Short and simple passwords can be cracked in a matter of seconds. Long and complicated ones? Trillions of years.
That's according to a recent study from Hive Systems, a cybersecurity company based in Richmond, Virginia, which breaks down just how long it would likely take the average hacker to crack the passwords safeguarding your most important online accounts.
The findings suggest that even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours by the average hacker. Anything shorter or less complex could be cracked instantly, or within a few minutes, by any hacker who knows what they're doing, even if they're only using fairly basic equipment.
Meanwhile, a password that's 18 characters in length – and which uses a mix of numbers, lowercase and uppercase letters, and symbols – could take up to 438 trillion years for the average hacker to crack, according to Hive Systems.
The company compiled a color-coded graph to illustrate how quickly different passwords could be hacked, depending on their length and use of varied characters, and how those times have accelerated since 2020 thanks to faster technology.
The findings back up the advice of experts like the National Institute of Standards and Technology, which also suggests choosing long, complex passwords with at least eight characters.
To estimate how long it would take to crack your passwords, Hive Systems used data from Security.org's HowSecureIsMyPassword tool to determine how quickly the average hacker – meaning someone using consumer-grade equipment, including a desktop computer with "a top-tier graphics card" – can crack passwords of different lengths and complexities.
In a blog post, company researchers explain how the process of cracking your passwords can work. It starts with "hashing," an algorithmic process websites use to disguise your stored passwords from hackers.
If you plug the word "password" into one commonly used hashing algorithm, called MD5, you'll get this string of characters: "5f4dcc3b5aa765d61d8327deb882cf99". The idea is that if hackers break into a website's server to find lists of stored passwords, they'll only see hashed jumbles of letters and numbers.
You shouldn't, of course, use "password" as your password. In fact, it's one of the most common passwords that end up leaked on the dark web.
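The following Python example is added here and is not from Hive Systems or the original article. It reproduces the MD5 hash quoted above, shows how a site could flag accounts whose unsalted hash matches a known common password, and contrasts that with salted PBKDF2 storage; the account names, the short password list and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article, apart from the quoted hash).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
STORED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # MD5 of "password", as quoted
    "bob": hashlib.md5(b"T7#vq9!Lw2@xZr4&Kp").hexdigest(),  # 18 mixed characters
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # same password, same hash
}


def md5_hex(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so equal passwords collide."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def find_weak_hashes(store: dict, wordlist: list) -> list:
    """Return the users whose stored hash equals the hash of a common password."""
    known = {md5_hex(p) for p in wordlist}
    return sorted(user for user, digest in store.items() if digest in known)


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Salted, deliberately slow storage; the iteration count is an assumption."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, derived


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    print(md5_hex("password"))
    print("flagged for reset:", find_weak_hashes(STORED_MD5, COMMON_PASSWORDS))
    first, second = hash_password("password"), hash_password("password")
    print("salted records differ:", first[2] != second[2])
    print("verifies:", verify_password("password", *first))
```

Because every salted record gets its own random salt, two users with the same password no longer share a stored value, and each guess costs the full iteration count.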