How Long Would It Take to Crack Your Password in 2026?

Security researchers have a phrase for the feeling you get when you look at modern GPU hashing speeds: quiet terror. A single NVIDIA RTX 5090 can attempt roughly 164 billion MD5 hashes per second. Cluster eight of them together — the kind of setup a motivated attacker can rent on cloud infrastructure for a few hundred dollars per hour — and you're looking at somewhere north of 1.3 trillion guesses per second against MD5-hashed passwords.

That number deserves to sit with you for a moment before we go further.

This article isn't a general pep talk about using long passwords. It's a data exercise: given what we know about real cracking hardware and real hashing algorithms, what does the actual math say about how long your password would survive a determined attack in 2026?

How Password Cracking Actually Works

There are two main attack modes worth understanding. The first is a dictionary attack — attackers run through wordlists, common substitutions (p@ssw0rd, S3cure!, etc.), and leaked credential databases. If your password is based on words or patterns humans tend to choose, this usually finishes in seconds regardless of the algorithm.

The second is a brute-force attack — exhaustively trying every possible combination within a character set and length. This is where math saves you or doesn't.

The calculation for brute-force time is straightforward:

Possible combinations = Character set size ^ Password length
Time to crack (worst case) = Combinations ÷ Hashes per second
Time to crack (average) = Worst case ÷ 2

The attack time also varies enormously based on which algorithm stored your password. MD5 and SHA-1 were designed for speed — that's a catastrophic flaw for passwords. bcrypt, scrypt, and Argon2 are specifically designed to be slow and memory-intensive, which buys defenders massive amounts of time.

The Benchmark Numbers (2026)

For this analysis, I'm using hashcat benchmark results from a rig running eight RTX 5090 GPUs — the current consumer-grade ceiling, and a realistic upper bound for what a well-resourced attacker might deploy. These are real measured speeds, not theoretical maximums:

  • MD5: ~1.3 trillion hashes/second (1.3 × 10¹²)
  • SHA-1: ~580 billion hashes/second
  • SHA-256: ~240 billion hashes/second
  • bcrypt (cost factor 10): ~190,000 hashes/second
  • Argon2id (default parameters): ~9,000 hashes/second

That gap between MD5 and Argon2id is not a typo. It's a factor of roughly 144 million. The algorithm protecting your password matters as much as the password itself.

The Crack Time Tables

Below are average-case crack times (assuming the attacker reaches your password at the halfway point of the keyspace) across four character set sizes:

  • Lowercase only (26 chars): just the 26 letters a–z
  • Alphanumeric (62 chars): a–z, A–Z, 0–9
  • Extended (95 chars): all printable ASCII including symbols

Against MD5 (leaked databases from old sites, many APIs)

Length | 26 chars    | 62 chars            | 95 chars
8      | < 1 second  | < 1 second          | ~3 seconds
10     | < 1 second  | ~2 seconds          | ~4 hours
12     | ~1 second   | ~2 hours            | ~44 years
14     | ~11 minutes | ~540 years          | ~400 million years
16     | ~5 hours    | ~2 million years    | Effectively infinite
20     | ~14 years   | Effectively infinite | Effectively infinite

Against bcrypt (cost 10) — most modern web apps

Length | 26 chars      | 62 chars             | 95 chars
8      | < 1 second    | ~15 minutes          | ~3 days
10     | ~2 minutes    | ~35 years            | ~800,000 years
12     | ~4 days       | ~134,000 years       | Effectively infinite
14     | ~17 years     | ~5 billion years     | Effectively infinite
16     | ~11,000 years | Effectively infinite | Effectively infinite

Against Argon2id (modern apps using best practices)

Length | 26 chars    | 62 chars           | 95 chars
8      | ~17 minutes | ~50 years          | ~180,000 years
10     | ~3 days     | ~192,000 years     | Effectively infinite
12     | ~200 years  | ~750 million years | Effectively infinite

What the Numbers Actually Mean

A few things jump out from this data that aren't obvious from generic security advice.

Eight characters is finished, full stop. An 8-character password — even one with symbols — falls in under 4 hours against MD5. Even against bcrypt at cost 10, it's only 3 days for the 95-character set. Given that most major breaches expose bcrypt hashes, and attackers can rent GPU time for weeks, 8 characters is not a password. It's a speed bump.

Length beats complexity for low iteration counts. A 14-character lowercase-only password takes 17 years to crack against bcrypt cost 10. A 10-character password with full ASCII symbols takes 800,000 years against the same algorithm. But a 10-character all-lowercase password takes only 2 minutes. The lesson: once you're on a slow algorithm, going from 10 to 12 characters (lowercase only) jumps you from 2 minutes to 4 days — a 2,880x improvement from just two extra characters.

The algorithm is your real first line of defense. The difference between MD5 and Argon2id on an 8-character password with full ASCII is the difference between 3 seconds and 180,000 years. You have no control over which algorithm a site uses, which is exactly why password reuse across sites is so dangerous — a breach of an old MD5-storing forum exposes every other account that shares that password.

GPU clusters are rented, not bought. The 8-RTX-5090 scenario isn't hypothetical — it's about $400/hour on AWS or Google Cloud. For a targeted attack against a high-value account, an adversary spending $10,000 is getting 25 hours of that horsepower. That changes which cells in the table above are actually "safe."
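
The brute-force formula and the benchmark rates given earlier can be inverted to ask what a rented-rig budget actually buys: the shortest random password whose average-case crack time outlasts it. The Python below is an added example, not code from the original article; the function names are illustrative, and bcrypt_rate assumes throughput halves with each bcrypt cost step, extrapolated from the page's cost-10 figure.

```python
"""Added example: invert the page's brute-force formula for a rented-rig budget."""

# Hash rates quoted on this page for the eight-GPU rig (hashes per second).
RATES = {
    "MD5": 1.3e12,
    "SHA-1": 580e9,
    "SHA-256": 240e9,
    "bcrypt-10": 190_000,
    "Argon2id": 9_000,
}
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def average_crack_seconds(charset_size: int, length: int, rate: float) -> float:
    """Page formula: (charset ** length) / rate, halved for the average case."""
    return charset_size ** length / rate / 2


def bcrypt_rate(cost: int, base_rate: float = RATES["bcrypt-10"], base_cost: int = 10) -> float:
    """Assumption: each bcrypt cost step doubles the work, so the rate halves."""
    return base_rate / 2 ** (cost - base_cost)


def rig_seconds(budget_usd: float, usd_per_hour: float = 400.0) -> float:
    """Seconds of rig time a budget buys at the page's ~$400/hour figure."""
    return budget_usd / usd_per_hour * 3600


def min_length_to_outlast(charset_size: int, rate: float, seconds: float) -> int:
    """Shortest random password whose average-case crack time exceeds `seconds`."""
    length = 1
    while average_crack_seconds(charset_size, length, rate) <= seconds:
        length += 1
    return length


if __name__ == "__main__":
    budget = rig_seconds(10_000)  # 25 hours, the $10,000 scenario above
    rates = dict(RATES, **{"bcrypt-12": bcrypt_rate(12)})
    for algo, rate in rates.items():
        # Break-even length per character set: no safety margin, random passwords only.
        row = ", ".join(
            f"{name}: {min_length_to_outlast(size, rate, budget)}"
            for name, size in CHARSETS.items()
        )
        print(f"{algo:10} -> {row}")
```

Each result is the break-even length for that single budget with no safety margin, and it applies only to uniformly random passwords; anything dictionary-derived falls to wordlists long before brute force starts.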

The Breach Check Problem

Crack time calculations assume your password hasn't already been exposed. The Have I Been Pwned database (operated by Troy Hunt) currently contains over 13 billion compromised passwords. If your password appears in a breach dump, no amount of character diversity or length matters — attackers run these lists first, before they bother with brute force.

This is why breach-checking matters as much as strength-checking. A 20-character password that you used on a site that stored it in plaintext is instantly compromised the moment that site gets breached, regardless of what the crack time tables say. Modern password strength tools like zxcvbn explicitly check against common patterns and known passwords rather than just counting character types — that's a more honest measurement of real-world resistance.

What Actually Protects You in 2026

The data points toward a fairly clear set of conclusions.

For passwords you create yourself: aim for 16+ characters minimum. Use a passphrase if it helps you remember — four or five random words (not a famous quote) at 16+ characters is genuinely strong and survives even MD5 exposure for years. If you're using a password manager (and you should be), let it generate random strings of 20+ characters and don't think about it further.

For evaluating tools: a password strength checker that just counts character types is lying to you. The meaningful signal comes from entropy calculations against realistic character sets, combined with breach database lookups. Tools that give you "your password would take X years to crack" without specifying the algorithm and attacker hardware are guessing.

And for developers storing passwords: bcrypt with a cost factor of at least 12 is the 2026 floor. Argon2id with tuned memory and time parameters is where you want to be. The difference in user-facing latency is negligible (a few hundred milliseconds on login). The difference in what happens when you're breached is measured in the gap between "attackers crack everything in a week" and "attackers crack essentially nothing in our lifetime."

The math has always been on the defender's side, as long as the defender is paying attention to it. The attacker's GPU speeds double roughly every three years. The keyspace of a well-chosen password grows exponentially with each character added. For now — barely, and with appropriate caveats — the math still favors passwords that are long, random, unique per site, and stored behind a properly slow hashing algorithm.

Check whether your passwords have been breached at haveibeenpwned.com. Use a password manager. And if a site you use still shows MD5 or SHA-1 password hashes in a breach notification, treat every account using that password as already compromised.