Strong Passwords: Why They Really Matter and How Hard They Are to Crack
Why simple passwords are not enough: how brute-force attacks work, how long cracking takes, and how to create truly strong passwords to stay safe.

In 2023, the most used password in the world was still "123456". In second place: "password". If you're reading this article with a guilty feeling because you use something similar somewhere, you're not alone — but it's time to change. Not out of bureaucratic IT compliance, but because truly understanding what happens when a password gets "cracked" will make you want to use a serious one.
Why simple passwords are a real risk
When an online service is breached (and it happens far more often than you'd think: in 2023 alone there were over 3,000 significant breaches worldwide), attackers obtain a database of accounts. Passwords are rarely stored in plain text: they are almost always saved as hashes, fixed-length strings computed from the password by a one-way function.
The problem is that attackers don't actually need to "decrypt" them: they use dictionary attacks and brute force to find which password matches which hash. And they do it at astronomical speeds with modern GPUs.
An RTX 4090 can test over 100 billion MD5 hashes per second. This completely changes the perspective on "secure passwords."
How long does it take to crack a password?
Data from Hive Systems (updated to 2024 with current hardware) is illuminating:
| Password type | Length | Time to crack |
|-----------------|-----------|---------------------|
| Numbers only | 6 characters | Instant |
| Lowercase only | 8 characters | 22 seconds |
| Mixed upper+lowercase | 8 characters | 1 hour |
| Mixed + numbers | 8 characters | 8 hours |
| Mixed + numbers + symbols | 8 characters | 1 day |
| Mixed + numbers + symbols | 10 characters | 5 years |
| Mixed + numbers + symbols | 12 characters | 3,000 years |
| Mixed + numbers + symbols | 16 characters | Practically impossible |
Length matters exponentially more than complexity. A 12-character lowercase-only password (fourteencharacters) still takes weeks, while Abc1! at 5 characters falls in seconds.
The most common attacks: how they really work
Dictionary attack
The program tries dictionary words, common names, birthdates and their obvious variants (Dog2023, john.smith1, Chelsea!). If you use real words as a base, it doesn't matter how many symbols you add — it'll be found in minutes.
Brute force
Tries all possible combinations. With short passwords, it's blazing fast. With passwords of 12+ mixed characters, it becomes impractical even with advanced hardware.
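The two checks described above, as an added example that is not part of the original article: a small password audit that flags a dictionary base word behind obvious variants and estimates worst-case brute-force time at the 100 billion MD5 guesses per second quoted earlier. The wordlist and substitution table are constructed for illustration, and the results will not match the Hive Systems table, which rests on its own hardware and hash assumptions.

```python
import re
import string

# Rate quoted on this page for one RTX 4090 against MD5 (guesses per second).
MD5_GUESSES_PER_SEC = 100e9
# Constructed sample wordlist; real dictionaries hold millions of entries.
SAMPLE_WORDS = {"dog", "chelsea", "vacation", "password", "john", "smith"}
# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password):
    """Size of the alphabet implied by the character classes actually used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_seconds(password, rate=MD5_GUESSES_PER_SEC):
    """Worst case: time to try every string of this length over that alphabet."""
    return charset_size(password) ** len(password) / rate


def dictionary_base(password):
    """Return the wordlist entries the password is built on, or None."""
    # Drop the digits and symbols people append or prepend, then normalise case.
    core = password.strip(string.digits + string.punctuation).lower()
    for candidate in (core, core.translate(LEET)):
        parts = [p for p in re.split(r"[^a-z]+", candidate) if p]
        if parts and all(p in SAMPLE_WORDS for p in parts):
            return " ".join(parts)
    return None


def audit(password):
    """Summarise both checks; a dictionary hit makes the brute-force time moot."""
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "dictionary_base": dictionary_base(password),
        "brute_force_seconds": brute_force_seconds(password),
    }


if __name__ == "__main__":
    for pw in ("Dog2023", "john.smith1", "Abc1!", "PurpleCatEatsSushi2025!"):
        print(pw, audit(pw))
```

A password with a non-empty `dictionary_base` should be treated as weak regardless of its brute-force estimate, since the guess comes from the wordlist rather than from the full keyspace.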
Credential stuffing
Takes passwords leaked from other breaches and tries them on all other services. It works because most people reuse the same passwords. If johnsmith@gmail.com with password Vacation2022! was on a forum breached in 2021, attackers will try it on Gmail, bank, Amazon, and everything else.
Phishing
Nothing gets "cracked": you're convinced to enter your password on a fake site. The defense isn't password complexity but recognizing the site as fake — and using two-factor authentication.
Rules for a truly secure password
Length first
As you saw from the table, 12 characters is the minimum for a password that holds up. 16 or more is better. An unusual but meaningful phrase works great: PurpleCatEatsSushi2025! is extremely hard to crack and relatively easy to remember.
Use a different password for every service
Credential stuffing is devastating precisely because people reuse passwords. If every service has a different password, a breach of one doesn't compromise the others. Yes, that means remembering many — but that's what password managers are for.
Enable two-factor authentication (2FA)
Even if your password is discovered, 2FA blocks access. The attacker also needs the code that arrives on your phone (or from the authenticator app). Enable it wherever available: email, banking, social media, cloud.
Don't use personal information
Your pet's name, date of birth, your favorite sports team: these are the first things a targeted attacker (who knows you) will try. And they appear in specialized dictionaries.
Create a secure password now
You don't need to invent anything by hand: use our free password generator. You can choose the length, include or exclude symbols, letters, and numbers. The result is generated entirely in the browser — it never passes through any server.
Password managers: the definitive solution
If you need to remember dozens of different, secure passwords, the only practical solution is a password manager. Applications like Bitwarden (open source, free), 1Password, or KeePass generate and store complex passwords for every site — you only need to remember one "master password" to open the manager.
Bitwarden in particular has a complete free version, clients for all operating systems and browsers, and the code is open source and verifiable by anyone.
Understanding a password hash
Want to technically understand how password hashing works? Our hash calculator tool shows how a string is transformed by SHA-256, SHA-1, MD5, and other algorithms. Try entering "123456" and "123457": the hashes are completely different even though the inputs differ by just one character. This property is what makes hashes useful for security.
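The one-character experiment above, as an added example that is not the site's hash calculator: it counts how many SHA-256 output bits change between "123456" and "123457". It then goes one step beyond the text to contrast a bare MD5 record with a salted, deliberately slow PBKDF2 record; the iteration count is an assumption chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it to your own hardware budget.
PBKDF2_ITERATIONS = 200_000


def bit_difference(a, b, algorithm="sha256"):
    """Count output bits that differ between the digests of two inputs."""
    da = hashlib.new(algorithm, a.encode()).digest()
    db = hashlib.new(algorithm, b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def fast_unsalted(password):
    """Bare MD5: identical passwords always produce identical records."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_salted(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    changed = bit_difference("123456", "123457")
    print(f"bits changed 123456 -> 123457: {changed} of 256")
    # Two users with the same password: the MD5 records are identical, so one
    # successful guess exposes both. The salted records differ, so each one
    # has to be attacked separately, and every guess costs 200,000 iterations.
    print("MD5 records equal:", fast_unsalted("123456") == fast_unsalted("123456"))
    alice, bob = slow_salted("123456"), slow_salted("123456")
    print("salted records equal:", alice[1] == bob[1])
    print("verify:", verify("123456", *alice), verify("123457", *alice))
```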
Frequently asked questions
How often should I change my password? The old advice of changing it every 3 months has been superseded: NIST (the American technical standards body) recommends changing it only if you suspect a breach or if the service notifies you of one. Forced frequent changes push people toward weaker, more predictable passwords.
Is it safe to save passwords in the browser? Better than nothing, but less secure than a dedicated password manager. Browsers sync passwords to the cloud tied to your Google/Microsoft/Apple account: if that account is compromised, so are all your passwords. A dedicated password manager offers an additional layer of encryption.
How do I know if my passwords have already been stolen? Go to haveibeenpwned.com — enter your email and see if it appears in databases of known breaches. If so, immediately change the password on those services.
