Brute Force Password Cracking: The Numbers
Understanding how long it takes to crack a password helps you choose appropriate security for your accounts. This page provides realistic estimates based on current hardware capabilities.
- 164 GH/s: RTX 5090 MD5 Speed
- 95: Printable ASCII Characters
- 10¹⁹: Combinations for 10-char Password
How Brute Force Works
A brute force attack tries every possible password combination until finding the correct one. The time required depends on:
- Password length: Each additional character multiplies possibilities
- Character set size: More character types = more combinations
- Hashing algorithm: Slower hashes take longer to compute
- Hardware speed: Modern GPUs can test billions per second
Modern Cracking Hardware (2026)
Password cracking leverages GPU parallel processing. Here's what attackers might use:
- Single RTX 5090: ~164 billion MD5 hashes/second | ~3.2 billion SHA-256/second | ~$2,000 consumer hardware
- 8x RTX 5090 Rig: ~1.3 trillion MD5/second | ~25 billion SHA-256/second | ~$20,000 enthusiast setup
- Cloud GPU Cluster: ~50 trillion MD5/second | Scales with budget | ~$10-50/hour rental
- Nation-State Resources: Classified speeds, likely 100+ trillion/second | Custom ASICs possible
Password Crack Time Table (MD5 Hash)
Times shown for passwords using all character types (95 printable ASCII). MD5 is fast to compute, representing a worst-case scenario for defenders.
| Length | Combinations | Single RTX 5090 | 8x GPU Rig | Cloud Cluster |
|---|---|---|---|---|
| 4 chars | 81 million | < 1 ms | < 1 ms | < 1 ms |
| 5 chars | 7.7 billion | 47 ms | < 1 ms | < 1 ms |
| 6 chars | 735 billion | 4.5 seconds | 0.6 seconds | < 1 ms |
| 7 chars | 70 trillion | 7 minutes | 54 seconds | 1.4 seconds |
| 8 chars | 6.6 quadrillion | 11 hours | 1.4 hours | 2.2 minutes |
| 9 chars | 630 quadrillion | 44 days | 5.6 days | 3.5 hours |
| 10 chars | 60 quintillion | 11.6 years | 1.5 years | 14 days |
| 11 chars | 5.7 sextillion | 1,100 years | 139 years | 3.6 years |
| 12 chars | 540 sextillion | 105,000 years | 13,000 years | 340 years |
| 14 chars | 4.8 octillion | 950 million years | 119 million years | 3 million years |
| 16 chars | 43 nonillion | 8.6 trillion years | 1 trillion years | 27 billion years |
Important: These times assume true brute force against random passwords. Passwords based on words, patterns, or personal information can be cracked exponentially faster using dictionary and rule-based attacks.
Impact of Hashing Algorithm
The hash algorithm a website uses dramatically affects crack times. Slower algorithms are better for security:
| Algorithm | Speed (RTX 5090) | 8-char Crack Time | 12-char Crack Time | Security Rating |
|---|---|---|---|---|
| MD5 | 164 GH/s | 11 hours | 105,000 years | Weak (obsolete) |
| SHA-1 | 45 GH/s | 1.7 days | 380,000 years | Weak (deprecated) |
| SHA-256 | 3.2 GH/s | 24 days | 5.3 million years | Moderate |
| bcrypt (cost 10) | 184 KH/s | 1,140 years | 93 billion years | Strong |
| bcrypt (cost 12) | 46 KH/s | 4,560 years | 372 billion years | Strong |
| Argon2 | ~10 KH/s | 21,000 years | 1.7 trillion years | Excellent |
Good news: Most reputable websites now use bcrypt, scrypt, or Argon2. With these algorithms, even an 8-character random password would take thousands of years to crack.
The Math: Calculate It Yourself
Here's how to calculate password crack times:
Combinations = CharacterSetSize ^ PasswordLength
Combinations = 95^12 = 540,360,087,662,636,962,890,625
Seconds = Combinations / HashesPerSecond
Seconds = 540,360,087,662,636,962,890,625 / 164,000,000,000
Seconds = 3,295,000,000,000 (~104,500 years)
AverageTime = Seconds / 2 = ~52,250 years
Character Set Sizes
| Character Set | Size | Example |
|---|---|---|
| Numbers only | 10 | 0-9 |
| Lowercase only | 26 | a-z |
| Letters (mixed case) | 52 | a-z, A-Z |
| Alphanumeric | 62 | a-z, A-Z, 0-9 |
| All printable ASCII | 95 | Letters, numbers, symbols |
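The calculation above as a small calculator for choosing a length policy, added here as an example and not part of the original page. It uses the page's single RTX 5090 rates; it goes one step beyond the page by optionally counting every shorter length too (`up_to=True`) and by solving for the shortest length that meets a target. The function names and the 100-year target are assumptions chosen for illustration.

```python
# Added example: hash rates and character-set sizes are the page's figures;
# function names and the 100-year target are illustrative assumptions.
SECONDS_PER_YEAR = 31_557_600  # 365.25 days

RATES = {  # guesses per second, single RTX 5090 column of the page's table
    "MD5": 164_000_000_000, "SHA-1": 45_000_000_000,
    "SHA-256": 3_200_000_000, "bcrypt (cost 10)": 184_000,
    "bcrypt (cost 12)": 46_000, "Argon2": 10_000,
}

def keyspace(charset_size, length, up_to=False):
    """Candidates of exactly `length` chars, or of every length 1..length
    (up_to=True), which is what a search that does not know the length covers."""
    if up_to:
        return sum(charset_size ** k for k in range(1, length + 1))
    return charset_size ** length

def crack_seconds(charset_size, length, rate, average=False):
    """Worst-case seconds to exhaust the keyspace; half of that on average."""
    seconds = keyspace(charset_size, length) / rate
    return seconds / 2 if average else seconds

def min_length(charset_size, rate, target_years, limit=64):
    """Shortest random-password length whose average crack time exceeds target."""
    target_seconds = target_years * SECONDS_PER_YEAR
    for length in range(1, limit + 1):
        if crack_seconds(charset_size, length, rate, average=True) > target_seconds:
            return length
    raise ValueError("no length up to limit meets the target")

def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    if seconds < 1:
        return f"{seconds * 1000:.2g} ms"
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"{name:17} 8 chars: {humanize(crack_seconds(95, 8, rate)):>18}"
              f"   length for 100-year average: {min_length(95, rate, 100)}")
```

Counting shorter lengths as well adds only about 1% to the 95-character keyspace, so the page's exact-length figures are a fair approximation.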
Real-World Considerations
Why Actual Attacks Are Often Faster
- Dictionary attacks: Try common passwords first (instant for "password123")
- Rule-based attacks: Apply common patterns (P@ssw0rd variations)
- Credential stuffing: Test passwords leaked from other breaches
- Rainbow tables: Pre-computed hashes for unsalted passwords
- Social engineering: Guess based on personal information
Why Some Attacks Are Slower
- Rate limiting: Websites block after failed attempts
- Account lockout: Temporary or permanent lock after attempts
- CAPTCHA: Requires human interaction
- 2FA: Second factor blocks access even with correct password
- Slow hashing: bcrypt/Argon2 makes each guess expensive
Practical takeaway: Brute force math assumes attackers have obtained your hashed password from a database breach. Online attacks against live systems face rate limiting and other defenses. Offline attacks against stolen hashes follow the times shown above.
Recommendations Based on the Math
Password Length Guidelines
| Account Type | Minimum Length | Recommended | Rationale |
|---|---|---|---|
| Disposable accounts | 12 characters | 14 characters | Survives cloud cluster attack for years |
| Standard accounts | 14 characters | 16 characters | Safe for decades against any known threat |
| Email / Password manager | 16 characters | 20 characters | Protects high-value targets, future-proof |
| Financial / Critical | 18 characters | 20+ characters | Maximum security + hardware 2FA required |
Bottom line: A randomly generated 16-character password using our password generator would take trillions of years to crack—even with hardware that doesn't exist yet. That's the definition of "secure enough."