Why is it said that no password is uncrackable (Kein Passwort ist unknackbar) — what does that mean in practice?
Given infinite time, every password falls. The goal isn't unbreakable — it's making cracking economically infeasible.
The principle:
A password is just a finite string. With enough compute time, brute force will eventually try every combination. So security isn't binary; it's economic — make cracking cost more than the data is worth.
What "uncrackable enough" looks like:
| Password type | Crack time (modern GPU) |
|---|---|
| 8 chars, lowercase | seconds |
| 8 chars, mixed | hours |
| 12 chars, mixed | thousands of years |
| 6-word random passphrase | trillions of years |
The catch — Moore's Law:
GPU speed roughly doubles every 18 months. A password that takes 100 years today might take 1 year in 2040. So pick lengths that have decades of headroom.
Quantum threat:
Grover's algorithm on a future quantum computer would effectively halve password strength (e.g. 128-bit → 64-bit). Hashing functions already account for this with output sizes ≥256 bits.
Tip: This is why password rotation policies (NIST has actually deprecated mandatory rotation) matter less than length and uniqueness. A 16-char unique password rotated every 5 years beats an 8-char password rotated monthly.
Go deeper:
Brute-force attack (Wikipedia) — every password is crackable given enough guesses; length makes the time astronomical.
Hive Systems password table — real GPU benchmarks turning "crackable, just slow" into concrete per-length numbers.