Time Needed to Crack Passwords, 2018 Edition
These time ranges are valid as of 2018 for attackers that might have stolen a database from a third-party website you use.
It assumes the attacker is using a cloud platform like AWS and your password has been hashed and salted by the website. You, on the other hand, should assume the website’s security was programmed by troglodytes like the guy on the right ⟶
If the site in question does store your password securely, the time to crack will increase significantly. That means they use something like scrypt, bcrypt, PBKDF2, or basically anything OWASP recommends. Run away if you hear “unsalted”, MD5, or SHA-1.
Passphrases Crack Time
A passphrase is several random words combined together, like xkcd’s famous correcthorsebatterystaple suggestion.
The below chart assumes the attacker knows what dictionary you used and the dictionary has around 8000 words.
| Number of Words | Time to Crack |
|---|---|
| 3 words | 3 seconds |
| 4 words | 7 hours |
| 5 words | 8 years |
Passwords Crack Time
Alphanumeric means the password is made up of uppercase and lowercase letters, as well as numbers. Basically A-Z, a-z, 0-9.
| Password Length | Time to Crack | … with special character |
|---|---|---|
| 9 characters | 2 minutes | 2 hours |
| 10 characters | 2 hours | 1 week |
| 11 characters | 6 days | 2 years |
| 12 characters | 1 year | 2 centuries |
| 13 characters | 64 years | — |
Obligatory don’t be an Idiot
You should assume the attacker knows a lot about you; case and point: Facebook. Guessable things like the following have no business being in your password:
- Your: name, birthday, anniversary, social security number, etc.
- Your parent’s, friend’s, spouse’s, dog’s: name, birthday, etc.
- Sequences like 12345
- Any of the above, but combined; adding guessable things together does not make them un-guessable
- Passwords you’ve used before; they’ve probably already been breached
tl;dr: use 13 characters or 5 random words combined
