
Here’s how long it takes to brute-force a password

It can be a lot more time than the hacker—or for that matter, the Earth—has left.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Exactly how long does it take a hacker to brute-force a password? Depending on the strength, it’s between “instantly” and…two septillion years. (For those keeping track, that’s something like 146 trillion times the known age of the universe.)

That’s according to a recent report by password management and authentication firm Specops Software, which estimated how long an attacker would need to guess a password based on how many characters it has and how complex it is. Specops researchers modeled the findings on a theoretical attacker running the Hashcat password recovery software using an Nvidia RTX 4090 graphics card—the fastest gaming card on the planet.

At an MSRP starting at $1,599, the RTX 4090 is well out of the price range of most gamers, but it would allow a cybercriminal to crack many weak passwords. For example, the 4090 can crack a 13-character password made up only of digits “instantly.” But since brute-force difficulty grows exponentially with password length and with the size of the character set, the same 13-character password containing only lowercase letters would take six weeks. Take it to a mix of 13 uppercase and lowercase letters, and the time jumps to 995 years, according to Specops. A 13-character password consisting of mixed-case letters and numbers would take 10,000 years.

Single-celled organisms first appeared on Earth some 3.5 billion years ago. If those germs had an RTX 4090, they’d have cracked a 16-character password using numbers and mixed-case letters sometime during the early Cambrian period (500 MYA). But they’d still be working on a 17-character password made just of mixed-case letters, which would take another 4.5 billion years (assuming the Sun hadn’t already absorbed the Earth slightly ahead of schedule). And so on and so forth.
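The scaling the two paragraphs above describe is a keyspace calculation: an exhaustive search has to cover charset_size ** length candidates, and the time is that count divided by the guessing rate. The following is an added example, not code from the article or from Specops; the page does not state the guessing rate, so the value used here is an assumption picked to land near the article's 13-character figures, and should be replaced with a Hashcat benchmark for your own hash type and hardware.

```python
"""Keyspace and worst-case brute-force time for the password classes above."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes behind the password classes the article compares.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
}

# ASSUMPTION: the page does not give a guesses-per-second figure. 6.5e11 was
# chosen only because it reproduces the article's 13-character numbers
# (about 6 weeks, 995 years, 10,000 years); it is not a measured 4090 rate.
ASSUMED_GUESSES_PER_SECOND = 6.5e11


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for one fixed length."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to try every candidate; the average case is half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def worst_case_years(charset_size: int, length: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Same as worst_case_seconds, expressed in years."""
    return worst_case_seconds(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def crack_time_table(length: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Map each password class to worst-case years for a password of `length`."""
    return {name: worst_case_years(size, length, guesses_per_second)
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    # Walk the same lengths the article uses: 13, 16 and 17 characters.
    for length in (13, 16, 17):
        for name, years in crack_time_table(length).items():
            print(f"{length:2d} chars, {name:18s}: {years:12.3g} years")
```

Changing ASSUMED_GUESSES_PER_SECOND rescales every row linearly, while adding one character multiplies every row by the charset size, which is why length beats complexity in the article's comparison of the 16-character and 17-character cases.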

“Even if your organization has been able to configure more secure hashing algorithms to secure the passwords used throughout systems for your organizations, MD5 and other insecure hashing methods pose a threat to you,” Darren James, Specops senior product manager, wrote in the blog post announcing the research. “The threat is password reuse.”

“Your users’ work passwords could be stored in the most secure way, but the minute they reuse that password on some less secure website and that website gets leaked, that attacker could be coming for your network,” James added.
