How Long Would It Take to Crack Your Password?
Most passwords aren't "guessed" — they're calculated. A modern attacker with a single high-end GPU can test tens of billions of combinations per second offline, against a stolen database. The only thing standing between that hardware and your account is the number of possible combinations your password could be one of. That number depends on two things: how long the password is, and how many different character types it draws from.
The table below shows the estimated time to brute-force a fully random password (the kind this generator produces), assuming roughly 100 billion guesses per second — a realistic figure for a determined attacker in 2026:
| Length | Lowercase only | Letters + numbers | All character types |
|---|---|---|---|
| 8 characters | Instant | ~6 minutes | ~2 hours |
| 12 characters | ~3 days | ~7 months | ~3,000 years |
| 16 characters | ~14,000 years | ~26 million years | ~2 trillion years |
| 20 characters | ~23 billion years | practically forever | practically forever |
Estimates are for fully random passwords. A "clever" human-made password like Summer2024! is cracked almost instantly regardless of length, because attackers try predictable patterns first.
Why length beats complexity
People assume that swapping an "a" for "@" makes a password strong. It barely helps. Each extra character multiplies the number of possibilities, while a single substitution adds almost nothing — attackers have built those tricks into their tools for years. As the table shows, a 16-character lowercase password is dramatically harder to crack than an 8-character password using every symbol on the keyboard. If you remember one rule, make it this: add length first, complexity second.
What entropy actually means
Security researchers measure password strength in "bits of entropy" — essentially, the number of yes/no questions an attacker would have to answer to find your password. Each bit doubles the work. A password below 50 bits is weak, 60–75 bits is solid for everyday accounts, and 80+ bits is overkill that will outlast you. The strength meter above this article estimates entropy in real time as you adjust the length and character options, so you can see the effect of each change instead of guessing.
How long should your password be? A practical guide
- Throwaway accounts (forums, newsletters you don't care about): 12 characters is fine.
- Everyday accounts (shopping, streaming, social media): 16 characters with mixed types.
- High-value accounts (email, banking, password manager master password): 20+ characters, or a long passphrase you can actually remember.
Your primary email is the most important account you own — it's the reset point for everything else. Treat it like the master key it is.
Common mistakes that look secure but aren't
- Reusing one "strong" password everywhere. The moment one site is breached, every account that shares that password is exposed. This is the single most common way people get hacked — and a generator only helps if each password is unique.
- Predictable patterns. Capital letter at the start, number and "!" at the end (Password1!) is the first thing cracking software tries.
- Personal information. Pet names, birth years, and favourite teams are all publicly discoverable and routinely included in attack dictionaries.
- Relying on memory for dozens of accounts. No one can remember 50 unique 16-character passwords. That's what a password manager is for.
Why a generated password is safer than one you invent
Humans are bad at randomness. We unconsciously fall back on keyboard patterns, dates, and dictionary words even when we're trying to be unpredictable — and attackers model exactly those habits. This tool generates passwords using your browser's cryptographically secure random number generator (crypto.getRandomValues), the same class of randomness used for encryption keys. Nothing is sent to a server, nothing is stored, and the result has no human pattern for an attacker to exploit.
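As an added example (not this generator's actual source code), the code below shows one way to pick characters with crypto.getRandomValues without modulo bias, and to compute the entropy figure described under "What entropy actually means" for a fully random password. The character sets and function names are assumptions, and the fallback on the first lines is only there so the code also runs in Node.js outside a browser.

```javascript
// Added example, not the generator's own source. Character sets are assumed.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?",
};

// Concatenate the selected classes into one alphabet (duplicates ignored).
function buildAlphabet(classNames) {
  const parts = [...new Set(classNames)].map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new Error(`unknown class: ${name}`);
    return CLASSES[name];
  });
  if (parts.length === 0) throw new Error("select at least one class");
  return parts.join("");
}

// Uniform integer in [0, n) via rejection sampling. A plain `byte % n` would
// favour low indices whenever 256 is not a multiple of n (modulo bias).
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit); // discard bytes from the uneven tail
  return buf[0] % n;
}

function generatePassword(length, classNames) {
  const alphabet = buildAlphabet(classNames);
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[uniformIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
// This only holds for random output, not for human-chosen passwords.
function entropyBits(length, classNames) {
  return length * Math.log2(buildAlphabet(classNames).length);
}

const ALL = Object.keys(CLASSES);
console.log(generatePassword(16, ALL), entropyBits(16, ALL).toFixed(1), "bits");
```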