This table shows how many seconds or centuries it would take a hacker to figure out your passwords

If your password is “123456” The “pass“, the time needed to calculate it and find it during a ‘brute force attack’ is so small that it can be defined as instantaneous. On the contrary, counting as a password with a text string like ‘¡3lP4ter_Br4un!‘, we could force the attacker’s system to calculate alternatives for 2 billion years.

We can know this thanks to a table that has circulated for years on the Internet (with some minor variations) and showing approximations of the time it might take to calculate passwords depending on the number of characters used (between 3 and 18), and if they contain only numbers, only uppercase or lowercase letters, both combined, or all of the above combined with symbols. The first published version of this table is as follows:


2012 chart.

An ancestor of this chart (not yet color coded) was first published in “Troubleshooting Windows 7 Inside Out”, a 2010 book by Mike Halsey (MVP de Microsoft) and, according to its own author, recognized Two years laterthe data comes from the website HowSecureIsMyPassword.net, a site that now has been moved to Security.organd that allows us to enter passwords so that it shows us an estimate of the time it would take to break them.

It takes less and less to break passwords

Both the boxes in the table and the results of the aforementioned website assign a color code to each password type that indicates how optimal it is over time… although it is worth making a clarification: if you see periods of time in yellow that are greater than others marked in green, it is because the possible future evolution of the hardware is taken into accountwhich theoretically could shorten in a few years the calculation of a certain time of passwords until they become inadequate for our long-term security.

Bitwarden and three other free password managers to replace Lastpass and 1Password

Do you remember the password of the 2,000 million years that we proposed in the first paragraph? In the 2012 version of the table, a duration of 97,000 million years was calculated. Halsey himself – pointing to the Ley de Moore and to the generalization of GPUs as responsible for the change—says that, between the publication of the book and the colored version of the table, a password that it took 2.25 years to decipher it had happened to do it in just 57 days.

2021 version.

2021 version.

Obviously, no number that is measured in “millions of years” represents a security problem, but what is relevant is that they indicate a constant acceleration of the technologies that allow cracking passwords. At that rate, will we keep all our passwords safe when what they store has lost its value?