below chart assumes the attacker knows what dictionary you used and the dictionary has around 8000 words.

Number of Words Time to Crack
3 words 3 seconds
4 words 7 hours
5 words 8 years

Passwords Crack Time

Alphanumeric means the password is made up of uppercase and lowercase letters, as well as numbers. Basically A-Z, a-z, 0-9.

Jeff Atwood
Password Length Time to Crack … with special character
9 characters 2 minutes 2 hours
10 characters 2 hours 1 week
11 characters 6 days 2 years
12 characters 1 year 2 centuries
13 characters 64 years

Obligatory don’t be an Idiot

You should assume the attacker knows a lot about you; case and point: Facebook. Guessable things like the following have no business being in your password:

  • Your: name, birthday, anniversary, social security number, etc.
  • Your parent’s, friend’s, spouse’s, dog’s: name, birthday, etc.
  • Sequences like 12345

  • Any of the above, but combined; adding guessable things together does not make them un-guessable
  • Passwords you’ve used before; they’ve probably already been breached

tl;dr: use 13 characters or 5 random words combined