Short and simple passwords can be cracked in seconds. Long and complicated? Trillions of years.

That’s according to a recent study by Hive Systems, a cybersecurity firm based in Richmond, Virginia, which breaks down how long it would likely take the average hacker to crack the passwords that protect your most important online accounts.

The findings suggest that even an eight-character password — with a healthy mix of numbers, upper-case, lower-case and symbols — can be cracked by the average hacker within eight hours. Anything shorter or less complex can be cracked instantly or in minutes by any hacker who knows what he’s doing, even if he only uses fairly basic equipment.

Meanwhile, according to Hive Systems, it can take up to 438 trillion years for an 18-character password — and one that uses a mix of numbers, lowercase and uppercase letters and symbols — to reach the average hacker.

The company has put together a color-coded chart to illustrate how quickly different passwords can be hacked, depending on their length and use of different characters, and how those times have accelerated since 2020 thanks to faster technology:

The findings support advice from experts such as the National Institute of Standards and Technology, which also suggest choosing long, complex passwords of at least eight characters.

To determine how long it would take to crack your passwords, Hive Systems used data from’s HowSecureIsMyPassword tool to determine how fast the average hacker — that is, someone using consumer-grade equipment, including a desktop computer with “a high-quality graphics card ” – can crack passwords of various lengths and complexities.

In a blog post, company researchers explain how cracking your passwords can work. It starts with a process called hashing, an algorithmically driven process that websites use to hide your stored passwords from hackers.

If you insert the word “password” into a common hashing software called MD5, you get this string: “5f4dcc3b5aa765d61d8327deb882cf99.” The idea is that when hackers break into a website’s server to find lists of stored passwords, they’ll only see a hashed jumble of letters and numbers.

Of course, you shouldn’t use “password” as your password. In fact, it is one of the most common passwords leaked on the dark web.

Hashed passwords are irreversible, as they are created with one-way algorithms. But hackers can create lists of any possible combination of characters on your keyboard and then hash those combinations themselves using the most widely used software programs. At that point, hackers only need to look for matches of the hashed passwords on their list to determine your original passwords.

It’s a complicated process, but it can be easily performed by any expert hacker with consumer-grade equipment, notes Hive Systems. Therefore, your best defense is to use the kinds of long, complicated passwords that take the longest to crack.

The report also strongly recommends that you do not recycle passwords for multiple websites. If you do, and hackers are able to crack your password for one website, “you’re in for a bad time,” the company writes.

Understandably, you don’t want to remember 18-character passwords every time you log into an online account. After all, a password that takes trillions of years to crack isn’t very useful if you also take a few million years to remember.

But even an 11-character password — again using a combination of numbers, upper- and lower-case letters and symbols — could still take hackers 34 years to crack, Hive Systems estimates. And that’s certainly better than eight hours or less.

Sign up now: Get smarter about your money and career with our weekly newsletter

Do not miss:

These are the 20 most common passwords leaked on the dark web – make sure none of them are yours

‘These 9 biggest password mistakes will get you in trouble,’ warns fraud expert and ex-con

This post If your passwords are less than 8 characters long, change them

was original published at “”