LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does password length and character set affect brute-force cracking time (2025 benchmarks)?

Length matters far more than character variety. An 8-character password with symbols takes ~164 years to crack, while jumping to 12 characters pushes it into the billions of years — each extra character multiplies the work.

Log-scale line chart of brute-force cracking time in years versus password length (8 to 16) for five character sets, using Hive Systems 2025 bcrypt benchmarks

* Read it as steepness: each extra pair of characters multiplies crack time about 1000x (log axis), while a wider alphabet only shifts a curve up — length beats complexity. *

The table (Hive Systems, 2025; cracking 12× RTX 5090 GPUs against a slow bcrypt cost-10 hash) shows time-to-brute-force:

Length Numbers only Lowercase Upper+lower + Numbers + Symbols
8 instantly 3 weeks 15 years 62 years 164 years
10 1 day 40 years 41k years 238k years 803k years
12 3 months 27k years 111m years 917m years 3bn years
14 28 years 18m years 300bn years 3tn years 19tn years
16 2k years 12bn years 812tn years 13qd years 94qd years

Read down any column: adding two characters multiplies the time by roughly 1000×. Read across any row: widening the alphabet (lowercase → +symbols) helps far less than that. So length wins — a long passphrase beats a short, complex password.

Real-world implication:

  • Length doubles entropy more cheaply than complexity.
  • bcrypt / Argon2 with high work factor is what makes the numbers this big — fast hashes (MD5, NTLM) collapse this table by 6–10 orders of magnitude.
  • Passphrases of 4-5 random words ≈ 16-character random ≈ centuries.

Tip: Modern NIST SP 800-63B advice: drop forced complexity and character classes, push for 12+ chars, allow long passphrases, and block known-breached passwords. This is also reflected in ISO/IEC 27002:2022 control 5.17.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026