Study: This is how much time it will take to crack a password in 2025
New analyses suggest that more powerful hardware is available due to the AI boom, which also significantly speeds up the cracking of passwords.
(Image: dpa, Jens Büttner/zb/dpa)
Compared to 2024, the time it takes to crack passwords with graphics processing units (GPUs) for the consumer sector has decreased by almost 20 percent. An eight-character password consisting of only lowercase letters can now be cracked in just 3 weeks. This is according to the Password Table 2025 published by Hive Systems on World Password Day in early May. In view of this development, the IT security company argues that the computing capabilities readily available on the market, which can also be used to crack passwords, have "dramatically accelerated" within a year.
According to Hive, the speed at which passwords can be cracked using hardware for systems with artificial intelligence (AI) has increased by over 1.8 billion percent compared to devices for private use. This is due to the boom in large language models in particular, such as ChatGPT, Gemini or Claude, which have to be trained with a lot of data and are therefore also very hardware-hungry.
"We are experiencing an astronomical ramp-up in computing power," explains Alex Nette, CEO of Hive Systems. Today's AI hardware is changing cyber security risks. Passwords that were secure last year could "now be cracked in a fraction of the time".
Better password hygiene required
Hive's password table provides an annually updated overview of how quickly an attacker with modern hardware can crack passwords of various lengths and complexities using brute-force methods. All conceivable character combinations are systematically tried until the correct password is found. The more computing power is available, the faster this search runs.
According to Hive, this year's results reflect the combined effects of faster GPUs, distributed cloud computing and AI-specialized hardware. The security experts see this as a reminder "that password hygiene must evolve alongside technology". Shorter, simpler passwords that used to last for years are now vulnerable to attack within months, weeks or even days. This time window is getting smaller and smaller as computing power increases.
The password table simulates how long a brute-force attack would take against passwords of various lengths and complexities. For its 2025 calculations, Hive uses twelve Nvidia GeForce RTX 5090s as the baseline; these are currently the most powerful consumer GPUs and provide a large amount of computing power. Last year, the experts used twelve units of the predecessor model, the RTX 4090, i.e. significantly less computing power.
Bcrypt used as a hash function
When attackers infiltrate a company's IT systems and gain access to the relevant databases, they usually get their hands on stored password hashes, not the passwords in plain text. A hash digest such as 5f4dcc3b5aa765d61d8327deb882cf99 cannot be calculated back to recover the word "password" from which it was generated. Attackers therefore generate hashes for all possible letter/number combinations and compare them with the captured ones. In principle, this can be done with any computer, but it is significantly faster if the process is accelerated with powerful graphics cards. To create the table, Hive uses the now common bcrypt algorithm as the hash function and selects a cost factor of 10 (32768 iterations).
It should be 13 characters
Under these conditions, a PIN with eight digits can be cracked in 15 minutes with twelve RTX 5090 GPUs, according to the table. If upper and lower case letters as well as symbols and special characters are also used, computers with 12 such graphics cards need 165 years.
In this constellation, users with a 13-character password are already in the halfway-green zone: cracking such a password should currently take 56 billion years. The previous year's table is not directly comparable with the current one, as Hive then assumed the use of an RTX 4090 GPU and a bcrypt cost factor of 5.
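To make the table's model concrete, here is an added Python estimator (not Hive's code and not from the article). It assumes a brute-force attacker exhausts the full keyspace, calibrates its hash rate from the article's 15-minute figure for an eight-digit PIN at bcrypt cost 10 on twelve RTX 5090s, and treats each +1 in the bcrypt cost factor as doubling the work per hash (2**cost rounds); the 95-symbol "all printable" character set is likewise an assumption.

```python
SECONDS_PER_YEAR = 365.25 * 86400

# Character-set sizes for the password classes the table distinguishes.
# The 95-symbol "all printable ASCII" set is an assumption; Hive's exact set is not stated.
CHARSETS = {"digits": 10, "lowercase": 26, "mixed_case": 52,
            "mixed_case_digits": 62, "all_printable": 95}

# Calibration (assumption): the article says an 8-digit PIN (10**8 candidates)
# falls in 15 minutes at bcrypt cost 10 on twelve RTX 5090s. Hive's actual
# hash-rate figure is not on the page, so this is only an implied rate.
REF_COST = 10
REF_HASHES_PER_SEC = 10**8 / (15 * 60)  # ~111,111 bcrypt(cost=10) hashes/s

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings an exhaustive search must try."""
    return charset_size ** length

def hashes_per_sec(cost: int) -> float:
    """bcrypt performs 2**cost key-setup rounds, so every +1 in the cost
    factor halves the attacker's rate (cost 5 is 32x faster than cost 10)."""
    return REF_HASHES_PER_SEC * 2.0 ** (REF_COST - cost)

def seconds_to_exhaust(charset_size: int, length: int, cost: int = REF_COST) -> float:
    """Worst-case time for a brute-force run over the whole keyspace."""
    return keyspace(charset_size, length) / hashes_per_sec(cost)

def min_length(charset_size: int, target_seconds: float, cost: int = REF_COST) -> int:
    """Shortest length whose full keyspace takes longer than target_seconds."""
    length = 1
    while seconds_to_exhaust(charset_size, length, cost) <= target_seconds:
        length += 1
    return length

def human(seconds: float) -> str:
    """Format a duration in the table's units (seconds ... years)."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    print("8 lowercase, cost 10:", human(seconds_to_exhaust(CHARSETS["lowercase"], 8)))  # about 3 weeks
    print("8 lowercase, cost 5: ", human(seconds_to_exhaust(CHARSETS["lowercase"], 8, cost=5)))
    print("min length (all printable) to exceed 100 years:",
          min_length(CHARSETS["all_printable"], 100 * SECONDS_PER_YEAR))
```

The eight-lowercase-letter case lands at roughly three weeks, matching the article, but the other published figures (165 years, 56 billion years) do not fall out of this single calibration, so Hive's character sets and rate assumptions evidently differ; treat the output as illustrative of the scaling, not as Hive's numbers.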
What if someone were to spend a lot of money and deploy an army of high-performance graphics cards? OpenAI is said to have trained ChatGPT-4 using 20,000 A100 Tensor Core GPUs from Nvidia. According to the table, this would allow a purely numeric PIN of four to ten digits to be cracked almost instantly. Cracking a ten-character password with upper and lower case letters takes more than an average human lifetime, namely 112 years. Even with this concentrated GPU computing power, a fourteen-character password with special characters, numbers, and upper and lower case letters takes 52 billion years to crack.
The table generally shows the maximum time required for a pure brute-force attack. In reality, other attack methods such as dictionary attacks, rainbow tables or the exploitation of stolen password databases often lead to success more quickly, especially if credentials have already been compromised. The overall focus of the overview is on education.
(wpl)