How does password length and character set affect brute-force cracking time (2025 benchmarks)?
Length matters far more than character variety. An 8-character password with symbols takes ~164 years to crack, while jumping to 12 characters pushes it into the billions of years — each extra character multiplies the work.
* Read it as steepness: each extra pair of characters multiplies crack time about 1000x (log axis), while a wider alphabet only shifts a curve up — length beats complexity. *
The table (Hive Systems, 2025; cracking 12× RTX 5090 GPUs against a slow bcrypt cost-10 hash) shows time-to-brute-force:
| Length | Numbers only | Lowercase | Upper+lower | + Numbers | + Symbols |
|---|---|---|---|---|---|
| 8 | instantly | 3 weeks | 15 years | 62 years | 164 years |
| 10 | 1 day | 40 years | 41k years | 238k years | 803k years |
| 12 | 3 months | 27k years | 111m years | 917m years | 3bn years |
| 14 | 28 years | 18m years | 300bn years | 3tn years | 19tn years |
| 16 | 2k years | 12bn years | 812tn years | 13qd years | 94qd years |
Read down any column: adding two characters multiplies the time by roughly 1000×. Read across any row: widening the alphabet (lowercase → +symbols) helps far less than that. So length wins — a long passphrase beats a short, complex password.
Real-world implication:
- Length doubles entropy more cheaply than complexity.
- bcrypt / Argon2 with high work factor is what makes the numbers this big — fast hashes (MD5, NTLM) collapse this table by 6–10 orders of magnitude.
- Passphrases of 4-5 random words ≈ 16-character random ≈ centuries.
Tip: Modern NIST SP 800-63B advice: drop forced complexity and character classes, push for 12+ chars, allow long passphrases, and block known-breached passwords. This is also reflected in ISO/IEC 27002:2022 control 5.17.
Go deeper:
Hive Systems 2025 password table (source of these numbers) — the primary benchmark: 12x RTX 5090 GPUs vs bcrypt cost-10, by length and charset.
Bcrypt and the work-factor (cost) parameter — why a slow hash is what makes these times explode, and how the cost is tuned upward over time.
Password strength — length vs complexity — the entropy argument behind why length wins and modern NIST advice.