How Long Should Your Password Be in 2026? The Data Says...
There's a number floating around the internet — usually 12 characters — treated as some universal password length standard. Security blogs recite it. Password managers default to it. IT departments enforce it in their policies. But where did it come from, and does it still hold up against the hardware available today?
Spoiler: it depends heavily on what characters you use, what algorithm hashes your password, and whether you've thought about the difference between cracking speed in 2019 versus cracking speed in 2026. Let's look at the actual numbers.
The Hardware Reality in 2026
Password cracking is overwhelmingly a GPU problem. Modern GPUs can test billions of password candidates per second against a stolen hash set, which is exactly the situation after a data breach: the attacker downloads the hashed password database and runs the attack offline, where no rate limiting, lockout or second factor stands in the way.
The RTX 4090 launched in late 2022 and quickly became the go-to cracking card. Benchmarks from hashcat (the open-source cracking tool researchers use) put it at roughly 164 billion MD5 hashes per second. For comparison, the RTX 3090 from late 2020 managed around 68 billion. That's a 2.4x jump in two years.
By mid-2026, the landscape has expanded further:
- RTX 5090: ~290–320 billion MD5/s (single card)
- RTX 4090: ~164 billion MD5/s
- 8-card RTX 4090 rig: ~1.3 trillion MD5/s
- Cloud renting (A100 cluster): accessible for under $10/hour, capable of hundreds of billions of hashes/second per workload
But MD5 is famously weak — almost no serious service hashes passwords with MD5 anymore. The real-world numbers shift dramatically depending on the hashing algorithm, which is why "how long to crack" questions require knowing both sides of the equation.
Why the Algorithm Matters As Much As the Length
Here's the part most password length discussions skip over. There's roughly a hundred-million-fold difference in cracking speed between the fastest and slowest password hashing algorithms in the table below (164 billion/s for MD5 versus about 900/s for Argon2id):
| Algorithm | RTX 4090 Speed | Relative Resistance |
|---|---|---|
| MD5 | ~164 billion/s | Baseline (terrible) |
| SHA-1 | ~57 billion/s | Still terrible |
| SHA-256 | ~23 billion/s | Bad |
| bcrypt (cost 5, hashcat's benchmark default) | ~184,000/s | Decent (each +1 cost halves the rate; cost 10 is 32x slower) |
| Argon2id (moderate params) | ~900/s | Good |
| scrypt (N=32768) | ~1,500/s | Good |
If a site stores your password with bcrypt, hashcat's published RTX 4090 benchmark (which runs at cost 5) gives an attacker with a single card about 184,000 guesses per second against your hash; a deployment at cost 10, still a common setting, is 2^5 = 32 times slower again, around 5,800 per second. If the site uses MD5, the same card tests 164 billion per second. The gap is almost unfathomable.
This matters enormously for the length question. A shorter password can be completely secure against one algorithm and crackable in minutes against another. Any advice about password length that doesn't acknowledge this is incomplete.
Crack Time by Character Set and Length
Let's run the numbers. The keyspace, the total number of possible passwords, grows exponentially with length. The formula is simple: characters^length. The worst-case time to crack is the keyspace divided by the hash speed (an exhaustive search that finishes only on the last candidate); a uniformly random password is found on average after half the keyspace, so the expected time is half of each worst-case figure.
We'll look at three character sets: lowercase only, mixed alphanumeric, and full printable ASCII (94 characters).
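The keyspace and crack-time arithmetic above, as an added example that is not part of the original article: a small calculator that takes the per-algorithm rates quoted on this page (the bcrypt rate being hashcat's cost-5 benchmark, with cost 10 derived by halving it five times), the three character-set sizes, and a list of lengths, and returns worst-case or expected crack times in seconds plus a human-readable rendering. The rate table, the 365.25-day year and the choice of lengths are this example's own assumptions.

```python
import math

# Single-card RTX 4090 rates (candidates/second) as quoted in this article.
# The bcrypt figure is hashcat's published benchmark, which runs cost 5;
# every +1 cost halves it, so cost 10 is 184_000 / 2**5 (assumption: the
# slowdown is exactly 2x per cost step, which is how bcrypt is defined).
RATES = {
    "md5": 164e9,
    "sha1": 57e9,
    "sha256": 23e9,
    "bcrypt_cost5": 184_000,
    "bcrypt_cost10": 184_000 / 32,
    "argon2id": 900,
}

# Character-set sizes used in the tables.
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable": 94}

# Largest unit first; a year is taken as 365.25 days.
SECONDS_PER = [("years", 31_557_600.0), ("days", 86_400.0),
               ("hours", 3_600.0), ("minutes", 60.0), ("seconds", 1.0)]


def keyspace(charset_size: int, length: int) -> int:
    """All distinct passwords of exactly `length` symbols: charset_size ** length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity in bits: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def crack_seconds(charset_size: int, length: int, rate: float,
                  expected: bool = False) -> float:
    """Seconds to search the keyspace at `rate` guesses/second.

    expected=True gives the average case (half the keyspace), which is what
    an attacker actually experiences against a uniformly random password.
    """
    guesses = keyspace(charset_size, length)
    if expected:
        guesses /= 2
    return guesses / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def crack_table(rate: float, lengths=(8, 10, 12, 16)) -> dict:
    """{length: {charset_name: worst-case time as text}} for one hash rate."""
    return {
        n: {name: human(crack_seconds(size, n, rate))
            for name, size in CHARSETS.items()}
        for n in lengths
    }


if __name__ == "__main__":
    for algo in ("md5", "bcrypt_cost5", "bcrypt_cost10"):
        print(f"\n== {algo}: {RATES[algo]:,.0f} guesses/s, worst case ==")
        for n, row in crack_table(RATES[algo]).items():
            print(f"{n:>2} chars  " + "  ".join(f"{k}: {v}" for k, v in row.items()))
    # How many extra printable characters the faster algorithm is "worth".
    ratio = RATES["md5"] / RATES["bcrypt_cost5"]
    print(f"\nMD5 vs bcrypt(cost 5) speed ratio {ratio:,.0f}x "
          f"= about {math.log(ratio, 94):.1f} extra printable characters")
```

Run it and compare its output with the two tables that follow; the last line of the script is the quickest way to see why switching a site from MD5 to bcrypt is worth roughly three extra random characters to every one of its users.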
Against bcrypt at ~184,000/s (hashcat's cost-5 benchmark figure; a cost-10 deployment is 32x slower, so these times are conservative)
Assuming ~184,000 hashes/second on one RTX 4090 and a worst-case exhaustive search of the full keyspace; the expected time for a random password is half of each figure
| Length | Lowercase only (26) | Upper+lower+digits (62) | Full ASCII printable (94) |
|---|---|---|---|
| 8 chars | ~13 days | ~38 years | ~1,050 years |
| 10 chars | ~24 years | ~145,000 years | ~9.3 million years |
| 12 chars | ~16,000 years | ~560 million years | ~82 billion years |
| 16 chars | ~7.5 billion years | Astronomical | Astronomical |
Against MD5 — legacy systems, some old forums, some databases
Assuming ~164 billion hashes/second, same RTX 4090
| Length | Lowercase only (26) | Upper+lower+digits (62) | Full ASCII printable (94) |
|---|---|---|---|
| 8 chars | ~1.3 seconds | ~22 minutes | ~10 hours |
| 10 chars | ~14 minutes | ~59 days | ~10 years |
| 12 chars | ~7 days | ~620 years | ~92,000 years |
| 16 chars | ~8,400 years | ~9 billion years | Astronomical |
The contrast is stark. An 8-character password drawn from full printable ASCII behind bcrypt takes on the order of a thousand years to exhaust on one card, but the same password behind MD5 falls in about 10 hours, and in well under two hours on an 8-card rig. This is why password reuse across sites is so dangerous: you might have a strong password, but a breach on a poorly-secured site hands attackers your hash, and they can crack it at the fast algorithm's speed and then log in everywhere else.
Where Dictionary Attacks Change Everything
The tables above assume random, uniformly distributed passwords. Real human passwords are not random. Most people pick words, names, dates, and predictable patterns — and attackers know this.
Hashcat ships with wordlists and rule sets that transform simple words into common password variants: password becomes P@ssw0rd, pa$$word, P4ssword!, and thousands of other combinations. The famous rockyou.txt wordlist has over 14 million real passwords leaked from a 2009 breach. Modern attack lists are far larger.
This changes the math entirely. A dictionary-based attack doesn't need to try every possible 12-character string; it only needs to try, say, the 50 million most common passwords and their variants. At MD5 speed that is a fraction of a second per hash; even against bcrypt at 184,000 guesses per second it is under five minutes per hash.
The practical implication: randomness matters as much as length, maybe more. A genuinely random 10-character password drawn from full ASCII is vastly stronger than a 16-character passphrase built around a word your family would recognize. A passphrase of words chosen at random (the "correct horse battery staple" style) is also good, but count the words honestly: with a 7,776-word Diceware-style list, four words give 7,776^4, about 3.7 × 10^15 candidates or 52 bits, which is roughly the keyspace of 8 random printable characters. That is centuries behind bcrypt but only about six hours behind MD5 on one card, so six random words (about 78 bits) is the safer default.
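The rule-driven transformation described above, as an added example that is not part of the original article and not hashcat's own code: a toy engine implementing a handful of hashcat-style rule functions (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `$X`, `^X`, `sXY`) over a constructed wordlist, and a `crack()` that hashes every word × rule candidate until one matches a target. The five-word wordlist, the 18-entry rule list and the target hash (computed inline from a constructed password) are all this example's own constructions; SHA-256 is used for the target only because it is always available in `hashlib`, the candidate generation is identical for any algorithm.

```python
import hashlib
from itertools import product

# Constructed five-word "wordlist"; a real attack uses rockyou.txt or larger.
WORDLIST = ["letmein", "dragon", "password", "monkey", "sunshine"]

# Constructed rule list using a subset of hashcat's rule syntax:
#   :  no-op      l/u  lower/upper   c  capitalise   t  toggle case
#   r  reverse    d    duplicate     $X append X     ^X prepend X
#   sXY replace every X with Y
RULES = [":", "l", "u", "c", "r", "$1", "$!", "c $1", "c $!", "sa@", "so0",
         "c sa@", "c so0", "c sa@ so0", "c sa@ so0 $!", "c sa@ so0 $1", "t", "d"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one whitespace-separated hashcat-style rule string to a word."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        if f in " :":
            pass                      # separator / no-op
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "$":                # append the next character
            i += 1
            w = w + rule[i]
        elif f == "^":                # prepend the next character
            i += 1
            w = rule[i] + w
        elif f == "s":                # substitute X -> Y (next two characters)
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return w


def sha_hex(text: str, algo: str = "sha256") -> str:
    """Hex digest of an unsalted hash, standing in for a breached database entry."""
    return hashlib.new(algo, text.encode()).hexdigest()


def candidate_count(words, rules) -> int:
    """Size of the candidate space: one guess per (word, rule) pair."""
    return len(words) * len(rules)


def crack(target_hex: str, words, rules, algo: str = "sha256"):
    """Hash every word x rule candidate until one matches target_hex.

    Returns (candidate, base_word, rule, guesses_made) or None. The target is
    unsalted, so each hash computation tests one candidate against this one
    entry; with a salted scheme the same loop runs once per target hash.
    """
    guesses = 0
    for word, rule in product(words, rules):
        cand = apply_rule(word, rule)
        guesses += 1
        if sha_hex(cand, algo) == target_hex:
            return cand, word, rule, guesses
    return None


if __name__ == "__main__":
    # Constructed target: the hash a breached site might have stored.
    target = sha_hex("P@ssw0rd!")
    print("candidate space:", candidate_count(WORDLIST, RULES),
          "guesses, versus", 94 ** 9, "for a 9-character brute force")
    print("result:", crack(target, WORDLIST, RULES))
```

The point of running it is the `guesses_made` figure in the result: a password that looks like it has symbols, digits and mixed case falls inside a hundred guesses because it is one word plus one rule, and none of the brute-force tables above apply to it.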
The Real Inflection Points
Looking at the data across different algorithms and character sets, a few practical thresholds emerge:
8 characters is effectively broken. Even drawn from the full 94-character set, an 8-character password is within reach of modest hardware against fast hashes: on MD5 or SHA-1 (still depressingly common) it falls in about a day or less on a single card, and in seconds to about an hour if it is lowercase-only or alphanumeric. Only a slow hash like bcrypt or Argon2id pushes it out of reach, and you don't get to choose the hash.
12 characters with good character diversity is the meaningful minimum. Against bcrypt or stronger algorithms, 12 random characters across upper, lower, digits, and symbols is far out of reach: the table above gives hundreds of millions of years on one card for the alphanumeric set alone, and an 8-card rig or a rented cluster only divides that by a small constant. The old "12 is fine" advice is correct, but only if your characters are genuinely random.
16+ characters makes brute-force economically irrational. At 16 random characters with a full character set, the expected crack time on any current hardware exceeds the age of the universe. Even with dramatically improved hardware, the math remains astronomical. This is the territory where the attack surface shifts entirely to social engineering, phishing, and credential stuffing from other breaches — not computation.
The algorithm floor matters. No password length will protect you reliably if the site stores passwords with MD5 or SHA-1 without salting. The speed gap between MD5 and bcrypt in these tables (about 890,000x) is close to 94^3, so a 13-character random printable-ASCII password behind MD5 has roughly the protection of a 10-character one behind bcrypt. You don't control how sites store your passwords, which is why password reuse is so catastrophically risky.
What This Means Practically
The GPU benchmarks point toward a few concrete conclusions:
First, a random password generator with a minimum of 16 characters and full character sets (using something like Bitwarden's built-in generator, 1Password, or a well-regarded standalone generator) puts you comfortably past any brute-force scenario that's economically rational in 2026 or the foreseeable future. You're not guarding against compute improvements — you're guarding against the attack becoming worth the cost.
Second, the difference between 12 and 16 characters is meaningful against weaker algorithms, but matters much less against bcrypt with a good cost factor or Argon2id. If you know a site uses modern password hashing, 12 genuinely random characters is probably fine. If you don't know — and you usually don't — defaulting to 16+ costs you nothing.
Third, symbols matter, but not uniformly. Moving from lowercase-only to mixed case and digits has a much larger keyspace effect than adding symbols to an otherwise alphanumeric string: at 12 characters, 62^12 is about 34,000 times 26^12, while 94^12 is about 150 times 62^12. Widening from 62 to 94 characters multiplies each position's choices by only 1.5, and although that compounds with length, a single extra character in the full set multiplies the keyspace by 94 on its own. Meaningful, but length is still the bigger lever.
Finally, multi-card cracking rigs and cloud GPU rentals mean that what previously required specialized hardware is now accessible to anyone willing to spend a few hours of cloud compute. The threshold for "reasonable attacker" keeps expanding. Passwords that were secure in 2018 are more vulnerable simply because the tools are cheaper and more widely available.
The answer to "how long should your password be?" is genuinely: as long as your password manager will generate and store without you having to think about it. The limit is no longer human memory or typing speed — it's just trust in the tool generating and storing the string. Set your generator to 20 characters, let it pick randomly, and stop worrying about whether you're on the right side of the inflection point.
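A generator of the kind recommended above, as an added example that is not part of the original article and not the code of Bitwarden, 1Password or any other product: it draws characters and words with Python's `secrets` module (the OS CSPRNG, unbiased selection), reports the entropy of what it produced, and answers the title question directly with `minimum_length()`, the smallest number of symbols from a given set that reaches a target number of bits. The 128-bit target, the 12-word stand-in wordlist and the 94-character printable set are this example's assumptions.

```python
import math
import secrets
import string

# The 94 printable ASCII characters without the space: letters, digits,
# and the 32 punctuation characters. This is the "full ASCII" set above.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a Diceware-style list; a real list has 7,776 words.
WORDS = ["correct", "horse", "battery", "staple", "anvil", "cobalt",
         "meadow", "quartz", "lantern", "pepper", "violet", "walnut"]


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG.

    secrets.choice picks uniformly (no modulo bias) and unpredictably; the
    random module does neither and must never be used for secrets. Every
    position is an independent draw, so no character class is "guaranteed",
    which is what keeps the entropy at exactly length * log2(len(alphabet)).
    """
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform draws from `choices`."""
    return count * math.log2(choices)


def minimum_length(choices: int, target_bits: float) -> int:
    """Smallest number of draws from `choices` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"({entropy_bits(len(PRINTABLE), 20):.1f} bits)")
    print(random_passphrase(6),
          f"({entropy_bits(7776, 6):.1f} bits with a real 7,776-word list)")
    for label, n in (("printable ASCII", 94), ("alphanumeric", 62),
                     ("lowercase", 26), ("7,776-word list", 7776)):
        print(f"{label:>16}: {minimum_length(n, 128)} symbols for 128 bits")
```

The `minimum_length()` table is the answer in one place: 128 bits is 20 printable characters, 22 alphanumeric ones, 28 lowercase letters, or 10 Diceware words, and 128 bits is comfortably past every brute-force row above regardless of the hash.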