The short answer
A truly random 8 character password survives about 1.8 hours against a modern offline cracking rig. At 12 random characters you’re at 17,000 years, and at 16 you’ve left the realm of physics-based concern. Length is the lever; everything else is decoration.
The math behind the answer
Password cracking is a counting problem. A password drawn from a pool of 95 printable characters has 95^n possibilities at length n, and an attacker needs, on average, half of them. The only other variable is guessing speed.
For the speed, we don’t have to speculate. Public hashcat benchmarks put a single RTX 4090 at roughly 164 billion MD5 guesses per second. Six of them, a rig any motivated criminal or red team can assemble for the price of a used car, bring you to a round trillion guesses per second. That’s the assumption behind every number in this article: offline attack, fast hash, 10^12 guesses per second.
Run the arithmetic and the cliff appears. 95^8 is about 6.6 quadrillion, which melts in 1.8 hours. 95^10 holds for roughly 1.9 years. 95^12 stretches to 17,000 years, and 95^16 to 1.4 trillion years. Each pair of characters buys you a factor of about 9,000.
[Chart: Time to crack a random password, offline at 10^12 guesses/sec. Log scale. Full set = 95 printable characters. Assumes a fast hash (MD5/NTLM); slow hashes like bcrypt multiply every figure by 100,000 or more.]
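The chart’s arithmetic as a small calculator, added here as an example rather than code from the article or its generator: it reproduces the 95^n figures at 10^12 guesses/sec, applies the 100,000× slow-hash multiplier, and also handles the passphrase case (entropy given in bits) from the recommendations further down. The rates and multiplier are the article’s stated assumptions, not measurements of this code.

```python
import math

POOL = 95                       # printable ASCII, the article's character set
RATE_OFFLINE_FAST = 1e12        # six RTX 4090s on MD5/NTLM, per the article
SLOW_HASH_FACTOR = 100_000      # article's multiplier for bcrypt/Argon2id
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length: int, pool: int = POOL) -> int:
    """Number of distinct passwords of the given length (exact integer)."""
    return pool ** length

def crack_seconds(length: int, pool: int = POOL,
                  rate: float = RATE_OFFLINE_FAST, slow_hash: bool = False) -> float:
    """Seconds to exhaust the whole keyspace, which is what the chart plots;
    the average case (half the keyspace) is half this value."""
    seconds = keyspace(length, pool) / rate
    return seconds * SLOW_HASH_FACTOR if slow_hash else seconds

def crack_seconds_from_bits(bits: float, rate: float = RATE_OFFLINE_FAST,
                            slow_hash: bool = False) -> float:
    """Same calculation for a passphrase, given its entropy in bits (e.g. 10 per word)."""
    seconds = 2.0 ** bits / rate
    return seconds * SLOW_HASH_FACTOR if slow_hash else seconds

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for a readable table."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(f"{n:2d} chars  fast hash: {humanize(crack_seconds(n)):>26}"
              f"   bcrypt: {humanize(crack_seconds(n, slow_hash=True))}")
    print("7 random words (70 bits), fast hash:", humanize(crack_seconds_from_bits(70)))
    print("Gain from 8 to 16 characters: x", f"{keyspace(16) // keyspace(8):,}")
```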
Offline versus online: the distinction that changes everything
Those terrifying speeds need one condition: the attacker must hold the hashes. That happens after a database breach, when a dump of hashed passwords lands on their disk and they can guess at hardware speed with nobody watching.
Against a live login form, the picture inverts. Rate limiting, lockouts and latency cap attackers to maybe 10,000 guesses per second across a botnet, and that’s a generous figure for a poorly defended target. The same 8 character password that dies in 1.8 hours offline would take two centuries online.
This is why breach notifications matter more than password paranoia. The moment a service you use gets breached, the offline clock starts on your hash. If that password is unique to the breached site, you’ve lost one account. If you reused it, you’ve lost every account that shares it, and attackers automate exactly that with credential stuffing. Verizon’s Data Breach Investigations Report has put stolen credentials at or near the top of breach vectors for years running.
Fast hashes, slow hashes, and why your sysadmin choices matter
Everything above assumes the defender stored passwords with a fast hash. MD5, SHA-1, even plain SHA-256 were built to be quick, which is precisely the problem: a hash designed for speed hands that speed to the attacker.
Password hashing algorithms exist to be slow on purpose. bcrypt at a sane cost factor processes in the tens of thousands of guesses per second per GPU instead of hundreds of billions. That single design decision multiplies every crack time in the chart by a factor of 100,000 or more. The 1.8 hour password becomes a 20 year password; the 12 character one outlives the solar system. Argon2id, the current OWASP recommendation, also eats GPU memory bandwidth, which hurts cracking rigs where it stings.
If you run systems: your storage choice is part of every user’s password strength, whether they know it or not. NTLM in a 2026 Active Directory is a gift to whoever exfiltrates your hashes.
Why “Summer2026!” dies in seconds anyway
Here’s the honest caveat: the chart describes random passwords, and humans don’t produce random. Real cracking doesn’t start with brute force. It starts with wordlists built from a decade of breaches, then applies mutation rules: capitalize the first letter, append a year, swap a for @. The pattern word + year + symbol that satisfies most corporate complexity policies sits in the first minutes of any competent run.
So “Summer2026!” is eleven characters of false comfort. Its effective entropy isn’t 95^11; it’s one dictionary word, one predictable suffix and one of a dozen popular symbols, a search space a laptop clears before lunch. Complexity rules produced this. Forced 90 day rotation made it worse by training people to increment a counter. NIST SP 800-63B retired both practices, and it took the industry years to listen.
Randomness is the property that makes the math apply. A generator gives you randomness for free.
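To see why “Summer2026!” is not 95^11, here is an added example (not code from the article) of the check a password policy could run: it recognises the word + year + symbol shape and reports the search space a rule-based run actually faces instead of the naive one. The ten-word dictionary, the assumed 10,000-entry real list, the year range and the symbol set are constructed assumptions for illustration.

```python
import math
import re

# Constructed toy dictionary; a real check would load a breach-derived wordlist.
COMMON_WORDS = {"summer", "winter", "spring", "autumn", "password",
                "welcome", "company", "letmein", "football", "monkey"}
WORDLIST_SIZE = 10_000            # assumed size of the real list for the estimate
YEARS = range(1970, 2031)         # appended as four digits or the last two
SYMBOLS = "!@#$%^&*?._-"          # the "dozen popular symbols"
POOL = 95

# dictionary word, then an optional 2- or 4-digit year, then an optional single symbol
PATTERN = re.compile(r"^([A-Za-z]{3,})(\d{2}|\d{4})?([" + re.escape(SYMBOLS) + r"])?$")

def is_patterned(password: str) -> bool:
    """True when the password is a dictionary word plus the usual suffixes."""
    m = PATTERN.match(password)
    return bool(m) and m.group(1).lower() in COMMON_WORDS

def pattern_guesses() -> int:
    """Candidates a rule-based run needs to cover word + year + symbol.
    A leet rule such as a->@ would add another small constant factor."""
    case_variants = 2                     # as listed, or first letter capitalised
    year_variants = 1 + 2 * len(YEARS)    # none, four digits, two digits
    symbol_variants = 1 + len(SYMBOLS)    # none, or one trailing symbol
    return WORDLIST_SIZE * case_variants * year_variants * symbol_variants

def naive_bits(password: str) -> float:
    """What the chart would assume: every character drawn from the full pool."""
    return len(password) * math.log2(POOL)

def effective_bits(password: str) -> float:
    """Entropy the attacker actually faces: the pattern space if patterned."""
    if is_patterned(password):
        return math.log2(pattern_guesses())
    return naive_bits(password)

def seconds_to_exhaust(password: str, rate: float = 1e12) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** effective_bits(password) / rate

if __name__ == "__main__":
    for pw in ("Summer2026!", "Password2026!", "x7Q#pL2v"):
        print(f"{pw:14} patterned={is_patterned(pw)!s:5} naive={naive_bits(pw):5.1f} bits"
              f"  effective={effective_bits(pw):5.1f} bits  {seconds_to_exhaust(pw):.3g} s")
```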
What to actually do
For accounts: a password manager generating 20+ random characters per site, unique everywhere. You’ll never type them, so length costs nothing. Our password generator runs entirely in your browser and shows you the honest entropy of what it produces, including against these exact attack assumptions.
For the few secrets you type by hand (the manager’s master password, your OS login, disk encryption): a passphrase of 6 or 7 random words. At 10 bits per word you reach 60 to 70 bits, which survives offline attack against any sanely-stored hash, and your thumbs will thank you.
For everything important: turn on multi-factor authentication. A cracked password without the second factor is a key to a door that no longer exists.
Where passkeys fit into this
The industry’s actual answer to cracking is to remove the password. Passkeys, the consumer-friendly name for FIDO2/WebAuthn credentials, replace the shared secret with a key pair: your device holds the private key, the site stores only the public half. There’s nothing to crack offline because the server-side database contains nothing that opens your account, and nothing to phish because the credential is bound to the real domain. Google, Apple, Microsoft, GitHub and most major password managers support them today, and adoption has moved from press releases to login screens.
So should you still care about password length? Yes, for two reasons. First, coverage: thousands of services you use will accept passwords and nothing else for years to come, and your VPN, your NAS and that industrial web interface from 2014 are not getting WebAuthn retrofits. Second, the recovery chain: most passkey deployments keep a password as the fallback path, which means the fallback is now the weakest link. A passkey protected by a recoverable account with a 9 character password is a 9 character account.
The practical 2026 posture, then: passkeys wherever they’re offered, a manager full of long random passwords everywhere else, a serious passphrase guarding the manager itself, and MFA on the accounts that can hurt you. None of these pieces replaces the others yet. Together they make the crack-time chart above someone else’s problem.
One last number to keep. The gap between 8 and 16 characters isn’t twice the security. It’s a factor of about 6.6 quadrillion. Nothing else you can do this afternoon buys that much.
Frequently asked questions
Is a 12 character password enough in 2026?
For a random 12 character password with the full character set, yes, with margin: around 17,000 years against a trillion-guess-per-second offline attack. The catch is the word random. A 12 character password built from a word, a year and a symbol is not random and can fall in minutes to rule-based attacks.
Do symbols make a password stronger than length?
Length wins by a wide margin. Adding symbols grows the character pool from 62 to about 95, a factor of 1.5 per character. Adding one more character multiplies the search space by 95. Four extra lowercase letters beat any amount of symbol decoration on a short password.
How fast can attackers really guess passwords?
Offline, against a stolen database of fast hashes like MD5 or NTLM, a single RTX 4090 tests around 164 billion MD5 guesses per second per hashcat benchmarks, so a small rig reaches trillions. Online, against a live login form with rate limiting, attackers get tens of guesses per second at best, which is why stolen hash databases are the real danger.
Does changing my password every 90 days help?
No, and official guidance agrees. NIST SP 800-63B dropped forced rotation years ago because it pushes people toward predictable patterns like Password2026!. Change a password when there is a reason: a breach, a leak, a suspicious login. Otherwise, make it long, unique and managed.