How Long to Crack Your Password with Brute Force?

How long would it take someone who has no idea what your password is but who has a lot of computational capability to crack it using brute force?

By brute force, we mean using their code-cracking computer systems to systematically run through all the possible permutations of characters that may be in your password. Which for all they know, may be anywhere from 1 to 22 characters long.

For their part, cybersecurity specialists Hive Systems put the following chart together to show how long that might take a well-equipped independent hacker. Or rather, one with the code-cracking technology Hive's analysts believe is already available to them in 2022.

Hive Systems: Time It Takes a Hacker to Brute Force Your Password in 2022

But what about tomorrow's technology? What about passwords with more than 18 characters? What if you could use more kinds of characters?

Answering questions like those is why we created the following tool, which we built after reverse-engineering the results from Hive Systems' table. If you're reading this article on a site that republishes our RSS news feed, please click through to our site to access a working version.

Password Data
Input Data Values
How many different kinds of characters can be used in your password?
How many characters are used in your password?
How many billion attempts per second can a hacker's system use to crack your password?

How Long to Crack Your Password?
Calculated Results Values
Time Needed to Crack Password Using Computational Brute Force

Here's an article discussing the math behind the tool. The default of 95 kinds of characters represents the 10 numbers, 26 lower case letters, 26 upper case letters and 33 special characters available on most U.S. English keyboards. If you play with these figures, you should be able to reasonably duplicate the results from Hive Systems' chart. Within a relatively small margin of error, that is.

The tool is also computationally limited in how many characters might be in a password, to avoid exceeding JavaScript's computational limits. We've arbitrarily limited the potential passwords to be a maximum of 20 characters, which works for 95 kinds of characters, but may not for larger potential character sets. If you get results that seem haywire for the numbers you've entereed, odds are you've run into that computational limit.

But the thing we're most leery of in building the tool is that we set "billions" as the basic unit for entering the number of attempts per second for the hacker's password cracking system. How long will it be before that seemingly large number becomes unreasonably small?