What is the minimum safe password length in 2025?

Security experts recommend at least 12-15 characters minimum. NIST guidelines suggest 15 characters for passwords without multi-factor authentication. A 15-character password with mixed character types would take millions of years to crack with current hardware.

How Long Would It Take to Crack Your Password?

Q: How long does it take to crack an 8-character password?

An 8-character password using only lowercase letters can be cracked in about 3 weeks with modern GPU hardware (12x RTX 5090). Adding uppercase, numbers, and symbols increases that to around 11,000 years, but 8 characters is still considered too short by modern standards.

Q: Is password length or complexity more important?

Length matters more than complexity. A 15-character password using only lowercase letters takes longer to crack than an 8-character password with uppercase, lowercase, numbers, and symbols combined. However, using both length and complexity together provides the strongest protection.

Updated March 2026 · Based on 2025 Hive Systems data (12× RTX 5090, bcrypt)

Short answer: if your password is 8 characters or less, a motivated attacker with consumer-grade hardware could crack it in weeks or less. If your password is "password123" or anything remotely like it, the answer is instantly.

Every year, the security firm Hive Systems publishes updated cracking benchmarks using the latest consumer GPUs. Their 2025 table uses a stack of 12 NVIDIA RTX 5090 cards against bcrypt-hashed passwords — which is the hashing algorithm most modern web apps actually use. The results are sobering.

The Crack Time Table

This table shows the maximum time for a brute-force attack — systematically trying every possible combination until a match is found. Real attacks using dictionary words, leaked password databases, or AI-assisted guessing are often much faster.

Length	Numbers Only	Lowercase	Mixed Case	+ Numbers & Symbols
6	Instant	Instant	Instant	1 second
8	Instant	3 weeks	5 months	11,000 years
10	5 seconds	44 years	70,000 years	52 billion years
12	8 minutes	30,000 years	190 million years	3,000+ years
15	6 days	1.3 billion years	477 million years	Trillions of years
18	17 years	56 trillion years	Quadrillions of years	Heat death of universe
20	1,700 years	Quadrillions of years	Quintillions of years	Not happening

Hardware note: These times assume 12× NVIDIA RTX 5090 GPUs — the most powerful consumer cards available in 2025. State-sponsored attackers and well-funded criminal operations may have access to significantly more powerful hardware. AI-assisted cracking methods can also dramatically reduce times for passwords that follow common human patterns.

Length Beats Complexity. Every Time.

Look at the 15-character row in the table. Even a password made of only lowercase letters at 15 characters would take over a billion years to brute-force. Meanwhile, an 8-character password with uppercase, lowercase, numbers, and symbols? About 11,000 years — which sounds long until you remember that targeted attacks don't start from scratch. They start with patterns humans actually use.

The math is simple: every additional character multiplies the number of possible combinations exponentially. Going from 8 to 12 characters doesn't make your password 50% stronger — it makes it millions of times stronger.

The best approach? Both. Use a long password and mix in different character types. A 20-character password with letters, numbers, and symbols is essentially uncrackable by brute force with any technology that exists today — or will exist in the foreseeable future.

Why These Numbers Don't Tell the Whole Story

The table above assumes a pure brute-force attack — trying every possible combination. In reality, attackers are much smarter than that. They use dictionary attacks (trying common words and phrases first), credential stuffing (trying passwords leaked from other breaches), and increasingly, AI-powered tools that have learned the patterns humans use when creating passwords.

Tools like PassGAN (a neural network trained on millions of real leaked passwords) can recognize that humans tend to capitalize the first letter, replace "o" with "0", and stick "!" at the end. A password like "Summer2025!" might look complex, but to an AI that's learned these patterns, it's one of the first guesses.

This is exactly why randomly generated passwords matter. A random 20-character string has no patterns to exploit — the only option left is brute force, and as the table shows, brute force against a long random password is a losing game.

Your password stinks. Get a better one.

Generate a Strong Password →

What the Experts Recommend in 2025

NIST (the U.S. National Institute of Standards and Technology) updated their password guidelines to recommend at least 15 characters for passwords without multi-factor authentication. CISA (the Cybersecurity and Infrastructure Security Agency) goes further, suggesting 16 characters minimum.

Both organizations emphasize that length is the single most important factor in password security. They also recommend using a password manager to generate and store unique passwords for every account — because even a perfect password becomes worthless the moment you reuse it on a site that gets breached.

Here's the practical takeaway: use a randomly generated password of at least 16 characters with a mix of character types, stored in a password manager. And enable multi-factor authentication everywhere it's offered.

FAQ

How long does it take to crack an 8-character password?

With only lowercase letters and modern hardware: about 3 weeks. With a full character set (upper, lower, numbers, symbols): roughly 11,000 years via brute force. But real-world attacks using dictionaries, leaked databases, and AI-assisted methods are often much faster — especially if the password follows common human patterns.

What is the minimum safe password length?

Most security experts recommend at least 12-15 characters. NIST suggests 15 characters minimum without MFA, and CISA recommends 16. For maximum security, aim for 20+ characters using a randomly generated password from a tool like password.dog.

Is password length or complexity more important?

Length wins. A 15-character lowercase-only password is dramatically harder to crack than an 8-character password with every character type. That said, the strongest approach combines both: long passwords with mixed character types. Using a random generator ensures you get both without the effort of coming up with something yourself.

Can AI crack passwords faster than brute force?

Yes — for passwords created by humans. AI tools trained on leaked password databases can predict common patterns and dramatically reduce cracking time. However, against truly random passwords, AI has no advantage over brute force. Random generation eliminates the patterns that AI exploits.

Password.dog generates passwords that would take trillions of years to crack.

Click the Dog →