Short and simple passwords can be cracked in a matter of seconds. Long and complicated ones? Trillions of years.
That's according to a recent study from Hive Systems, a cybersecurity company based in Richmond, Virginia, which breaks down just how long it would likely take the average hacker to crack the passwords safeguarding your most important online accounts.
The findings suggest that even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours by the average hacker. Anything shorter or less complex could be cracked instantly, or within a few minutes, by any hacker who knows what they're doing, even if they're only using fairly basic equipment.
Meanwhile, a password that's 18 characters in length – and which uses a mix of numbers, lowercase and uppercase letters, and symbols – could take up to 438 trillion years for the average hacker to crack, according to Hive Systems.
The company compiled a color-coded graph to illustrate how quickly different passwords could be hacked, depending on their length and use of varied characters, and how those times have accelerated since 2020 thanks to faster technology:
For the study, Hive Systems ran tests to determine how quickly the average hacker – meaning someone using consumer-grade equipment, including a desktop computer with "a top-tier graphics card" – can crack passwords of different lengths and complexities.
In a blog post, company researchers explain how the process of cracking your passwords can work. It starts with a process called "hashing," an algorithmically driven process websites use to disguise your stored passwords from hackers.
If you plug the word "password" into one commonly used hashing algorithm, called MD5, you'll get this string of characters: "5f4dcc3b5aa765d61d8327deb882cf99." The idea is that if hackers break into a website's server to find lists of stored passwords, they'll only see hashed jumbles of letters and numbers.
You shouldn't, of course, use "password" as your password. In fact, it's one of the most common passwords that end up leaked on the dark web.
Hashed passwords are irreversible, because they're created with one-way algorithms. But hackers can make lists of every possible combination of characters on your keyboard, and then hash those combinations themselves using the most commonly used hashing algorithms. At that point, hackers only have to search their list for a hash that matches a stored one to recover the original password.
It's a complicated process, but one that can easily be pulled off by any knowledgeable hacker with consumer-grade equipment, Hive Systems notes. That's why your best defense is using the sort of long, complicated passwords that take the longest to crack.
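The arithmetic behind the "seconds versus trillions of years" contrast above is just the size of the search space divided by how fast guesses can be hashed and compared. The following is an added illustration, not code from the article or from Hive Systems: it confirms the MD5 value the article quotes for "password" and computes how long exhausting every candidate of a given length and character mix would take at an assumed guess rate. The symbol set (ASCII punctuation, 32 characters, giving 94 characters in total) and the guess rate of ten billion hashes per second are constructed assumptions, not Hive Systems' figures, so the resulting times illustrate the scaling rather than reproduce the company's table.

```python
import hashlib
import math
import string

# Character classes as the article describes them. The symbol set is an
# assumption (ASCII punctuation); Hive Systems' exact set is not stated here.
CHARSETS = {
    "digits": string.digits,                                        # 10 characters
    "lowercase": string.ascii_lowercase,                            # 26
    "upper+lower": string.ascii_letters,                            # 52
    "upper+lower+digits": string.ascii_letters + string.digits,     # 62
    "upper+lower+digits+symbols":
        string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Constructed assumption for illustration only: 1e10 unsalted MD5 guesses/second.
ASSUMED_GUESSES_PER_SECOND = 1e10


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest, the kind of stored hash the article describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    a set of `charset_size` characters. Each extra character multiplies the
    count by `charset_size`, which is why length dominates crack time."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to hash and compare every candidate in the keyspace."""
    return keyspace(charset_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "less than a second"


def crack_time_table(lengths, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return (charset name, length, seconds) rows for every mix and length."""
    rows = []
    for name, chars in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, seconds_to_exhaust(len(chars), n, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Sanity check against the value quoted in the article.
    print('MD5("password") =', md5_hex("password"))
    for name, n, secs in crack_time_table([8, 11, 18]):
        print(f"{name:>28s}  {n:2d} chars  {humanize(secs)}")
```

The table the script prints makes the article's point visible: moving from 8 to 11 to 18 characters multiplies the work by the charset size for every added character, so the jump from hours to years to astronomical timescales comes from length far more than from any single extra symbol. Two caveats a practitioner would add: real attackers try common passwords and dictionary words first, so a long but predictable password does not get the worst-case figure, and the guess rate depends on the hash in use; sites that store passwords with a slow, salted hash instead of plain MD5 cut the attacker's rate by orders of magnitude.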
The report also strongly recommends not recycling passwords for multiple websites. If you do that, and hackers are able to crack your password for one website, then "you're in for a bad time," the company writes.
Understandably, you might not want to remember 18-character passwords each time you log into an online account. After all, a password that takes trillions of years to crack isn't very useful if it also takes you a few million years to remember.
But even a password with 11 characters – again, using a mix of numbers, uppercase and lowercase letters, and symbols – could still take hackers 34 years to crack, Hive Systems estimates. And that's certainly better than eight hours or less.
CORRECTION: An earlier version of this article misstated that Hive Systems used a Security.org tool to complete its 2022 study. In fact, Hive Systems used the tool for an earlier study in 2020, not the most recent version.