
Brute Force Password Hacking: How long will it take to Brute Force a password


As we all know, it's not a good idea to brute force a password, as it's much faster to use password attacks using hashcat.

I found a good graphic on how slow brute force hacking can be, depending on the length and the complexity of the password. The graphic also demonstrates how longer passwords, and alphanumeric complexity, can alter the risk vector in your favour.

[Graphic: password breaking time calculator]

The game of password hacking is this:

  1. Users reset their password every month, i.e. every 30 days.
  2. If we can brute force the password in 15 days, we can use the password for another 15 days.
  3. Brute force attacks will normally crack the password about halfway through the times quoted.
  4. An 8-character password is listed as 84 days, which means it should crack in approximately 41 days (close to a month's reset). How would you protect accounts at this point? It is recommended to force longer passwords, e.g. 10-14 characters, to protect against brute force attacks, as pragmatic rather than guaranteed security. It's possible that a brute force attack could break the security in the first day; however, this would be unlikely.
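The arithmetic behind the list above, as an added example that is not part of the original post: it calibrates a guess rate from the 84-day figure for 8 characters, then shows how each extra character changes the chance of a crack inside one 30-day reset window. Assumptions: a 62-character alphanumeric set (the post does not state the chart's character set), uniformly random passwords, a constant guess rate, and function names chosen for this example.

```python
SECONDS_PER_DAY = 86_400
ALNUM = 62  # assumption: a-z, A-Z, 0-9; the post does not state the chart's character set


def keyspace(charset: int, length: int) -> int:
    """Candidate passwords of exactly `length` characters."""
    return charset ** length


def calibrate_rate(charset: int, length: int, listed_days: float) -> float:
    """Guesses per second implied by a chart's full-search time."""
    return keyspace(charset, length) / (listed_days * SECONDS_PER_DAY)


def worst_case_days(charset: int, length: int, rate: float) -> float:
    """Days to try every candidate at `rate` guesses per second."""
    return keyspace(charset, length) / (rate * SECONDS_PER_DAY)


def expected_days(charset: int, length: int, rate: float) -> float:
    """Average case: a random password sits halfway through the search."""
    return worst_case_days(charset, length, rate) / 2


def p_cracked_within(charset: int, length: int, rate: float, window_days: float) -> float:
    """Chance the search reaches the password before the reset window ends."""
    return min(1.0, window_days / worst_case_days(charset, length, rate))


def min_length(charset: int, rate: float, window_days: float, max_risk: float) -> int:
    """Shortest length whose in-window crack probability is <= max_risk."""
    for length in range(1, 65):
        if p_cracked_within(charset, length, rate, window_days) <= max_risk:
            return length
    raise ValueError("no length up to 64 meets the risk target")


# Calibrate on the post's figure: 8 characters listed as 84 days.
RATE = calibrate_rate(ALNUM, 8, 84)

if __name__ == "__main__":
    for n in range(8, 15):
        print(f"{n:2d} chars: full search {worst_case_days(ALNUM, n, RATE):.3g} days, "
              f"expected {expected_days(ALNUM, n, RATE):.3g} days, "
              f"P(cracked in 30 days) {p_cracked_within(ALNUM, n, RATE, 30):.2e}")
    print("min length for <=0.1% risk per 30-day window:",
          min_length(ALNUM, RATE, 30, 0.001))
```

Under these assumptions each added character multiplies the full-search time by 62, so the in-window risk falls from roughly 36% at 8 characters to under 0.01% at 10.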


