[OC] I updated our popular password table for 2025

Posted by hivesystems

26 comments
  1. Hi everyone – I’m back again with the 2025 update to our password table! Computers, and GPUs in particular, are getting WAY faster (looking at you Jensen Huang and Sam Altman), but people are also picking and configuring stronger password hashing algorithms. This table outlines the time it takes a computer to brute force your password, and isn’t indicative of how fast a hacker can break your password – especially if they stole your password via phishing, or you reuse your passwords (it’s 2025 please stop doing that). It’s a good visual to show people why better passwords can lead to better cybersecurity – but ultimately it’s just one of the many tools we can use to talk about protecting ourselves online!

    **Data source:** Data compiled using independent data gathering and research from multiple sources about hashing functions, GPU power, and related data. The methodology, assumptions, and more data can be found at [www.hivesystems.com/password](http://www.hivesystems.com/password)

    **Tools used:** Illustrator and Google Sheets

  2. Luckily hunter2 isn’t on this list, so I’m safe

  3. So 8 characters with upper and lowercase letters, numbers, and symbols should be fine for an average person only for a little bit longer due to the advancement of computers.

  4. Am I misunderstanding something, or does this colour grading make zero sense?

    If “green” means “safe”, why does 5 billion years in the third column not equal safe?
    If hackers are this persistent, I’d honestly just let them have access to my stuff.

  5. TFW your weakest password requires 1 qld of years (what even is a qld?)

  6. *assuming there aren’t any preventative measures server-side for spamming auth requests

  7. I read once that the best password is 4 words separated by spaces that are unrelated to each other. Is there truth to this, and how would it look on your graph?

  8. Adding length ups entropy faster than adding to the character set, after a point. So go with long, memorable pass phrases if you have to remember it or just use a password manager.

    [https://xkcd.com/936/](https://xkcd.com/936/)

  9. Why isn’t any solution that is longer than your lifespan not green?

  10. How does a hacker know which character set is in use? It seems the first columns are artificially constrained (unless the hacked system has announced that expanded character sets are illegal).

  11. I am really curious about those graphs. Can someone explain to me how these numbers are in any way relevant for the average user? I get that this is how much time it takes to crack a password, but if somebody tries to get my, for example, Google password, wouldn’t it be more dependent on the loading time of the homepage? Not even taking into account the maximum number of login attempts. Some time way back I obtained the Windows password of my father-in-law, which he forgot, with a Linux boot from a disk. I know that scenarios like these are still there, but it seems to me that most of the stuff is behind a prohibitive latency of some homepage?

  12. I am checking the table for 2024 and the times were shorter then? 8 characters at the rightmost column is 164 years here and only 7 years last year?

  13. Is brute forcing even a thing anymore? I feel like most services have password requirements, login time limits, two factor, etc. Where it’s not even a viable method anymore in the majority of cases.

    Social engineering, data breach dumps, rogue URLs, DNS poisoning and session hijacking seem way more likely these days, but I am but a humble network engineer.

  14. Question. Let’s say I have the option to use upper, lower, numbers, and symbols, but I don’t use one of those options. How does this weaken my password?

    Mathematically it makes sense, but practically it doesn’t. Like, do hackers start all brute force attempts trying only upper and lower, and then add numbers when they’ve tried “all” possible combinations? If they know the password can contain those four options, won’t they start their attempts with all four options anyway?

  15. I remember XKCD getting a lot of crap over their explanation of password strength recently, but it looks like they are right. I’m sick and tired of being forced to add numbers, symbols, blah-dee-dah. Give me the option of 11 characters full of garbage, or a longer and easier to remember password.

  16. So bad short passwords are a lot safer than is claimed because hackers rarely have access that allows them to flood a system with password tries. Even if they got their hands on a database they have to brute force usernames etc too and do it with potentially millions of entries.

  17. This may be a silly question, but I know nothing about password cracking. Do brute force attempts go in alphabetical and numerical order? By that I mean would a password of ABC123 be faster to crack (even if only a fraction of a second) than XYZ789?

  18. Is this the maximum time it would take to brute force it, if they had to go through every combination before they got to mine? Or is it an average time, or do I not understand what brute force means? Is there a chance they stumble upon a 15 character special character mix password instantly?

  19. Ah okay, so my password ;DROPTABLE:Passwords
    is very good, I see

    PS: the joke is that the code wouldn’t work at all but the password contains everything except numbers

  20. 3 billion years is…yellow??

    Edit: Great data, thanks for putting it together. I saw your response in another comment. Color choices could be better.

  21. I had an IT security teacher in HS and he always said that the passwords need to be tough.

    My WiFi password since HS is something like:

    diagonalcrosssectionofscissorsst512i

    The house guests love me, every time 🙂

  22. Wouldn’t this require the hacker to know this information about your password? So it only matters if the service allows alphanumeric + special characters in passwords in order to benefit from that level of entropy?

  23. Would just adding like twenty 8’s to the front or back of your regular password be safe? Or would the repeatedness be easier to crack?

    Like from hunter2 to 888888888888888888888hunter2.

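
An added example (not part of the thread and not Hive Systems' methodology) that works through two questions raised in the comments: how extra length compares with a larger character set, and how average and worst-case exhaustive-search times differ. The character-set sizes, the guessing rate and the 2048-word list (11 bits per word, as in the linked xkcd) are assumptions chosen for illustration.

```python
import math

# Assumed character-set sizes (printable ASCII classes); not taken from the table.
CHARSETS = {"lower": 26, "lower+upper": 52, "alnum": 62, "alnum+symbols": 95}

GUESSES_PER_SECOND = 1e10  # hypothetical offline guessing rate, illustration only
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def brute_force_years(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Return (average, worst_case) years to search every string of this length.

    Worst case tries every candidate; on average the match comes halfway through.
    """
    keyspace = alphabet_size ** length
    worst = keyspace / rate / SECONDS_PER_YEAR
    return worst / 2, worst


def equivalent_length(small_alphabet, big_alphabet, length):
    """Shortest length over small_alphabet whose keyspace >= big_alphabet**length."""
    target = big_alphabet ** length  # exact integer arithmetic, no float rounding
    n = length
    while small_alphabet ** n < target:
        n += 1
    return n


def passphrase_bits(wordlist_size, words):
    """Entropy of words drawn independently and uniformly from a list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        avg, worst = brute_force_years(size, 8)
        print(f"8 chars, {name:14s} {entropy_bits(size, 8):5.1f} bits  "
              f"avg {avg:.3g} y  worst {worst:.3g} y")
    print("lowercase length matching 8 full-set chars:", equivalent_length(26, 95, 8))
    print("4 words from a 2048-word list:", passphrase_bits(2048, 4), "bits")
```

These figures only hold for passwords chosen uniformly at random; a password built from a predictable pattern or a reused one has far less effective entropy than the formula suggests.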