Hi everyone – I’m back again with the 2025 update to our password table! Computers, and GPUs in particular, are getting WAY faster (thanks Jensen Huang and Sam Altman), but people are also picking and configuring stronger password hashing algorithms. This table outlines the time it takes a computer to brute force your password, and isn’t indicative of how fast a hacker can break your password – especially if they stole your password via phishing, or you reuse your passwords (it’s 2025 please stop doing that). It’s a good visual to show people why better passwords can lead to better cybersecurity – but ultimately it’s just one of the many tools we can use to talk about protecting ourselves online!
Receipts: Data compiled using independent data gathering and research from multiple sources about hashing functions, GPU power, and related data. The methodology, assumptions, and more data can be found at [www.hivesystems.com/password](http://www.hivesystems.com/password)
This assumes the system is vulnerable to a brute force attack though right?
A simple time out or lock out from too many failed attempts would stop even the “instant” ones.
Thingkingalot
So like is a hacker really willing to go after my password for 15 years of his life? And how is this measured? While the numbers sound good “a quintillion years and 3days to crack your password” how are they determined? Is this random brute force data? Even then, there are systems in place to stop brute force attacks. You don’t have to answer I’ll Google them later.
SamPrak
12 RTX 5090 bruh what whos having such stuff?
Burt_Macklin_FBI_123
12 RTX 5090s to crack my password for an iTunes account from 10 years ago? Be my guest.
Zuokula
nice, my pasword is 1qd years proof.
0k-ok
Well I’m good for 94qd years see ya later
ICantEvenGarne
Most phone passcodes are 4 digits long I assume this wouldn’t work in most cases as too many attempts will lock users out.
Necessary_Echo8740
One quindecillion years
That’s like what, a minute or two for a quantum computer?
dbfuentes
Yeah, my pasword is 463qn years proof.
HardStroke
I love how anything above 164 years and below 12bn years is not green.
12bn years is fine but 3bn years, idk man, its cutting it close.
mechanical-monkey
56 billion years. I’m ok with my password 😂
L3monSqueezy
When does a Password become green and when and why is it orange? Isn’t it more or less irrelevant if it takes 3bn years or 56bn years? When and why does a password become green?
nekomata_58
Correct-Horse-Battery-Staple
shadowds
Just wanted make sure I’m reading this correctly it say hardware time 12 5090?
Zaorysh
That moment when my random, stupid ass password is on the far end of good
Good job, brain
Double_DeluXe
Meanwhile the company has an user admin password admin webfacing terminal running in the background…
Alec_colin
Why is anything over 100k years in the yellow?
Drummer61190
I guess I’m safe with my Bitwarden randomly generated 25 characters passwords then 😅.
EternalFlame117343
RIP. I use 32 characters and numbers and it’s not in the table. Am I cooked?
morbihann
So basically 8 chars of all kinds is good enough.
mxpower76
“The password is 1,2,3,4,5. That’s amazing. I have the same password on my luggage”
HumonculusJaeger
A Password alone only does so much. even longer once.
Heir116
I mean, 60 years is long enough for someone to rethink their choices…. Maybe I’ll just do 8 letters and numbers 🤷♂️
Seeteuf3l
I should email this to whoever decided that one environment requires 30 character PW.
Me4TACyTeHePa
Can i stay assured that i will not be hacked if i have 2 phase authentication via mobile app?
GDog507
I’m happy to report that my password is still safe for 200,000 years lol
Mors_Umbra
The main issue I have with these sorts of tables is it implies the hacker already starts with intimite knowledge of your password, which should not be the case.
For example, if I have a 20-character password composed of only lowercase letters, is that *really* less difficult for them to brute force compared to one containing a mix of capitals and symbols? Unless the hacker has pre-existing knowledge that your password only contains lower case letters, then they have to try all combinations regardless and it is in fact, just as secure, is it not?
IMO length is the only thing that matters as long as your password field doesn’t stipulate silly conditions like ‘no symbols’ etc that give the hacker an edge. An odd, memorable sentence is going to be far more secure than some 10-character word-number-symbol soup that you probably forgot halfway through typing it in.
moon6080
What’s deemed instantly? We talking milliseconds or 5 seconds. Just wondering how time scales
Nodan_Turtle
My bank only required 8 digits, lowercase with one number, when I first signed up. That seems fine at first, except that tech will keep advancing. What might take between 15-62 years today might take hours a few years from now.
filbert13
Is this average time or is this the longest possible if their brute force guess was the last possible password?
bigtexasrob
Neat! My not strong enough password can’t be cracked in any amount of time that matters.
PontificatinPlatypus
“Password1234” = 917 million years to break.
<spins pen> I am invincible!!
Polly_____
Would using something like a yubikey stop a brute force?
kdttocs
So a space in the password makes in uncrackable?!?
justapileofshirts
Good to know that every password I use takes at least a year, and that I routinely forget passwords I don’t save within three months, so no one will ever crack a password before I have to change it.
Theo_95
bcrypt is outdated now Argon2 is preferred, would be interesting to see you repeat this test on it.
39 Comments
Hi everyone – I’m back again with the 2025 update to our password table! Computers, and GPUs in particular, are getting WAY faster (thanks Jensen Huang and Sam Altman), but people are also picking and configuring stronger password hashing algorithms. This table outlines the time it takes a computer to brute force your password, and isn’t indicative of how fast a hacker can break your password – especially if they stole your password via phishing, or you reuse your passwords (it’s 2025 please stop doing that). It’s a good visual to show people why better passwords can lead to better cybersecurity – but ultimately it’s just one of the many tools we can use to talk about protecting ourselves online!
Receipts: Data compiled using independent data gathering and research from multiple sources about hashing functions, GPU power, and related data. The methodology, assumptions, and more data can be found at [www.hivesystems.com/password](http://www.hivesystems.com/password)
Everything you need to know about passwords:
https://xkcd.com/936/
This assumes the system is vulnerable to a brute force attack though right?
A simple time out or lock out from too many failed attempts would stop even the “instant” ones.
So like is a hacker really willing to go after my password for 15 years of his life? And how is this measured? While the numbers sound good “a quintillion years and 3days to crack your password” how are they determined? Is this random brute force data? Even then, there are systems in place to stop brute force attacks. You don’t have to answer I’ll Google them later.
12 RTX 5090 bruh what whos having such stuff?
12 RTX 5090s to crack my password for an iTunes account from 10 years ago? Be my guest.
nice, my pasword is 1qd years proof.
Well I’m good for 94qd years see ya later
Most phone passcodes are 4 digits long I assume this wouldn’t work in most cases as too many attempts will lock users out.
One quindecillion years
That’s like what, a minute or two for a quantum computer?
Yeah, my pasword is 463qn years proof.
I love how anything above 164 years and below 12bn years is not green.
12bn years is fine but 3bn years, idk man, its cutting it close.
56 billion years. I’m ok with my password 😂
When does a Password become green and when and why is it orange? Isn’t it more or less irrelevant if it takes 3bn years or 56bn years? When and why does a password become green?
Correct-Horse-Battery-Staple
Just wanted make sure I’m reading this correctly it say hardware time 12 5090?
That moment when my random, stupid ass password is on the far end of good
Good job, brain
Meanwhile the company has an user admin password admin webfacing terminal running in the background…
Why is anything over 100k years in the yellow?
I guess I’m safe with my Bitwarden randomly generated 25 characters passwords then 😅.
RIP. I use 32 characters and numbers and it’s not in the table. Am I cooked?
So basically 8 chars of all kinds is good enough.
“The password is 1,2,3,4,5. That’s amazing. I have the same password on my luggage”
A Password alone only does so much. even longer once.
I mean, 60 years is long enough for someone to rethink their choices…. Maybe I’ll just do 8 letters and numbers 🤷♂️
I should email this to whoever decided that one environment requires 30 character PW.
Can i stay assured that i will not be hacked if i have 2 phase authentication via mobile app?
I’m happy to report that my password is still safe for 200,000 years lol
The main issue I have with these sorts of tables is it implies the hacker already starts with intimite knowledge of your password, which should not be the case.
For example, if I have a 20-character password composed of only lowercase letters, is that *really* less difficult for them to brute force compared to one containing a mix of capitals and symbols? Unless the hacker has pre-existing knowledge that your password only contains lower case letters, then they have to try all combinations regardless and it is in fact, just as secure, is it not?
IMO length is the only thing that matters as long as your password field doesn’t stipulate silly conditions like ‘no symbols’ etc that give the hacker an edge. An odd, memorable sentence is going to be far more secure than some 10-character word-number-symbol soup that you probably forgot halfway through typing it in.
What’s deemed instantly? We talking milliseconds or 5 seconds. Just wondering how time scales
My bank only required 8 digits, lowercase with one number, when I first signed up. That seems fine at first, except that tech will keep advancing. What might take between 15-62 years today might take hours a few years from now.
Is this average time or is this the longest possible if their brute force guess was the last possible password?
Neat! My not strong enough password can’t be cracked in any amount of time that matters.
“Password1234” = 917 million years to break.
<spins pen> I am invincible!!
Would using something like a yubikey stop a brute force?
So a space in the password makes in uncrackable?!?
Good to know that every password I use takes at least a year, and that I routinely forget passwords I don’t save within three months, so no one will ever crack a password before I have to change it.
bcrypt is outdated now Argon2 is preferred, would be interesting to see you repeat this test on it.
3bn years, Im satisfied.