
Published: 2026-04-21

How Long to Crack My Password? (2026 Guide)

Find out exactly how long it takes to crack your password in 2026. Real GPU benchmarks, crack time tables by length and charset, and a free strength checker.


Here's the short answer: an 8-character password can be cracked in under 11 hours using a single consumer GPU — if the site stored it as an unsalted MD5 hash. That same password behind bcrypt would take over 1,000 years on the same hardware.

The number that matters isn't just your password length. It's the combination of length, character variety, and how the target system stored the hash. Get one of those wrong and even a "strong" password isn't.

Want to know where your current password stands? Paste it into our Password Strength Checker — it runs locally in your browser, nothing is ever sent anywhere.


The Two Very Different Worlds of Password Cracking

Before any table or benchmark makes sense, you need to understand this split:

Online attacks — the attacker is trying to log in through a real login form. Most services rate-limit to 5–100 attempts per minute, lock accounts after failures, or require CAPTCHAs. At 10 guesses per second, cracking a random 8-character lowercase password would take roughly 6.6 years. Rate limiting saves millions of weak passwords every day. While a server might lock your account after 5 failed attempts, an attacker with a leaked database can guess millions of times per second without you ever knowing.

Offline attacks — the attacker has already stolen a database of hashed passwords (a breach). Now they run billions of guesses per second against those hashes on their own hardware, with no rate limiting at all. This is where it gets brutal.

The rest of this article is about offline attacks. That's the realistic threat model.


2026 GPU Crack Speeds: The Baseline

Modern password cracking runs on GPUs, not CPUs. A single RTX 4090 — a consumer card you can buy for around $1,600 — hits these speeds in Hashcat:

| Hash Algorithm | Speed (RTX 4090) |
|---|---|
| MD5 | ~164 billion/sec |
| SHA-256 | ~23 billion/sec |
| bcrypt (cost 10) | ~184,000/sec |
| Argon2id | ~15,000/sec |

That difference between MD5 and bcrypt isn't a typo. It's a 1,000,000× gap. Password hashing algorithms designed for security (bcrypt, Argon2) are deliberately slow. MD5 and SHA-1 are designed for speed and absolutely should not be used to store passwords — but plenty of breached databases still contain them.

A botnet or cloud GPU cluster multiplies these numbers linearly. 100 RTX 4090s? Multiply everything by 100.


Password Crack Time Table (2026 Benchmarks)

This table shows the time to crack a password by brute force using a single RTX 4090. It assumes the attacker is trying every possible combination — no dictionary, no leaks.

Against MD5 (legacy / bad storage)

| Password Type | Length | Combinations | Crack Time |
|---|---|---|---|
| Lowercase only | 6 | 309 million | Instant |
| Lowercase only | 8 | 209 billion | ~1.3 seconds |
| Lowercase + uppercase | 8 | 218 trillion | ~22 minutes |
| All printable ASCII | 8 | 6.6 quadrillion | ~11 hours |
| All printable ASCII | 10 | 59 quintillion | ~11.6 years |
| All printable ASCII | 12 | 54 sextillion | ~104,000 years |
| All printable ASCII | 16 | 4.4 octillion | ~850 billion years |

Against bcrypt cost=10 (good storage)

| Password Type | Length | Crack Time |
|---|---|---|
| Lowercase only | 8 | ~13 days |
| Lowercase + uppercase | 8 | ~37 years |
| All printable ASCII | 8 | ~1,138 years |
| All printable ASCII | 10 | ~10 million years |
| All printable ASCII | 12 | Effectively uncrackable |

The takeaway: the storage algorithm matters enormously. But you don't control how the site you're logging into stores passwords. So your defense is making your password long enough that even the worst-case storage (MD5) buys you enough time.

12 characters of all charsets against MD5 = 104,000 years. That's your minimum target.


What "Character Set" Actually Means

When attackers brute force, they pick a charset — the pool of characters they assume the password uses. Each added character type multiplies the search space dramatically.

  • Lowercase only (a–z): 26 characters
  • + Uppercase (A–Z): 52 characters
  • + Numbers (0–9): 62 characters
  • + Symbols (!@#...): ~95 printable ASCII characters

Going from lowercase-only to all-ASCII on an 8-character password multiplies the combinations by 31,000×. Same length, massively different crack time.

This is why the advice "add a capital and a number" exists. It's not wrong — it just doesn't go far enough. Length beats complexity, but you need both.


Dictionary Attacks Are Much Faster Than Brute Force

The tables above assume random passwords. Yours probably isn't random.

A dictionary attack starts with:

  • The 10 billion most common passwords from breached databases (RockYou2024 has 10B entries)
  • Common substitutions: E→3, A→@, S→$, o→0
  • Name + birth year patterns: sarah1998, Michael2001
  • Keyboard walks: qwerty, 123456, zxcvbnm

A GPU can run 100+ billion modified dictionary guesses per second against MD5. P@ssw0rd takes milliseconds. Tr0ub4dor&3 — made famous by XKCD — is in the lists by now.

The defense against dictionary attacks is true randomness. Not randomness you invented in your head — actual randomness from a CSPRNG. Our Password Generator uses the Web Crypto API to do exactly that. You're not going to outguess an attacker with a 10-billion-entry wordlist.
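One way to turn crypto.getRandomValues() output into a password without modulo bias is rejection sampling. This is an added example, not the site's generator code; the 94-character set and the names CHARSET, randomIndex, generatePassword and entropyBits are assumptions made for illustration.

```javascript
// Added example, not the site's generator code. Names are illustrative.
// Browsers and Node 19+ expose Web Crypto as globalThis.crypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Printable ASCII 0x21..0x7E: 94 characters. Space (0x20) is left out
// because some login forms trim leading or trailing whitespace.
const CHARSET = Array.from({ length: 94 }, (_, i) =>
  String.fromCharCode(0x21 + i)).join("");

// Uniform integer in [0, n) by rejection sampling.
// A plain `byte % n` is biased when 256 is not a multiple of n: for
// n = 94, indexes 0..67 would appear 3 times in 256 and 68..93 only twice.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("n must be an integer in 1..256");
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits a byte
  const buf = new Uint8Array(1);
  for (;;) {
    webCrypto.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n; // discard bytes >= limit
  }
}

function generatePassword(length = 16, charset = CHARSET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  let out = "";
  for (let i = 0; i < length; i++) out += charset[randomIndex(charset.length)];
  return out;
}

// Entropy of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

console.log(generatePassword(16), entropyBits(16, CHARSET.length).toFixed(1), "bits");
```

The entropy figure only holds because every character is drawn uniformly and independently; it does not apply to a password a person made up.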


The Real-World Threat: Credential Stuffing

Most people don't get their accounts compromised by brute force. They get hit by credential stuffing: an attacker takes a leaked username/password pair from one breach and tries it on 200 other services.

Your Gmail password leaked from a forum you signed up for in 2015? If you reused it anywhere, those accounts are gone before you notice.

The fix is one password per site, generated randomly. That turns credential stuffing from an automated sweep into an impossible per-account brute force.


How to Actually Know Your Password's Strength

Estimating crack time by hand is tedious. Our Password Strength Checker does the entropy math automatically — it shows you:

  • The entropy in bits
  • A crack time estimate at consumer GPU speeds
  • A strength rating from Very Weak to Very Strong
  • Which charset requirements you're hitting

It runs entirely client-side. Type your password in — it never leaves your browser, and it's never logged anywhere.
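The entropy and crack-time arithmetic described above can be sketched as follows, using the single RTX 4090 hash rates quoted earlier in this article. This is an added example, not the site's checker code; the names RATES, CLASSES, analyze and humanize, the 33-symbol class size and the sample password are assumptions.

```javascript
// Added example, not the site's checker. Hash rates are the single
// RTX 4090 figures quoted in this article; all names are illustrative.
const RATES = { md5: 164e9, sha256: 23e9, bcrypt10: 184000, argon2id: 15000 };

// Character classes an exhaustive search would have to include.
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  { name: "symbols", re: /[^a-zA-Z0-9]/, size: 33 }, // rest of printable ASCII
];

// Upper bound only: assumes every character was chosen uniformly at random.
// A human-chosen password such as "P@ssw0rd" scores 95^8 here but falls to
// a wordlist long before the keyspace is exhausted.
function analyze(password) {
  if (typeof password !== "string" || password.length === 0) {
    throw new TypeError("password must be a non-empty string");
  }
  const used = CLASSES.filter((c) => c.re.test(password));
  const pool = used.reduce((sum, c) => sum + c.size, 0);
  const length = [...password].length; // count code points, not UTF-16 units
  const keyspace = Math.pow(pool, length);
  const seconds = {};
  for (const [algo, rate] of Object.entries(RATES)) {
    seconds[algo] = keyspace / rate; // time to try the whole keyspace
  }
  return { classes: used.map((c) => c.name), pool, length,
           bits: length * Math.log2(pool), seconds };
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600],
                 ["minutes", 60], ["seconds", 1]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return "under 1 second";
}

const sample = analyze("k7#Qm2!xVp9z"); // constructed sample, 12 chars, 4 classes
for (const [algo, s] of Object.entries(sample.seconds)) {
  console.log(algo.padEnd(9), humanize(s));
}
```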


The 2026 AI Cracking Question

You might have seen headlines about AI improving password cracking. It's real but overhyped. Tools like PassGAN can generate plausible-looking passwords using neural networks trained on breach data.

What this actually means: dictionary attacks got a bit smarter. They're now better at guessing human-invented patterns. It doesn't change the math for truly random passwords. A 16-character random password against bcrypt is still "heat death of the universe" territory, with or without AI.

The response is the same as always: random, long, unique. AI makes human-picked passwords worse. It doesn't touch machine-generated ones.


Five Rules That Match the Data

The crack time tables above make these conclusions obvious:

  1. 12+ characters is the new minimum. 8 is dead against MD5. 10 buys you a decade. 12 buys you the rest of your life.
  2. Use all four character types. Lowercase, uppercase, numbers, symbols. The 31,000× multiplier is real.
  3. Never reuse passwords. Credential stuffing makes reuse the #1 real-world attack vector.
  4. Use a password manager. You can't memorize 200 unique 16-character random passwords. You shouldn't try.
  5. Generate, don't invent. Use our Password Generator — it uses crypto.getRandomValues() under the hood, which is the same entropy source your OS uses for cryptographic keys.

Quick Reference: What Password Length Should You Use?

| Use Case | Recommended Length | Charset |
|---|---|---|
| Throwaway / low-risk account | 12 characters | All ASCII |
| Email / social media | 16 characters | All ASCII |
| Banking / financial | 20+ characters | All ASCII |
| Master password (password manager) | 6–7 words | Passphrase |
| Work accounts / SSO | 16 characters | All ASCII |
| Numeric PIN (phone, card, recovery) | 6–8 digits | Use our PIN Generator |

For master passwords, a passphrase is the right call — long, high entropy, actually memorable. For everything else, a random password stored in a manager wins.


Bottom Line

An 8-character password is not secure in 2026. Full stop. Modern GPUs make it a solved problem in hours against bad storage and years against good storage — but you don't know which one you're dealing with.

The math is clear: 12 random characters with full charset diversity gives you ~104,000 years against MD5 and effectively infinity against bcrypt. Go longer and you're in "doesn't matter" territory for every realistic threat.

Check where your current passwords stand with the Password Strength Checker, then use the Password Generator to replace the ones that don't hold up. The whole process takes five minutes.


Frequently Asked Questions

How long does it take to crack an 8-character password?

Using a single RTX 4090 GPU, an 8-character lowercase-only password takes about 1.3 seconds against MD5 storage. With all printable ASCII characters it takes around 11 hours. Against bcrypt (cost 10), the same password takes over 1,000 years — which is why the storage algorithm matters as much as the password itself.

Is a 12-character password strong enough in 2026?

Yes — a 12-character random password using all four character types is the modern minimum. It provides over 100,000 years of protection against offline MD5 brute-force and is effectively uncrackable against bcrypt. Anything shorter is a liability against modern GPU hardware.

What is the difference between online and offline password cracking?

Online cracking targets a live login form and is throttled by rate-limiting and account lockouts to a handful of guesses per second. Offline cracking runs against a stolen database of password hashes at billions of guesses per second with no restrictions. Every major breach puts your passwords in the offline threat model — that is the scenario these tables are built around.
