Eight characters is the minimum password length on many websites. A short password is easy to crack, but much depends on how complex you make it.
American research company Hive Systems has conducted research on how quickly hackers can crack passwords, and what factors influence that speed. A random password can be cracked in a few seconds, even with relatively inexpensive consumer technology.
Impenetrable Combination
For its annual password table for 2025, Hive Systems tested how quickly an attacker with a setup of twelve RTX 5090 GPUs can decipher passwords of various lengths and complexities. The result is unsettling: an eight-character password using only numbers is cracked immediately. If you use lowercase letters in those eight characters, it takes three weeks.
To be as secure as possible, use a password of eighteen characters with lowercase letters, uppercase letters, numbers, and symbols. Then hackers would need a whopping 463 quintillion years (463,000,000,000,000,000) to decipher it. Impossible to hack, therefore.
AI Makes It Even Worse
Those who think that hackers don’t know other methods forget how quickly AI systems are evolving. Hive Systems also tested how fast the hardware that trains ChatGPT and the hardware on which the GPT-3 and -4 AI models run can crack passwords. With these systems, a complex eight-character password is guessed within two months. A simple one in less than an hour.
This is due to more powerful hardware and outdated security at some services. Hive points to the LastPass breach from 2022, where millions of stored passwords were insufficiently encrypted. A modern GPU cluster can easily break through these.
What Can You Do?
Use passwords of at least sixteen characters with uppercase letters, numbers, and special symbols. Even better: switch to passkeys. These are resistant to brute-force attacks and phishing, writes PCWorld. Combine that with a password manager and two-factor authentication, and you’re already much more secure.