What is password entropy?

Entropy is a measure of randomness, expressed in bits. For passwords, entropy = log2(character_set_size ^ length). A password with 80 bits of entropy means an attacker must try up to 2^80 combinations (about 1.2 x 10^24) to guarantee finding it. Higher entropy = more possible combinations = longer crack time. One additional bit of entropy doubles the number of combinations.

How fast can passwords be cracked in 2026?

Speed depends on the hash algorithm. Against fast hashes (MD5, SHA-1): a single high-end GPU cracks about 10 billion hashes per second. A GPU cluster can exceed 100 billion. Against bcrypt (cost 12): roughly 50-100 hashes per second per GPU. Against Argon2id: even slower. The hash algorithm used by the website matters more than most people realize.

How many combinations does my password have?

Multiply the character set size raised to the power of your password length. Lowercase only (26 chars) at 12 characters: 26^12 = 95 quadrillion. Full ASCII (95 chars) at 12 characters: 95^12 = 540 sextillion. Each additional character multiplies the total by the character set size.

Why does length matter more than complexity?

Adding a new character type (say, going from lowercase to lowercase+uppercase) doubles the character set from 26 to 52 — multiplying combinations by 2^length for the whole password. But adding one more character of length multiplies combinations by the entire character set size (26-95x). For any password over 8 characters, adding length gives more entropy per keystroke than adding complexity.

What is the difference between brute force and dictionary attacks?

Brute force tries every possible combination sequentially: aaa, aab, aac... it is slow but guaranteed to find any password eventually. Dictionary attacks try common passwords, words, phrases, and known patterns first. They are orders of magnitude faster against human-chosen passwords. A 10-character dictionary word is cracked in seconds by a dictionary attack but would take years by pure brute force.

Are rainbow tables still a threat?

Less so than a decade ago. Rainbow tables are precomputed hash-to-password lookup tables. They are devastating against unsalted hashes but completely defeated by salting (adding random data before hashing). Most modern systems use salted hashes. However, legacy systems, old databases, and poorly implemented applications may still use unsalted MD5 or SHA-1 — rainbow tables crack those instantly.

How does bcrypt change crack time estimates?

Dramatically. bcrypt is intentionally slow — it takes roughly 100 milliseconds to compute one hash (at cost 12), compared to nanoseconds for MD5. Against MD5 at 10 billion/sec, an 8-char mixed password falls in days. Against bcrypt at 100/sec on the same GPU, that same password would take over 2 million years. The hash algorithm is the great equalizer.

Is a 20-character password overkill?

For brute force against current and near-future technology, yes — a random 16-character mixed password already exceeds what any computer can crack. But passwords are not only attacked through brute force. Phishing, keyloggers, database breaches, shoulder surfing, and social engineering bypass password strength entirely. A 20-character password is not overkill if it is your master password or encryption key that protects everything else.

Password Crack Times Explained — From Instant to Heat Death of the Universe

Last updated: April 202610 min readGenerator Tools

Password cracking is math, not magic. Every password has a calculable number of possible combinations. Every cracking rig has a measurable speed. Divide one by the other and you get a crack time — from fractions of a second to longer than the heat death of the universe. Here are the real numbers.

Character Set Sizes

The "character set" is the pool of possible characters for each position in your password. Larger pool = more combinations = harder to crack:

Character Set	Characters Included	Pool Size	Example
Digits only	0-9	10	482917
Lowercase only	a-z	26	mxkfpq
Lowercase + uppercase	a-z, A-Z	52	mXkFpQ
Alphanumeric	a-z, A-Z, 0-9	62	mX4FpQ
Full printable ASCII	a-z, A-Z, 0-9, symbols	95	mX4!pQ@#
Extended (Unicode)	All above + accented, CJK, etc.	~143,000+	mX4!pñQü

Most password crackers assume the full printable ASCII set (95 characters) as a worst case. If they know you only used lowercase, they narrow to 26 — and your password becomes roughly 95/26 = 3.65x easier to crack per character position.

The Combinations Formula

Total possible passwords = character_set_size ^ length

This is an exponential relationship. Each additional character does not add — it multiplies. That is why length is so powerful:

Length	Lowercase (26)	Alphanumeric (62)	Full ASCII (95)	Entropy (Full ASCII)
6	309 million	56 billion	735 billion	39.4 bits
8	208 billion	218 trillion	6.6 quadrillion	52.6 bits
10	141 trillion	839 quadrillion	59.9 quintillion	65.7 bits
12	95.4 quadrillion	3.2 quintillion	540 sextillion	78.8 bits
14	64.5 quintillion	12.4 sextillion	4.9 x 10^27	91.9 bits
16	43.6 sextillion	47.7 septillion	4.4 x 10^31	105.1 bits
18	29.5 septillion	183 octillion	4.2 x 10^35	118.2 bits
20	19.9 octillion	704 nonillion	3.6 x 10^39	131.4 bits

Reading this table: a 12-character password using full ASCII has 540 sextillion possible combinations (540 followed by 21 zeros). That is 540,000,000,000,000,000,000,000 guesses an attacker must try to be certain they find it.

Attack Speeds in 2026

How fast an attacker can try passwords depends on two things: their hardware, and the hash algorithm used by the system storing the password.

Attack Scenario	Speed (hashes/sec)	Hardware	Notes
Online attack (rate-limited)	~100-1,000/sec	Any	Most websites lock accounts after 5-10 failed attempts
Offline — MD5 hash	~50 billion/sec	Single RTX 4090	MD5 is broken for passwords. Sites still using it are negligent.
Offline — SHA-1 hash	~20 billion/sec	Single RTX 4090	Slightly better than MD5. Still inadequate.
Offline — SHA-256 hash	~10 billion/sec	Single RTX 4090	Better but still a fast hash. Not designed for passwords.
Offline — bcrypt (cost 10)	~1,500/sec	Single RTX 4090	Purpose-built for passwords. Intentionally slow.
Offline — bcrypt (cost 12)	~100/sec	Single RTX 4090	Recommended minimum cost factor.
Offline — Argon2id	~10-50/sec	Single RTX 4090	State of the art. Memory-hard — resists GPU parallelism.
GPU cluster	~100 billion/sec (MD5)	8x A100 cluster	Nation-state or organized crime level
Future (2030 estimate)	~1 trillion/sec (MD5)	Next-gen hardware	Planning margin. Today's "centuries" might become "decades."

The critical insight: your password's crack time depends on which hash the site uses. A 12-character random password against bcrypt would take millions of years. The same password against unsalted MD5 takes weeks. You cannot control which hash a website uses — so make your password strong enough to survive even fast hashes.

Crack Time Table: SHA-256 at 10 Billion/sec

This table uses SHA-256 at 10 billion guesses per second — a realistic single-GPU scenario for a motivated attacker with an offline database dump:

Password Length	Lowercase Only (26)	Alphanumeric (62)	Full ASCII (95)
6	< 1 second	5.6 seconds	1.2 minutes
8	21 seconds	6 hours	7.6 days
10	4 hours	2.7 years	190 years
12	302 days	10,000 years	1.7 million years
14	558 years	39 million years	15.5 billion years
16	400,000 years	151 billion years	14 trillion years
18	280 million years	580 trillion years	13 quadrillion years
20	194 billion years	2.2 quadrillion years	11.5 quintillion years

For context: the universe is about 13.8 billion years old. The heat death of the universe is estimated at ~10^100 years. A random 16-character full-ASCII password sits comfortably in "outlasts the solar system" territory even against fast hashes.

Why Common Passwords Are Instant Regardless of Length

The crack times above assume random passwords — every character independently chosen with equal probability. Real passwords are not random. Attackers exploit this ruthlessly:

Dictionary attacks try every word in dictionaries of common passwords, English words, names, and phrases. "correcthorsebatterystaple" is a dictionary phrase now (thanks, XKCD). These dictionaries contain billions of entries.
Rule-based attacks take dictionary words and apply transformations: capitalize first letter, add digits at end, substitute @ for a, append "!" or "2026". This turns "password" into "P@ssword2026!" in milliseconds.
Hybrid attacks combine dictionary words with brute-force appendages: every word + every 4-digit number, every two words concatenated, every word + every 3-char symbol combo.
Markov chain attacks use statistical models of how humans construct passwords. They know that "th" is more likely than "qx" and that passwords tend to start with uppercase and end with digits + symbols.

This is why "December2026!" is cracked in minutes despite being 13 characters with mixed types. The effective entropy is far lower than the theoretical maximum because the pattern is predictable.

Length vs Complexity: The Final Answer

Every additional character of length multiplies total combinations by the character set size. Adding a character type (going from lowercase to mixed case) multiplies by a smaller factor spread across existing characters. The math always favors length:

Option	Change	Entropy Added	Effort
Add 1 character (full ASCII)	16 chars → 17 chars	+6.6 bits	1 more character to type
Add symbols to lowercase-only	26 → 95 char set	+1.87 bits per position	Shift key + memorization
Add 4 characters (lowercase)	12 chars → 16 chars	+18.8 bits	4 more characters to type
Add uppercase + digits + symbols	26 → 95 char set	+1.87 bits × 12 = +22.4 bits	Significant memorization burden

For a 12-character password: adding 4 more lowercase characters (easy to type) gives you +18.8 bits. Switching to full ASCII (harder to type and remember) gives you +22.4 bits. The complexity route wins by a slim margin — but requires dramatically more effort. And a 16-character lowercase password (75.2 bits) is already virtually uncrackable.

Test Your Own Password

All these numbers mean nothing until you check your actual password against them. Open the Password Strength Checker, type your password, and see where it falls on this scale. If it is under 60 bits of entropy, the Password Generator can create a replacement in one click.

Related Security Tools

Password Strength Checker — see your password's entropy and estimated crack time
Password Generator — generate random passwords at any length
Hash Generator — see what MD5, SHA-256, and other hashes look like
Text Encryptor — AES-256 encryption for text you need to protect
File Encryptor — encrypt entire files before storing or sharing
UUID Generator — generate unique tokens and identifiers
Domain Extractor — extract domains from phishing URLs for investigation

See where your password falls — seconds, centuries, or heat death of the universe.

Check Your Password

Password Crack Times Explained — From Instant to Heat Death of the Universe

Character Set Sizes

The Combinations Formula

Attack Speeds in 2026

Crack Time Table: SHA-256 at 10 Billion/sec

Why Common Passwords Are Instant Regardless of Length

Length vs Complexity: The Final Answer

Test Your Own Password

Related Security Tools

Related Posts

Password Strength Checker

Is Your Password Strong Enough?

Password Security 2026

Best Checkers — Reddit