Password Strength Chart | Crack Times by Length & Character Type (2025 Data)

Think an 8-character password is safe enough? With modern GPUs, a numeric-only 8-character password can be cracked in just 15 minutes.

This article presents password crack times by character count and type, based on Hive Systems' 2025 data and NIST guidelines, so you can gauge your own password strength at a glance.

Why Length and Character Variety Matter

Password strength boils down to two factors:

  • Length: Each additional character multiplies the number of possible combinations by the size of the character set (10 for digits only, 95 for all printable ASCII)
  • Character variety: More character types mean more candidates per position

A 4-digit numeric PIN has just 10,000 possibilities. A 4-character password using all 95 printable ASCII characters has about 81 million. The combination of length and variety is what makes a password hard to crack.
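The arithmetic behind those figures, as an added example (not code from the article or from Hive Systems). The guess rate is an assumed placeholder and the sample passwords are constructed, so the printed times illustrate the model rather than reproduce the chart below.

```python
import string

# The four classes behind the article's 10 / 26 / 62 / 95 character-set sizes.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation + " ")

def charset_size(password):
    """Symbols a brute-forcer must cover: every class the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def keyspace(charset, length):
    """Candidate strings of exactly `length` symbols: charset ** length."""
    return charset ** length

def worst_case_seconds(charset, length, guesses_per_second):
    """Time to try every candidate; on average a hit comes after half of it."""
    return keyspace(charset, length) / guesses_per_second

def humanize(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    ASSUMED_RATE = 100_000  # guesses/second: placeholder, not a figure from the report
    for sample in ("4821", "hunter", "Tr0ub4dor", "k#9Lq!2z"):  # constructed samples
        size, n = charset_size(sample), len(sample)
        print(f"{sample!r:12} charset={size:2} keyspace={keyspace(size, n):.2e} "
              f"worst case={humanize(worst_case_seconds(size, n, ASSUMED_RATE))}")
    # Only valid for random strings: a dictionary word falls long before this bound.
```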

Crack Time Chart — Length × Character Type

The data below comes from Hive Systems' 2025 report, modeling a brute-force attack against bcrypt hashes (cost factor 10) using twelve NVIDIA RTX 5090 GPUs.

Digits Only (0–9: 10 characters)

| Length | Crack Time | Safety |
|---|---|---|
| 4 | Instant | Unsafe |
| 6 | Instant | Unsafe |
| 8 | 15 minutes | Unsafe |
| 10 | 1 day | Unsafe |
| 12 | 9 years | Marginal |
| 14 | 90,000 years | Safe |
| 16 | 900 million years | Very safe |

Lowercase Letters Only (a–z: 26 characters)

| Length | Crack Time | Safety |
|---|---|---|
| 4 | Instant | Unsafe |
| 6 | 5 hours | Unsafe |
| 8 | 3 weeks | Unsafe |
| 10 | 49 years | Marginal |
| 12 | 33,000 years | Safe |
| 14 | 22 million years | Very safe |

Mixed Case + Digits (a–z, A–Z, 0–9: 62 characters)

| Length | Crack Time | Safety |
|---|---|---|
| 4 | Instant | Unsafe |
| 6 | 14 days | Unsafe |
| 8 | 62 years | Marginal |
| 10 | 240,000 years | Safe |
| 12 | 900 million years | Very safe |

All Character Types (95 printable ASCII characters)

| Length | Crack Time | Safety |
|---|---|---|
| 4 | Instant | Unsafe |
| 6 | 14 days | Unsafe |
| 8 | 164 years | Marginal |
| 10 | 800,000 years | Safe |
| 12 | 7.2 billion years | Very safe |
| 14 | 560 trillion years | Very safe |
| 16 | 4,390 quadrillion years | Very safe |

Important Context

This chart assumes an offline brute-force attack on bcrypt hashes. Keep in mind:

  • Real-world risk depends on the service: Login rate limiting and account lockouts make online brute-force effectively impossible
  • Weak hash algorithms (MD5, etc.) are orders of magnitude faster to crack
  • GPU power grows rapidly: From RTX 4090 (2024) to RTX 5090 (2025), cracking speed roughly doubled — and the trend continues

How Passwords Get Cracked

Brute-Force Attack

Every possible combination is tried one by one. The chart above reflects this method. More characters and types mean exponentially more tries.

Dictionary and Credential-Stuffing Attacks

Attackers use lists of commonly used passwords ("password123", "qwerty") and credentials leaked in past breaches.

No matter how long a password is, predictable patterns like "password" or "123456789" are cracked instantly. The crack times above assume truly random strings.

NIST's Latest Password Guidelines

The U.S. National Institute of Standards and Technology (NIST) publishes SP 800-63B, which influences password policies worldwide. Revision 4 (2024–2025) introduced significant changes to longstanding practices.

No More Mandatory Rotation

NIST now prohibits forced periodic password changes (except after a confirmed breach). The reasoning:

  • Forced rotation leads to minimal changes (incrementing a number at the end)
  • This actually decreases security by making passwords more predictable
  • A strong password used consistently is safer than a frequently rotated weak one

The new guidelines state that services must not impose composition rules (e.g., requiring uppercase, symbols). The emphasis is on length.

| Guideline | Recommendation |
|---|---|
| Minimum length | 15+ characters recommended |
| Maximum length | Services should allow 64+ characters |
| Complexity rules | Must not be imposed |
| Periodic changes | Only after a breach |
| Breach checking | Required (check against blocklists) |
| Paste into password fields | Must be allowed (for password managers) |
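A server-side check built from the table above, next to the kind of composition-rule policy it replaces. This is an added example, not NIST's or the article's code; the function names, the legacy rule set and the small blocklist are constructed for illustration.

```python
import re

MIN_LENGTH = 15        # table above: 15+ characters recommended
MAX_LENGTH_FLOOR = 64  # table above: services should allow 64+ characters

# Constructed sample blocklist; a real deployment loads a breached-password corpus.
BLOCKLIST = {"password", "password123", "qwerty", "123456789", "passwordpassword"}

def legacy_policy(password):
    """'Before': 8+ characters with forced composition rules."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems

def length_first_policy(password, blocklist=BLOCKLIST, max_length=MAX_LENGTH_FLOOR):
    """'After': length and blocklist checks only, no composition rules."""
    if max_length < MAX_LENGTH_FLOOR:
        raise ValueError("maximum length must allow at least 64 characters")
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > max_length:
        # Reject rather than silently truncate, so the stored secret is what was typed.
        problems.append(f"longer than {max_length} characters")
    if password.lower() in blocklist:
        problems.append("appears on the blocklist")
    return problems

if __name__ == "__main__":
    for pw in ("Password123!", "correct-horse-battery-staple", "PasswordPassword"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} length-first={length_first_policy(pw)}")
```

The short, predictable `Password123!` satisfies every legacy rule, while the long lowercase passphrase fails two of them; the length-first check reverses both verdicts.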

How to Create a Strong Password

The Passphrase Method

Combine multiple words into a long password that's both memorable and strong.

Example:

  1. Think of a phrase: "The quick brown fox jumps high"
  2. Combine: TheQuickBrownFoxJumpsHigh (25 characters)
  3. Add variation: The-Quick-Brown-Fox-Jumps-High! (31 characters)

This easily exceeds 20 characters and far surpasses a 12-character random string in strength.

Use a Password Generator

The most reliable approach is to generate a truly random string with a dedicated tool. Human-chosen passwords inevitably contain patterns; generated ones don't.

Store generated passwords in a password manager and use a unique password for every service.
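What a generator does, as an added example (not the code of the site's tool). It draws from the operating system's CSPRNG through Python's `secrets` module; the word list is a constructed 16-word sample, and the entropy count holds only because each word or character is drawn at random rather than chosen by a person.

```python
import math
import secrets
import string

# The article's "all character types" set: 95 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed 16-word sample list, far too small for real use.
WORDS = ("amber", "bridge", "cactus", "drift", "ember", "fjord", "glacier", "harbor",
         "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble")

def random_password(length=16, alphabet=ALPHABET):
    """Each character is an independent draw from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words=6, words=WORDS, sep="-"):
    """Words are drawn by the CSPRNG, not picked by a person."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(choices, draws):
    """Bits of entropy for `draws` independent picks among `choices` options."""
    return draws * math.log2(choices)

def words_needed(target_bits, list_size):
    """Random words required to reach `target_bits` with a list of `list_size`."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print(random_password(16), f"{entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(random_passphrase(6), f"{entropy_bits(len(WORDS), 6):.1f} bits")
    # 7776 is an assumed list size (five six-sided dice rolls per word).
    print(words_needed(entropy_bits(95, 12), 7776), "words match 12 random characters")
```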

FAQ

How many characters should a password be?

At least 12 characters using all character types (uppercase, lowercase, digits, symbols). NIST's latest guidelines recommend 15 or more.

Is an 8-character password safe?

It depends. Numeric-only 8 characters: cracked in 15 minutes. All character types: about 164 years with current GPUs — but with rapid hardware improvements, 12+ characters is the safer bet.

Should I change my password regularly?

NIST SP 800-63B Rev. 4 says no — routine changes are no longer recommended. Only change your password when a breach is confirmed.

What's the easiest way to create a strong password?

A password generator is the most reliable method. For a memorable option, use the passphrase method — string several words together into a long password.

Should I use a password manager?

Yes. It's the most practical way to use long, unique passwords for every account. NIST recommends them as well.

Summary

  • Numeric-only 8 characters = cracked in 15 minutes — digits alone are too weak
  • All character types, 12+ characters is the current safety baseline
  • NIST recommends 15+ characters and discourages periodic rotation (change only after a breach)
  • Length matters more than character-type complexity rules
  • Use a passphrase or a password generator for the strongest results

If you're unsure about your current passwords, check their length and character variety. Any password under 12 characters should be upgraded now.

FAQ

Q. How many characters should a password be?
At least 12 characters using a mix of uppercase, lowercase, numbers, and symbols. NIST's latest guidelines recommend 15 characters or more.
Q. Is an 8-character password safe?
It depends on the character set. A numeric-only 8-character password can be cracked in 15 minutes. Even with all character types, 8 characters lasts about 164 years with current GPUs — but GPU power doubles roughly every year, so upgrading to 12+ characters is strongly recommended.
Q. Should I change my password regularly?
According to NIST SP 800-63B Rev. 4, routine password changes are no longer recommended. Change your password only if a breach is confirmed.
Q. What's the easiest way to create a strong password?
Use a password generator for truly random output. If you prefer a memorable password, try the passphrase method — combine several words into a long string (e.g., 'correct-horse-battery-staple').
Q. Should I use a password manager?
Yes. A password manager is the most practical way to maintain long, unique passwords for every service. NIST recommends their use as well.
