Password crack time estimates are thrown around a lot, but they’re often misleading — calculated against unrealistic hardware assumptions or without accounting for real-world attack methods. Here are honest, grounded numbers based on how attacks actually happen.
Two Very Different Attack Scenarios
Crack time depends almost entirely on the attack scenario, not just the password. There are two fundamentally different situations:
- Online attacks — The attacker is trying passwords against a live login form. Rate limiting, account lockouts, and CAPTCHAs slow these attacks to perhaps 10–100 attempts per second at most. A 6-digit PIN has only a million combinations and falls in a fraction of a second offline; online, at 10 attempts per second, exhausting them takes more than a day, and most services lock the account after a handful of failures.
- Offline attacks — The attacker has a copy of the hashed password database (from a breach) and is running cracking software on their own hardware with no rate limiting. A single modern GPU can test tens of billions of MD5 hashes per second, and a cluster scales with the number of cards. This is the scenario that makes password strength genuinely matter.
When security researchers talk about crack times, they’re almost always discussing offline attacks, which is the correct frame — because this is what happens after a database breach.
The Real Numbers by Password Length and Type
Against a modern GPU cracking rig targeting unsalted MD5 hashes at roughly 100 billion (10^11) guesses per second, about the rate of a single high-end consumer GPU, the time to exhaust the full keyspace is (an attacker needs half of it on average):
- 6 characters, lowercase only (26^6 ≈ 3 × 10^8 combinations): Milliseconds
- 8 characters, mixed case + numbers (62^8 ≈ 2 × 10^14): About half an hour
- 10 characters, mixed case + numbers + symbols (95^10 ≈ 6 × 10^19): About 19 years
- 12 characters, random mixed (95^12 ≈ 5 × 10^23): Roughly 170,000 years
- 16 characters, random mixed (95^16 ≈ 4 × 10^31): Around 10^13 years, about a thousand times the age of the universe
- 6-word diceware passphrase (7776^6 ≈ 2 × 10^23): About 70,000 years even if the attacker knows the word list and tries every 6-word combination; against character-by-character brute force of a phrase roughly 30 letters long, far longer than the age of the universe
These estimates apply to random passwords. Passwords following predictable patterns (dictionary words, common substitutions, known formats) are cracked much faster because attackers use dictionary attacks and rule-based attacks, not just brute force. A “complex” 12-character password based on a dictionary word with common substitutions might fall in minutes.
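The figures above are nothing more than keyspace divided by guess rate. The following script is an added example (not code from the original article) that reproduces them and lets you substitute your own rate; the charset sizes and the 7776-word diceware list size are standard, the `ROWS` table and the 13.8-billion-year age of the universe are the only constants assumed for the example, and the worst-case convention (every combination tried) matches the table.

```python
"""Brute-force crack time arithmetic for the table above.

Added example, not code from the original article. It computes the
worst-case time to exhaust a keyspace at an assumed guess rate
(default 1e11 guesses/s, the article's MD5 figure) and the equivalent
entropy in bits.
"""
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 1.38e10  # about 13.8 billion years (assumed constant)

# Alphabet sizes used for the rows in the table.
LOWER = 26
MIXED_DIGITS = 26 + 26 + 10   # 62
PRINTABLE = 95                # printable ASCII incl. space (hashcat's ?a)
DICEWARE = 7776               # 6^5 words on the standard diceware list


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = 1e11) -> float:
    """Worst case: every combination is tried. Expected time is half this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float = 1e11) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def human(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    if seconds < 1:
        return f"{seconds * 1000:.3g} ms"
    for unit, size in (("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365.25)):
        if seconds < size:
            return f"{seconds:.3g} {unit}"
        seconds /= size
    # `seconds` now holds years
    if seconds < UNIVERSE_AGE_YEARS:
        return f"{seconds:.3g} years"
    return f"{seconds / UNIVERSE_AGE_YEARS:.3g}x the age of the universe"


# Constructed rows matching the table in the article.
ROWS = [
    ("6 characters, lowercase only", LOWER, 6),
    ("8 characters, mixed case + numbers", MIXED_DIGITS, 8),
    ("10 characters, mixed case + numbers + symbols", PRINTABLE, 10),
    ("12 characters, random mixed", PRINTABLE, 12),
    ("16 characters, random mixed", PRINTABLE, 16),
    ("6-word diceware passphrase (attacker knows the list)", DICEWARE, 6),
]


def report(guesses_per_second: float = 1e11):
    """Return (label, entropy bits, human-readable worst-case time) per row."""
    return [(label, round(entropy_bits(n, k), 1),
             human(seconds_to_exhaust(n, k, guesses_per_second)))
            for label, n, k in ROWS]


if __name__ == "__main__":
    for rate, name in ((1e11, "MD5 on a single high-end GPU"),
                       (1e4, "bcrypt at a typical cost factor")):
        print(f"\n{name} (~{rate:.0e} guesses/s):")
        for label, bits, when in report(rate):
            print(f"  {label:55} {bits:5.1f} bits  {when}")
```

Entropy makes the comparison between shapes easy: a 6-word diceware phrase carries about 77.5 bits, a 12-character random printable-ASCII password about 78.8 bits, so against an attacker who knows the word list they sit in the same class; the passphrase is just far easier to remember.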
How Dictionary and Rule-Based Attacks Change Everything
Modern password cracking doesn’t try every possible character combination. Tools like Hashcat use:
- Dictionary attacks — Testing millions of known words, names, and phrases
- Rule-based mutations — Applying known modification patterns (capitalize first letter, add number at end, replace letters with symbols)
- Hybrid attacks — Dictionary words combined with brute-force segments
- Markov chain attacks — Generating statistically likely character sequences based on how humans create passwords
These techniques mean that “P@ssw0rd1” — which looks complex to a human — is likely in the first few thousand guesses of a good dictionary attack because that exact transformation pattern is well-known.
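To make that concrete, here is a miniature dictionary-plus-rules attack, added as an example (it is not code from the original article and not hashcat's implementation). It interprets a small subset of hashcat's rule syntax and reports at which guess number each of a few constructed targets falls; the wordlist, the rule set and the "breached" MD5 hashes are all constructed for the example.

```python
"""Dictionary attack with hashcat-style rules, in miniature.

Added example, not code from the original article and not hashcat's own
implementation. Supported subset of hashcat's rule functions:
  :    no-op (try the word unchanged)     l / u  lowercase / uppercase all
  c    capitalize first, lowercase rest   $X     append character X
  ^X   prepend character X                sXY    replace every X with Y
"""
import hashlib

# Constructed wordlist: the kind of words that top real leaked-password lists.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein", "monkey", "qwerty"]

# Constructed rule set. Functions in one line apply left to right, so
# "c sa@ so0 $1" turns "password" into "P@ssw0rd1".
RULES = [
    ":", "c", "u", "$1", "$!",
    "c $1", "c $!", "c $1 $2 $3",
    "sa@", "so0", "c sa@ so0", "c sa@ so0 $1", "c sa@ so0 $!",
    "^!", "c ^!",
]


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to a word. Spaces between functions are ignored,
    so a literal space argument (hashcat's '$ ') is not supported here."""
    r = rule.replace(" ", "")
    i = 0
    while i < len(r):
        f = r[i]
        if f == ":":
            i += 1
        elif f == "l":
            word = word.lower()
            i += 1
        elif f == "u":
            word = word.upper()
            i += 1
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif f == "$":
            word = word + r[i + 1]
            i += 2
        elif f == "^":
            word = r[i + 1] + word
            i += 2
        elif f == "s":
            word = word.replace(r[i + 1], r[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
    return word


def candidates(wordlist, rules):
    """Yield (guess_number, candidate) in attack order: every rule against
    each word before moving on to the next word."""
    n = 0
    for word in wordlist:
        for rule in rules:
            n += 1
            yield n, apply_rule(word, rule)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST, rules=RULES):
    """Return {hash: (plaintext, guess_number)} for every target recovered."""
    remaining = set(target_hashes)
    found = {}
    for n, cand in candidates(wordlist, rules):
        h = md5_hex(cand)
        if h in remaining:
            found[h] = (cand, n)
            remaining.discard(h)
            if not remaining:
                break
    return found


# Constructed "breached database": unsalted MD5 of four human-chosen passwords.
TARGETS = {md5_hex(p) for p in ("P@ssw0rd1", "Welcome!", "dragon", "Summer123")}

if __name__ == "__main__":
    total = len(WORDLIST) * len(RULES)
    for h, (pw, n) in sorted(crack(TARGETS).items(), key=lambda kv: kv[1][1]):
        print(f"{h}  {pw:<12} guess #{n} of {total}")
    # By contrast, exhaustive search over 9 printable characters would be
    # 95**9 (about 6.3e17) guesses before "P@ssw0rd1" is guaranteed to fall.
```

With seven words and fifteen rules, "P@ssw0rd1" falls at guess 12 out of 105. Real attacks run tens of millions of words through rule files with thousands of entries, and because every candidate that fails one hash is also a candidate for every other unsalted hash in the dump, a single pass recovers a large fraction of a breached database.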
The Effect of Hashing Algorithm
How the password was stored matters as much as the password itself. Against bcrypt (a deliberately slow hash designed for passwords), the same GPU rig drops from billions of guesses per second to thousands, and each increment of bcrypt's cost parameter halves that again; a per-user salt also forces the attacker to crack each account separately instead of testing one guess against the whole database at once. Many older or poorly built applications still store passwords with fast, general-purpose hashes (MD5, SHA-1), often unsalted, which provide almost no protection against offline cracking.
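You can measure the difference yourself. The script below is an added example, not code from the original article; because bcrypt is not in Python's standard library it uses PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) as the slow hash, which shares the property that matters here, a tunable work factor that multiplies the cost of every guess. The iteration count, salt and candidate list are assumptions for the example, and the measured rates are for one CPU thread: only the ratio between the fast and slow hash carries over to GPU hardware.

```python
"""Fast hash vs. slow password hash: measured guess rate on one CPU core.

Added example, not code from the original article. PBKDF2-HMAC-SHA256
stands in for bcrypt (not in the standard library); the principle of a
tunable work factor is the same. Absolute numbers depend on the machine;
the ratio is the point.
"""
import hashlib
import os
import time

SALT = os.urandom(16)      # constructed; a real store keeps one salt per user
ITERATIONS = 100_000       # assumed work factor for the slow hash

# Constructed candidate guesses; their content does not affect the timing.
CANDIDATES = [w.encode() for w in ("password", "P@ssw0rd1", "Summer123", "dragon")]


def md5_guess(candidate: bytes) -> bytes:
    """A fast, unsalted general-purpose hash: one MD5 over the guess."""
    return hashlib.md5(candidate).digest()


def pbkdf2_guess(candidate: bytes, iterations: int = ITERATIONS) -> bytes:
    """A slow password hash: `iterations` chained HMAC-SHA256 calls per guess."""
    return hashlib.pbkdf2_hmac("sha256", candidate, SALT, iterations)


def guesses_per_second(hash_fn, candidates=CANDIDATES, min_seconds=0.2) -> float:
    """Run hash_fn over the candidates repeatedly for at least min_seconds
    and return the measured guess rate."""
    count = 0
    start = time.perf_counter()
    while True:
        for c in candidates:
            hash_fn(c)
        count += len(candidates)
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


def slowdown_factor() -> float:
    """How many times fewer guesses per second the slow hash allows."""
    return guesses_per_second(md5_guess) / guesses_per_second(pbkdf2_guess)


def work_factor_scaling(iterations: int = ITERATIONS) -> float:
    """Doubling the work factor should roughly halve the guess rate (ratio ~2)."""
    base = guesses_per_second(lambda c: pbkdf2_guess(c, iterations))
    doubled = guesses_per_second(lambda c: pbkdf2_guess(c, 2 * iterations))
    return base / doubled


if __name__ == "__main__":
    fast = guesses_per_second(md5_guess)
    slow = guesses_per_second(pbkdf2_guess)
    print(f"MD5:     {fast:14,.0f} guesses/s")
    print(f"PBKDF2:  {slow:14,.0f} guesses/s  ({fast / slow:,.0f}x slower)")
    print(f"Doubling the iteration count costs the attacker {work_factor_scaling():.1f}x")
    space = 62 ** 8  # 8 characters, mixed case + digits
    print(f"62^8 keyspace on this thread: {space / fast / 86400:.1f} days at the MD5 rate, "
          f"{space / slow / 86400 / 365.25:,.0f} years at the PBKDF2 rate")
```

The slowdown factor is what turns the "about half an hour" row for 8 mixed-case characters into years, and it is under the defender's control: raising the work factor as hardware improves keeps the attacker's guess rate roughly constant while costing the login path a few hundred milliseconds.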
Testing Your Password’s Resistance
The Password Strength Test gives you crack time estimates across four real attack scenarios — brute force, dictionary, hybrid, and GPU cluster — based on your password’s characteristics. You describe the password type and length rather than entering the actual password, so your credentials are never exposed.
The Practical Takeaway
For passwords that are stored by third-party services (which you can’t control), length and randomness are your primary defenses. Aim for 16+ random characters managed by a password manager. For truly critical accounts — your email, your password manager master password — add 2FA so that even if the password is cracked, it’s useless without the second factor.