How Long Does It Take To Crack Your Password?

September 01, 2021 | Password Safety

Are you a QWERTY fan? Maybe sports teams are more your thing? Cowboys42, anyone? If you haven't guessed yet, these are common password choices—ones that should be eternally banned for a variety of reasons.

Security groups release their Top 10 Passwords lists every year, and, year after year, nothing changes. It's depressing if you're a security researcher. If you're a user, it's downright dangerous. In addition, many folks have no idea how rapidly someone can crack their passcode.

The Root of the Problem

"Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact." That's how breach expert and Australian security guru Troy Hunt sums it up on a website of compromised emails and passwords he maintains.

With password repetition firmly entrenched in America and data breaches on the rise, you should assume someone will employ your stolen passwords for attacks known as credential stuffing. These automated login attempts try your username/password pair on thousands of websites to see what opens.

Stuffing is very successful, and its use grows daily. Once a thief gets into one of your accounts, a simple password change completes the account takeover (ATO), and you, the original owner, are locked out.

Crack Codes Fast

Hackers can crack a code like QWERTY or password123 in a millisecond, so aim higher. For years, security pros have suggested longer, stronger passwords to slow cracking programs down. That advice is still sound, but resistance to 16-character passcodes remains strong. The reason? Who can remember a 16-digit code of random numbers and letters?

Consider password as a password. According to Hunt's website, that one's been found in compromised data batches a whopping 3,861,493 times. That huge figure is still far less than the record held by 123456, which pops up 24,230,577 times in Hunt's harmful password files. You can bet these are the first words hackers check during ATO attempts.

A single digit can boost security. Look at sample password Isoar42. That takes around a minute for a computer to break. [email protected]@ takes far longer—roughly three weeks. Add a third symbol—the ] bracket—and it takes 52 years to crack. Now that's a strong password, no?

There are billions of passcodes floating around the internet. Some are for sale, and others are so stale that they're worth little. Hunt's website stores "real-world passwords" that have been compromised in data breaches. Search his repository of stolen passwords if you'd like to see how yours have held up over time. Then immediately change any of the combinations you find to be pwned.

Shield Yourself

The first step is admitting you have a problem—a password simplicity or a reuse problem. Maybe both? Yes, it is easier to use one password on hundreds of websites. However, the seconds you save using just one or a handful of codes can't hold a candle to the hours, days or months you'll lose trying to fix the damage hackers did with your login credentials.

The time to pump up your password habits is when creating a new one. Better security starts with a simple password review:

  • Check out a list of top 100 passwords and avoid them
  • List all your current codes and run them through Hunt's repository to discover whether they're already compromised
  • Cross off any words found in a dictionary
  • Don't use your pet's name or your pet name for your spouse
  • Shun any key data from your life, including a parent's name or first car model

Run ideas still on your list—versions similar but not identical to your choices are best—through a password cracking program to get an estimate on how long hackers need to decode your top selection. Play around by adding or deleting digits and watch as a one-minute crack time switches to one thousand years with a few added keystrokes.

This is a great family activity, too. Children and teens need to witness this as well. Plus, it will give them something to brag about at school tomorrow.

While these online crack services are not super accurate, they will give you a look at how dangerous some of your past choices really were.
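The review checklist and the crack-time estimate described above can be sketched in a few lines. This is an added example, not code from the article or from any cracking service: the guess rate, the four-entry common list and the `personal` tokens are assumptions, so absolute times will differ from any online estimator.

```python
import string

# Passwords the article names as common. Constructed stand-in for a real
# top-100 or breach list, which a full review would load instead.
COMMON = {"qwerty", "password", "password123", "123456"}

# Assumption: offline attacker speed in guesses per second (hypothetical).
GUESSES_PER_SECOND = 1e10

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

def alphabet_size(pw):
    """Size of the smallest character pool covering every character used."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in pw))
    # Characters outside the four ASCII pools count once each (lower bound).
    return size + len({c for c in pw if not any(c in p for p in POOLS)})

def review(pw, personal=()):
    """Return (findings, seconds to exhaust the brute-force keyspace)."""
    low = pw.lower()
    findings = []
    if low in COMMON:
        findings.append("on common-password list")
    findings += [f"contains personal data: {t}"
                 for t in personal if t and t.lower() in low]
    if findings:
        return findings, 0.0  # list and dictionary guesses are tried first
    try:
        return findings, alphabet_size(pw) ** len(pw) / GUESSES_PER_SECOND
    except OverflowError:  # keyspace too large for a float
        return findings, float("inf")

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.0f} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    # Candidates taken from the article; "Cowboys" stands in for personal data.
    for pw in ("password123", "Cowboys42", "Isoar42", "Isoar42]"):
        findings, secs = review(pw, personal=("Cowboys",))
        print(f"{pw:12} {humanize(secs):>14}  {'; '.join(findings) or 'no list hits'}")
```

The brute-force figure is an upper bound on exhaustive search only; any password that hits a list is reported as zero because attackers try those guesses before brute force.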

"It's my standard password," no one should say ever. Wouldn't that be fantastic—a world in which everyone embraced the need for variety and complexity in password creation? The good guys would save billions, too. Yet, research shows that we're far from that idyllic world with passwords today.

IDShield 24/7 data monitoring can spot your email addresses when they're compromised and potentially sold on hacker forums. A timely alert can help our members get a jump on changing exposed data and searching for the beginnings of identity theft.


IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.
