Try to go for 18 characters or more.
Cybersecurity company Hive Systems has just put out its 2025 Password Table, the latest in its yearly analysis of how difficult passwords are to crack. The results are in, and while it’s not exactly pretty, the good news is that unless you’re up against the computing might of a multibillion-dollar global AI company, you’re probably safe just adding some extra characters to your password.
That’s if you weren’t already practicing good password security to begin with, which involves essentially just that: having a very long password (and a different one for each account or service), preferably with a combination of numbers, lowercase letters, capital letters, and symbols.
Hive Systems explains: “Nvidia finally released a new consumer graphics card, the RTX 5090. To simulate a fairly successful hacker we once again assumed not one but twelve RTX 5090s.”
Twelve GPUs seems to be the key number because it is “the best consumer accessible hardware configuration that won’t block you from running tools used for brute forcing passwords.” That’s what the company said about its previous 12 x RTX 4090 analysis, anyway, and presumably the same is true about next-gen high-end consumer GPUs, too.
Bcrypt is the algorithm that most sites and services use these days to ‘hash’ your plaintext password, and it is what the company measures GPU cracking against. Hashing is the process of turning your plaintext password into a different string so that, for instance, if someone hacks the server your hash is stored on, they see only the hash and not your password. The hash can’t be reverse engineered, either. As Hive Systems explains: “Hashing software is a one-way street by design.”
So, the 2025 table shows how long it can take 12 Nvidia GeForce RTX 5090 graphics cards to brute force their way through to guess the correct hash to log in to your account—in other words, to crack your password.
The long and short of it is that, as expected, if you use a password that’s eight characters long and only uses lowercase letters and numbers, you’re screwed. It’ll only take the RTX 5090 GPUs three weeks to crack. Adding in some uppercase letters (but keeping it at eight characters) puts that time frame up to 15 years. Adding numbers puts it up to 62, and adding symbols puts it up to 164 years.
Diversifying your password’s character set is clearly one way to go, then. But so is adding additional characters. If you have 18 characters, even if those are just numbers, it would take these 12 top-end graphics cards 284,000 years to crack. The difference can be exponential, too. For instance, a password made of 13 numbers would take the graphics cards 3 years to crack, but add in just one more number and that rises to 28 years, then add another and it rises to 284.
NIST (the National Institute of Standards and Technology) still recommends a minimum of 15 characters for passwords. This makes sense, because that is the length at which cracking time rises to well in excess of a lifetime against the best setup a typical brute-force attacker is likely to have.
If you’re looking to defend against actors with a lot more compute power than this (who is after you?), Hive Systems analysed how long it would take the hardware that was used to train ChatGPT-4 (20,000 Nvidia A100 server GPUs). Even using this hardware, it would take 388 years to crack a numbers-only password of 18 characters—but it would take 39 years for 17 characters and 4 years for 16 characters, again proving the rule that adding more characters is almost always a good idea if you’re in this kind of range.
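The scaling described above, both for the 12-card rig and for the A100 cluster (one extra digit multiplies the cracking time by ten, and a roughly 730-fold jump in hardware is bought back with three more digits), falls straight out of keyspace arithmetic. The Python below is an added example, not Hive Systems’ code or methodology; it assumes that bcrypt makes every guess cost the same, so time is linear in the number of candidates, and that the article’s figures are times to exhaust the whole keyspace, then calibrates a hash rate from the 18-digit, 284,000-year figure and checks the other numbers against it.

```python
"""Keyspace arithmetic behind the Hive Systems password table.

Added example, not Hive Systems' code. Assumptions (not stated on the
page): every bcrypt guess costs the same, so cracking time is linear in
the number of candidates, and the quoted times are for exhausting the
whole keyspace rather than the expected half of it.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def years_to_exhaust(charset_size: int, length: int, hashes_per_sec: float) -> float:
    """Worst-case years to try every candidate at a fixed hash rate."""
    return keyspace(charset_size, length) / hashes_per_sec / SECONDS_PER_YEAR

def implied_rate(charset_size: int, length: int, years: float) -> float:
    """Hash rate that a published (charset, length, years) figure implies."""
    return keyspace(charset_size, length) / (years * SECONDS_PER_YEAR)

def extra_chars_to_offset(charset_size: int, speedup: float) -> int:
    """Characters to add so an attacker `speedup` times faster gains nothing:
    charset_size ** k >= speedup, i.e. k = ceil(log_charset(speedup))."""
    return math.ceil(math.log(speedup, charset_size))

def min_length_for(charset_size: int, hashes_per_sec: float, target_years: float) -> int:
    """Shortest length whose full keyspace takes at least `target_years`."""
    length = 1
    while years_to_exhaust(charset_size, length, hashes_per_sec) < target_years:
        length += 1
    return length

if __name__ == "__main__":
    # Calibrate on the article's 12x RTX 5090 figure: 18 digits, 284,000 years.
    rate_5090 = implied_rate(10, 18, 284_000)
    print(f"implied bcrypt rate: {rate_5090:,.0f} hashes/s")
    for n in (13, 14, 15):  # one extra digit, ten times the work
        print(f"{n} digits: {years_to_exhaust(10, n, rate_5090):,.1f} years")
    # The 20,000-A100 cluster needs 388 years for the same 18 digits.
    speedup = 284_000 / 388
    print(f"{speedup:.0f}x faster; offset by adding "
          f"{extra_chars_to_offset(10, speedup)} digit(s)")
    print(f"digits needed for 1,000+ years on the 5090 rig: "
          f"{min_length_for(10, rate_5090, 1_000)}")
```

The calibrated rate reproduces the article’s 13-, 14- and 15-digit figures, and the 52-vs-26 character keyspace ratio of 256 lines up with the jump from three weeks to 15 years for eight-character passwords.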
So, if you’re using a weak password, then yes, we are now in a computing era where plenty of bad actors will be able to successfully brute force your password with some pretty standard (albeit expensive) compute power. But if you use long passwords with lower case, upper case, numbers, and symbols, you still have little to worry about… well, not on the brute force front, anyway. Maybe now’s the time to download that password manager you’ve been meaning to get around to trying out.