Top Ways and Time for Hackers to Brute Force Your Passwords – 2021

Last Updated: 30th December, 2020

Time for Hackers to Brute Force Your Passwords


Ever wondered how long will it take for hackers to break into your passwords? The Infographic above shows exacty the time vs complexity of your passwords. Yellow zone passwords are secured and can’t be cracked in an amount of time that isn’t feasible.

How does Passwords Work?

All passwords are first hashed before being stored. A hash is a one way mathematical function that transforms an input into an output. It has the property that the same input will always result in the same output. Modern hashing algorithms are very difficult to break, so one feasible way to discover a password is to perform a brute force attack on the hash.

There are a few factors used to compute how long a given password will take to brute force. To compute the time it will take, you must know the length of the password, the character set used, and how many hashes can be checked every second.

On a modern computer (8 core, 2.8 GHz) using the SHA512 hashing algorithm, it takes about 0.0017 milliseconds to compute a hash. This translates to about 1.7*10^-6 seconds per password, or 588235 passwords per second. Although we will not use the metric in this article, it is important to note that a GPU, or 3D card, can calculate hashes at a speed 50-100 times greater than a computer. For the purposes of this KB article, we will calculate how long given passwords can be cracked using a single modern computer. We also calculate how long they can be cracked using a supercomputer, which is approximately equivalent to a botnet with 100000 computers. Modern supercomputers can be up to 150000 faster than their desktop counterparts and a 100000 computer botnet is feasible; the largest botnet to date is estimated to have 12 million computers. We also assume that on average, the password will be cracked when half of the possible passwords are checked.

As you can see, simply using lowercase and uppercase characters is not enough. If we include numbers, such as in the password “r3Dcr0W5”, there are 62 characters in the set. To break this password, it will take (1.7*10^-6 * 62^8) seconds / 2, or 5.88 years. Although this is infeasible on a single desktop computer, it would still only take 31 minutes to break on a botnet. Even if you increase this to 10 characters, it can be broken in 83 days on a supercomputer or botnet. If that botnet utilizes the GPU for all computers, it can potentially be broken in less than a day.

If you include symbols, then depending on the symbols used, there are about 80 characters in the set. To break a password such as “%ZBGbv]8”, it would take (1.7*10^-6 * 80^8) seconds / 2, or 45.2 years. On a supercomputer or botnet, this will take 4 hours.

So, even if you use a very secure set of characters, your password should be at least 10 characters long. To break a 10 character password that uses letters, numbers, and symbols, such as “%ZBGbv]8g?”, it would take (1.7*10^-6 * 80^10) seconds / 2 or 289217 years. This would take about 3 years on a supercomputer or botnet.

The moral of the story is that passwords should be at least 10 characters long and include a mix of numbers, lowercase letters, uppercase letters and symbols.

Top ways Hackers Brute Force your password

1. Brute Force

Risk Level: Low

Surprisingly not as prevalent as people tend to think, brute forcing passwords is difficult, time-consuming and expensive for criminals.

What Is It?

It’s the kind of thing that security researchers like to write about, or which you might see in TV shows: a hacker runs an algorithm against an encrypted password and in 3…2…1… the algorithm cracks the password and reveals it in plain text.

How Does It Work?

There are plenty of tools like “Aircrack-ng”, “John The Ripper”, and “DaveGrohl” that attempt to brute force passwords. There’s generally two kinds of cracking available. The first is some form of “dictionary” attack – so called because the attacker just tries every word in the dictionary as the password. Programs like those mentioned above can run through and test an entire dictionary in a matter of seconds.

How Can You Stay Safe?

The key to staying safe from brute force attacks is to ensure you use passwords of sufficient length. Anything 16 characters or over should be sufficient given current technology, but ideally future-proof yourself by using a passphrase that is as long as the maximum allowed by the service that you’re signing up to. Avoid using any service that doesn’t let you create a password longer than 8 or 10 characters. Worried about how you’d remember a super long password? 

2. Phishing

Risk Level: High

Over 80% of all cyber crimes begin with a Phishing.

 Hackers love to use phishing techniques to steal user credentials, either for their own use, or more commonly to sell to criminals on the dark net.

What Is It?

Phishing is a social engineering trick which attempts to trick users into supplying their credentials to what they believe is a genuine request from a legitimate site or vendor.

How Can You Stay Safe?

Use 2-factor or multi-factor authentication. Although researchers have developed tricks to overcome these, in the wild cases are yet to be reported. Caution is your number one defense against phishing. Ignore requests to sign in to services from email links, and always go directly to the vendor’s site in your browser. Check emails that contain attachments carefully. The majority of phishing emails contain misspellings or other errors that are not difficult to find if you take a moment to inspect the message carefully.