How Long Would It Take to Brute-Force Your Password in 2025?
Modern GPUs crack short passwords in seconds. Here is the current time-to-crack table for every password length and character set.
The numbers that should motivate you
With a modern GPU cluster (the kind used for password cracking, not generative AI), an 8-character password using uppercase, lowercase, numbers, and symbols can be cracked in under an hour if it's stored as an MD5 hash. The same password stored as bcrypt (work factor 10) takes roughly 3 years. The difference isn't the password — it's how the site stored it.
You don't control how sites store your passwords. You do control the passwords themselves. Here are the actual timelines.
Cracking rates for current hardware (2025)
Reference hardware: consumer GPU cluster (4× RTX 4090), which costs under $10,000 and is accessible to well-funded attackers.
- MD5: ~200 billion hashes/second. 8 characters from the full 95-character set: 0.4 hours. 10 characters: 4 years. 12 characters: 35,000 years.
- SHA-256: ~8 billion hashes/second. 8 chars: 11 hours. 10 chars: 120 years.
- bcrypt (cost 10): ~8,000 hashes/second per GPU. 8 chars: 4,000 years. 10 chars: effectively infinite.
- Argon2id: Designed to be memory-hard; GPU cracking is much less effective. Modern best practice.
Why the hash algorithm matters more than you might think
These numbers assume a full brute-force search. In practice, attackers use dictionaries with rule sets that dramatically reduce effective search space by exploiting predictable substitution patterns. An 8-character complex password that follows a common template (Word1!) can crack in seconds even against bcrypt because the effective search space is tiny.
The lesson isn't just "use bcrypt"; it's that you can't know how a site stores your password until it is breached, and by then it is too late. A 20-character random password is computationally infeasible even against MD5. A 20-character passphrase is infeasible against any modern algorithm.
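To make the "effective search space" point about templates such as Word1! concrete, here is an added strength-estimation sketch (not from the original article or from PassGeni). It compares the full 95-character keyspace with the space left once a guesser assumes a capitalised dictionary word followed by digits and symbols. The sample password and the 5,000-word dictionary size are constructed assumptions, and the estimate only applies when the word is actually in the guesser's list.

```python
import math
import re
import string

# The 95 printable ASCII characters the article assumes, split by class.
CLASSES = {"u": string.ascii_uppercase, "l": string.ascii_lowercase,
           "d": string.digits, "s": string.punctuation + " "}  # 26+26+10+33
BCRYPT10_RATE = 8_000  # hashes/second per GPU, the figure quoted in the article

def mask(password):
    """Per-position class string, e.g. 'Summer1!' -> 'ulllllds'."""
    out = []
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                out.append(name)
                break
        else:
            raise ValueError(f"outside printable ASCII: {ch!r}")
    return "".join(out)

def full_keyspace(length):
    """Candidates in an exhaustive search over all 95 characters."""
    return 95 ** length

def mask_keyspace(m):
    """Candidates when only the class of each position is fixed."""
    return math.prod(len(CLASSES[c]) for c in m)

def template_keyspace(password, wordlist_size):
    """Candidates for 'Capitalised word + digits + symbols', else None.
    wordlist_size (an assumption) = dictionary words of that length."""
    m = re.fullmatch(r"ul+(d+)(s+)", mask(password))
    if not m:
        return None
    return wordlist_size * 10 ** len(m.group(1)) * 33 ** len(m.group(2))

def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return keyspace / rate

if __name__ == "__main__":
    pw, words = "Summer1!", 5_000  # constructed sample; assumed word count
    rows = [("full 95^8", full_keyspace(len(pw))),
            ("mask " + mask(pw), mask_keyspace(mask(pw))),
            ("word+digit+symbol", template_keyspace(pw, words))]
    for label, n in rows:
        print(f"{label:18} {n:>25,}  ~{math.log2(n):.1f} bits")
    print(f"template at bcrypt rate: {seconds_to_exhaust(rows[2][1], BCRYPT10_RATE):.0f} s")
```

A password that does not fit the template returns `None` from `template_keyspace`, which is the case where the full-keyspace figure is the relevant one.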
The practical upshot for password length
- Under 10 characters: Unsafe against any hashing algorithm, given enough time and a valuable enough target
- 12-14 characters: Reasonably safe against bcrypt, at risk against MD5 and SHA-1
- 16+ characters: Safe against all common hashing algorithms even for targeted attacks with significant resources
- 20+ characters: Computationally infeasible for the foreseeable future, regardless of hashing
PassGeni defaults to 18 characters for exactly this reason. Use the Strength Checker to see the estimated crack time for any specific password — it uses current GPU-based cracking rates in its calculation.