I updated our password cracking table for 2025

39 Comments

  1. hivesystems

    Hi everyone – I’m back again with the 2025 update to our password table! Computers, and GPUs in particular, are getting WAY faster (thanks Jensen Huang and Sam Altman), but people are also picking and configuring stronger password hashing algorithms. This table outlines the time it takes a computer to brute force your password, and isn’t indicative of how fast a hacker can break your password – especially if they stole your password via phishing, or you reuse your passwords (it’s 2025 please stop doing that). It’s a good visual to show people why better passwords can lead to better cybersecurity – but ultimately it’s just one of the many tools we can use to talk about protecting ourselves online!

    Receipts: Data compiled using independent data gathering and research from multiple sources about hashing functions, GPU power, and related data. The methodology, assumptions, and more data can be found at [www.hivesystems.com/password](http://www.hivesystems.com/password)

  2. danivus

    This assumes the system is vulnerable to a brute force attack though right?

    A simple time out or lock out from too many failed attempts would stop even the “instant” ones.

  3. Thingkingalot

    So like is a hacker really willing to go after my password for 15 years of his life? And how is this measured? While the numbers sound good “a quintillion years and 3days to crack your password” how are they determined? Is this random brute force data? Even then, there are systems in place to stop brute force attacks. You don’t have to answer I’ll Google them later.

  4. SamPrak

    12 RTX 5090 bruh what whos having such stuff?

  5. Burt_Macklin_FBI_123

    12 RTX 5090s to crack my password for an iTunes account from 10 years ago? Be my guest.

  6. Well I’m good for 94qd years see ya later

  7. ICantEvenGarne

    Most phone passcodes are 4 digits long I assume this wouldn’t work in most cases as too many attempts will lock users out.

  8. Necessary_Echo8740

    One quindecillion years

    That’s like what, a minute or two for a quantum computer?

  9. dbfuentes

    Yeah, my pasword is 463qn years proof.

  10. HardStroke

    I love how anything above 164 years and below 12bn years is not green.
    12bn years is fine but 3bn years, idk man, its cutting it close.

  11. mechanical-monkey

    56 billion years. I’m ok with my password 😂

  12. L3monSqueezy

    When does a Password become green and when and why is it orange? Isn’t it more or less irrelevant if it takes 3bn years or 56bn years? When and why does a password become green?

  13. shadowds

    Just wanted make sure I’m reading this correctly it say hardware time 12 5090?

  14. Zaorysh

    That moment when my random, stupid ass password is on the far end of good
    Good job, brain

  15. Double_DeluXe

    Meanwhile the company has an user admin password admin webfacing terminal running in the background…

  16. Alec_colin

    Why is anything over 100k years in the yellow?

  17. Drummer61190

    I guess I’m safe with my Bitwarden randomly generated 25 characters passwords then 😅.

  18. EternalFlame117343

    RIP. I use 32 characters and numbers and it’s not in the table. Am I cooked?

  19. morbihann

    So basically 8 chars of all kinds is good enough.

  20. mxpower76

    “The password is 1,2,3,4,5. That’s amazing. I have the same password on my luggage” 

  21. HumonculusJaeger

    A Password alone only does so much. even longer once.

  22. Heir116

    I mean, 60 years is long enough for someone to rethink their choices…. Maybe I’ll just do 8 letters and numbers 🤷‍♂️

  23. Seeteuf3l

    I should email this to whoever decided that one environment requires 30 character PW.

  24. Me4TACyTeHePa

    Can i stay assured that i will not be hacked if i have 2 phase authentication via mobile app?

  25. GDog507

    I’m happy to report that my password is still safe for 200,000 years lol

  26. Mors_Umbra

    The main issue I have with these sorts of tables is it implies the hacker already starts with intimite knowledge of your password, which should not be the case.

    For example, if I have a 20-character password composed of only lowercase letters, is that *really* less difficult for them to brute force compared to one containing a mix of capitals and symbols? Unless the hacker has pre-existing knowledge that your password only contains lower case letters, then they have to try all combinations regardless and it is in fact, just as secure, is it not?

    IMO length is the only thing that matters as long as your password field doesn’t stipulate silly conditions like ‘no symbols’ etc that give the hacker an edge. An odd, memorable sentence is going to be far more secure than some 10-character word-number-symbol soup that you probably forgot halfway through typing it in.

  27. moon6080

    What’s deemed instantly? We talking milliseconds or 5 seconds. Just wondering how time scales

  28. Nodan_Turtle

    My bank only required 8 digits, lowercase with one number, when I first signed up. That seems fine at first, except that tech will keep advancing. What might take between 15-62 years today might take hours a few years from now.

  29. filbert13

    Is this average time or is this the longest possible if their brute force guess was the last possible password?

  30. bigtexasrob

    Neat! My not strong enough password can’t be cracked in any amount of time that matters.

  31. PontificatinPlatypus

    “Password1234” = 917 million years to break.

    <spins pen> I am invincible!!

  32. Polly_____

    Would using something like a yubikey stop a brute force?

  33. kdttocs

    So a space in the password makes in uncrackable?!?

  34. justapileofshirts

    Good to know that every password I use takes at least a year, and that I routinely forget passwords I don’t save within three months, so no one will ever crack a password before I have to change it.

  35. Theo_95

    bcrypt is outdated now Argon2 is preferred, would be interesting to see you repeat this test on it.

Write A Comment