Experts reveal how long it would take a hacker to crack your password

We all assume hackers won’t crack our own passwords, even if they’re simple ones with only a few characters. 

But just how easy is it for someone to break into an online login?

According to new research, anything with six characters, regardless of whether numbers and symbols are included, can be cracked instantly.

The same goes for anything that is seven or eight characters but made up of just numbers or lower case letters.


But the news doesn’t get much better for any eight character combination.

In fact, they can all be guessed in about 39 minutes according to US cybersecurity company Hive Systems, which is based in Richmond, Virginia. 

On the flip side the way to guarantee that your password won’t be cracked for some 438 trillion years is to use 18 characters made up of numbers, upper and lower case letters and symbols. 



| Rank | Password | Time to crack | Users |
|---|---|---|---|
| 1 | 123456 | < 1 sec | 103170552 |
| 2 | 123456789 | < 1 sec | 46027530 |
| 3 | 12345 | < 1 sec | 32955431 |
| 4 | qwerty | < 1 sec | 22317280 |
| 5 | password | < 1 sec | 20958297 |
| 6 | 12345678 | < 1 sec | 14745771 |
| 7 | 111111 | < 1 sec | 13354149 |
| 8 | 123123 | < 1 sec | 10244398 |
| 9 | 1234567890 | < 1 sec | 9646621 |
| 10 | 1234567 | < 1 sec | 9396813 |

SOURCE: NordPass

Of course, that would take you quite a while to input every time.

A more manageable 11 character password featuring the same alternative features would be cracked in around 34 years, the research suggests.

Hive Systems made the colour-coded table for 2022, showing how safe users’ passwords really are.

The company said its data was ‘based on how long it would take a consumer-budget hacker to crack your password hash using a desktop computer with a top-tier graphics card’. 

‘If you use the same password on multiple sites, you’re in for a bad time,’ Hive Systems wrote in a blog post.

The firm also discussed hashing, a technique which protects stolen passwords, and how hackers get around the one-way algorithm.

In the context of passwords, a ‘hash’ is a scrambled version of text that is reproducible if you know what hash software was used. 

For example, if the word ‘password’ is hashed using MD5 software the output would be 5f4dcc3b5aa765d61d8327deb882cf99.  

Passwords you use on websites are stored in servers as hashes instead of in plain text like ‘password’ so that if someone views them, in theory, they won’t know the actual password.

In the given example for ‘password’, the hacker would only see 5f4dcc3b5aa765d61d8327deb882cf99.



| Rank | Password | Time to crack | Users |
|---|---|---|---|
| 1 | 123456 | < 1 sec | 571107 |
| 2 | password | < 1 sec | 423192 |
| 3 | liverpool | < 1 sec | 224160 |
| 4 | password1 | < 1 sec | 162086 |
| 5 | 123456789 | < 1 sec | 152801 |
| 6 | 12345 | < 1 sec | 151914 |
| 7 | qwerty | < 1 sec | 145626 |
| 8 | liverpool1 | 2 Seconds | 123328 |
| 9 | charlie | < 1 sec | 109524 |
| 10 | arsenal | < 1 sec | 107899 |

SOURCE: NordPass

It is impossible to reverse this hash to produce the word ‘password’, but what hackers do is make a list of all the combinations of characters on your keyboard so they can then begin hashing them. 

By finding matches between this list and the hashes from the stolen passwords, hackers can figure out a user’s true password, which in turn allows them access to your logins for various websites.
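The storage difference behind the hashing explanation above, as an added example (not code from Hive Systems or this article): unsalted MD5 gives every user of ‘password’ the same stored value, while a per-user salt with a slow key-derivation function does not. The iteration count, the minimum length and the short blocklist (taken from the tables on this page) are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed blocklist: a few entries from the NordPass tables on this page.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "liverpool", "12345678"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your own hardware
MIN_LENGTH = 12              # assumed policy value


def md5_hex(password: str) -> str:
    """Weak storage: unsalted and fast, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: per-user random salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def acceptable(password: str) -> bool:
    """Signup check: reject short passwords and ones on the common list."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    # Two users choosing the same password: identical MD5, different salted keys.
    print(md5_hex("password") == md5_hex("password"))    # True
    (_, key_a), (_, key_b) = hash_password("password"), hash_password("password")
    print(key_a == key_b)                                # False
    print(acceptable("liverpool"), acceptable("correct horse battery"))
```
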

‘We reviewed password data breaches from 2007 to present, reported through HaveIBeenPwned, to see what attackers have actually been trying to crack and whether that changed over time,’ Hive Systems said.

‘Generally speaking, website logins that people probably care less about, like forums and restaurants, used and continue to use MD5 and SHA-1. 

‘That is a pretty big deal assuming people reuse the same passwords on more concerning sites like banking, government, private messaging, email, and social media.’

In light of the new research, experts have urged the public to use more complicated passwords with unique letter and number combinations, along with two-factor authentication (2FA). 

2FA requires users to provide an additional piece of information, such as a pin code sent via text message, as well as a password. 

Last month London-based card machine provider Dojo analysed data on 100,000 breached passwords from the UK government’s National Cyber Security Centre (NCSC).

It found ‘123456’, ‘qwerty’ and ‘password’ – all easily remembered but notoriously bad choices – were among the most frequently hacked passwords.

Overall, pet names or terms of endearment – including ‘love’, ‘baby’ and ‘angel’ – were found to be the most commonly hacked passwords, ahead of animals, colours and swear words.

Naveed Islam, chief information security officer at Dojo, thinks the public keeps using simple passwords – in spite of ongoing warnings not to – due to ‘password fatigue’. 

This term refers to the strain of having to think up and remember multiple passwords, as more and more of our everyday lives are digitized and we’re required to open online accounts to access basic services. 

‘Attackers exploit these well-known coping strategies, leaving individuals vulnerable,’ he added.

Dan DeMichele, vice president for Product Management at password manager provider LastPass, called strong passwords ‘the first and most essential line of defence against a cyber-attack’.  

‘A strong password is at least 16 characters long and includes a mix of capital and lowercase letters as well as numbers and symbols,’ he said. 

‘Cyber attackers love it when their intended victims are uninformed and unaware about cybersecurity — it makes their task easier. 

‘It’s therefore imperative you keep up to date on security best practices.’ 



– Use a mix of special characters, numbers, capital letters. Including a range of upper and lower-case letters, as well as numbers and symbols (such as $ £ !), makes passwords securer and harder to hack.

– Aim for a long password with a minimum of 8-12 characters. The longer the password, the better. Longer passwords require more time to work out combinations and hackers looking for a quick win may be deterred.

– Use multi-factor authentication. Two-factor authentication requires hackers to get through two layers of security checks before they can get onto your account.

– Use a password manager. When creating multiple unique passwords, it can be tricky to remember them all. Instead of writing passwords down or on your phone’s notes, there are many apps and websites where you can safely store these passwords instead.

– Change your passwords regularly. Changing your passwords often reduces the risk of your accounts being compromised.


– Don’t use personal information in your passwords. Stay away from using any type of personal information in your passwords, such as a name, date of birth, or your pet’s name. This information can easily be discovered by hackers from social media profiles or even public conversations.

– Don’t use obvious sequences of letters or numbers. Avoid using numbers and letters in common sequences such as 1234 or qwerty. These generic formats and memorable keyboard paths are the first to be guessed by hackers.

– Don’t tell anyone your password. Keep your passwords to yourself. If you were to share a password, make sure to change it soon after.

– Don’t automatically save passwords to your browser. It may be very convenient, but allowing your browser to save passwords risks your details being viewed by other people that use your devices.

– Don’t use the same password across multiple accounts. It’s important to not reuse passwords. If one account was to be hacked it could result in exposing other accounts to be breached with the same password.

Source: Dojo
