Home Password Manager Guides How Long Does It Take To Crack A 12-Character Password?
Krishi Chowdhary Journalist Author expertise
In our content, we occasionally include affiliate links. Should you click on these links, we may earn a commission, though this incurs no additional cost to you. Your use of this website signifies your acceptance of our terms and conditions as well as our privacy policy.

Setting unbreakable passwords for all your online accounts and remembering them is tough. However, considering the increasing number of online breaches, protecting your accounts through a random mix of characters is essential. Read on to find out how long it takes to crack a 12-character password and how to create your own strong passwords.

A password manager can help you create strong passwords for all your accounts and store them for you so you don’t have to remember them.

In this article, you’ll learn how to build strong and safe passwords. Will also see how long an ideal password should be and how long it will take hackers to crack a solid password.

The Problem With Passwords

The single biggest problem with passwords is that there are too many of them. According to NordPass, an average user has around 100 active passwords. Naturally, it’s impossible to remember all of them.

As a workaround, you often set the same password for multiple accounts or reset it every time you log in.

The problem with passwords

As per Statista, 34% of users reset their password once a month, while 15% do it multiple times a week.

We also tend to set passwords that are easy to remember. However, the problem with these passwords is that they are easy to guess – many can be cracked in less than a second.

Here are some commonly used passwords, per Nord’s 5th annual report.

Password Number of uses
123456 4.5M
admin 4.0M
12345678 1.38M
123456789 1.21 million
password 0.71 million

As you can see, most of these passwords contain only numbers or lowercase letters – two of the most vulnerable forms of passwords you can set.

Weak passwords can be cracked using different methods, such as brute force attacks, dictionary attacks, and credential stuffing.

Brute force attack

Hackers use advanced bots and algorithms to guess passwords through trial and error. This method involves trying all possible permutations of a password until it is cracked. Poorly designed passwords can compromise your online accounts in minutes.

Dictionary attacks

Instead of randomly guessing all possible combinations, hackers use a ‘dictionary’ of commonly used phrases or words to crack passwords.

For instance, we may use the name of our favorite sports team as a password. In a dictionary attack, hackers will try the names of all popular sports teams, for example.

Credential stuffing

Another bad habit is taking expired passwords from one account and using them as passwords for another account. Under credential stuffing, hackers use compromised credentials leaked on the dark web to break into accounts.

For example, let’s say your Facebook account password, ‘UiTob#9369,’ has expired. You may then decide to use the same password to log in to your bank account. If the password has already been leaked on the web, hackers can use it to get into your bank account.

How Long Does It Take To Crack A Password?

Your password’s safety depends directly on its complexity. Longer passwords with a good mix of numbers and lowercase and uppercase letters are almost impossible to crack.

On the flip side, if you use only numbers or lowercase letters, it won’t be long before your account is compromised.

The table below highlights the time it would take for hackers to crack passwords of different lengths and combinations of characters.

No. of Characters Numbers Only Lowercase Letters Upper and Lowercase Letters Numbers, Uppercase and Lowercase Letters Numbers, Uppercase and Lowercase Letters, and Symbols
7 Instantly Instantly 25 seconds 1 minute 6 minutes
8 Instantly 5 seconds 22 minutes 1 hour 8 hours
9 Instantly 2 minutes 19 hours 3 days 3 weeks
10 Instantly 58 minute 1 month 7 months 5 years
11 2 seconds 1 day 5 years 41 years 400 years
12 25 seconds 3 weeks 300 years 2,000 years 34K years
13 4 minutes 1 year 16K years 100K years 2M years

An 8-character password can be cracked in a maximum of 8 hours, even when it contains a good mix of numbers, uppercase and lowercase letters, and symbols.

To answer the question, ‘How long does it take to crack a 12-character password?’, it can take hackers around 300 years if it contains a mix of both uppercase and lowercase letters.

There are several free online platforms where you can check the strength of your password, such as Security.org. Simply enter your password to find out how long it would take to crack.

The platform guarantees that the entries are 100% secure and not stored or shared with anyone.

How To Make Your Password Stronger

Strong passwords go a long way in securing your online accounts. Here are some best practices for choosing a password.

Use A Mix Of Characters

Using a mix of uppercase and lowercase letters, symbols, and numbers in your password is always a good idea. Passwords that are all letters or all numbers are much easier to guess than those that contain a mix of both.

Mathematically, when you mix the characters, hackers have to try many more permutations and combinations to crack the password, which obviously takes longer.

As you can see from the above table, a 10-character password with a good mix of characters can take around 5 years to crack. On the other hand, a 10-character numeric password can be breached almost instantly.

Use Password Managers

Nowadays, we have multiple online accounts, such as social media, bank and business portals, and health platforms. It’s always a good practice to have different passwords for each one.

Setting unique passwords and remembering them can be almost impossible. That’s why we recommend using a password manager. Password managers help you create unique passwords and remember them for you.

To access your password manager, you just have to set and remember a master password. Some password managers also come with auto-fill features that enter your password automatically whenever you access your online accounts.

False Answers To Security Questions

Many online platforms ask you to answer a security question to recover your password in case you forget it. However, we recommend not giving true answers to those security questions.

Let’s say your security question is ‘What is your pet’s name?’ The correct answer might be Bruno. However, people close to you will also know your pet’s name, or you might have posted a picture of Bruno online with his name as a caption, which makes it easier for malicious parties to crack your password.

This is why it is always a good idea to set random and unconnected answers to these questions. For instance, you can say that your pet’s name is New York, which makes it much more difficult to guess.

Set Up Two-Factor Authentication

Two-factor authentication (2FA) adds another layer of security to all your accounts. 2FA is a security measure that requires you to provide a second authentication factor in addition to your account’s password. This factor can be an OTP received as a text message on your mobile phone, a code from an authenticator app, or biometrics.

This way, even if your password is breached, hackers cannot access your account without knowing the second authentication factor. Many online accounts these days offer the security of 2FA. Sensitive accounts like your banking app must have 2FA in place.

Change Your Passwords Regularly

Security experts recommend changing your passwords every few months.

This means hackers only have a few months to access your account for nefarious reasons before you change the password, hence limiting damage. It’s why most corporations require employees to change passwords every six weeks.

Change your password regularly

However, most people often end up setting the same passwords with just a little tweak. For example, if their previous password was Rocky1, they may choose Rocky2 as their new password.

It’s hard enough to remember constantly changing passwords for one account, let alone for multiple accounts. And creating and remembering strong passwords each time is practically impossible. That’s where password managers come in.

How To Choose A Good Password Manager

Password managers are an effective solution to the password problem. These platforms create long, random passwords and store them for you. Every time you try to log into your account, the password manager helps you auto-fill your credentials.

That said, many password managers are available – both free and paid. To help you choose the right one, here are a few things to look into when choosing a password manager.


You must look into where the passwords are stored. Password managers are typically of two types: ones that store passwords locally on your device and others that save them in the cloud.

Locally saved passwords can only be accessed from the device on which they are stored. This protects you from possible online password breaches but also makes accessing your accounts from different devices difficult.

On the other hand, with cloud-based password managers, you can access your account from any device since passwords are retrieved from an online address, not a locally tied hardware device.

However, there is always a risk of password leaks, although less than locally stored passwords.

Password Limits

A password manager sometimes restricts the number of passwords you can generate and save. Considering that you might have an average of a hundred active passwords, choose a password manager to meet your needs.

Zero-Knowledge Architecture

Although most password managers nowadays follow a zero-knowledge policy, it’s a good idea to confirm this before purchasing a plan. Zero-knowledge essentially means that all your passwords are encrypted at the device level, and the provider has no knowledge of your actual passwords.

Dak Web Monitoring

Modern password managers have gone beyond their traditional use case.

Most password managers these days monitor the dark web to detect if any of your passwords have been breached. If they find such instances, they alert you immediately and prompt you to change your passwords.

It is always a good idea to look for a password manager with dark web monitoring.

Free vs Paid Password Managers

If you’re on a budget, free password managers can pull through nicely for you. They perform most basic tasks, such as suggesting strong passwords, storing an unlimited number of them, and auto-filling passwords on online web forms and login portals.

You can even check the strength of your passwords and create strong ones. For example, Google offers a free password manager for all registered users.

However, there are a handful of major drawbacks to using free managers. For instance, Google’s password manager does not operate on a zero-knowledge framework. This means that, if needed, Google can access your passwords at any time.

Google password manager

Free password managers often lack essential features like multi-device access, dark web monitoring, emergency access, and sufficient storage space for documents and sensitive files.

This is why we recommend using a paid password manager – it’s an all-in-one security suite. Nordpass, 1Password, and Dashlane are some of the best password managers on the market right now. NordPass, for example, offers both free and paid plans.

NordPass Password Manager

Paid password managers offer advanced functions like a data breach scanner, email masking, and file attachments.

NordPass’s data breach scanner constantly scans the web for any data leaks, including details such as your emails and credit cards. Similarly, the Password Health feature evaluates your passwords and tells you whether they are weak, old, or reused.

Email masking hides your email address every time you have to enter it on a website. This way, no trespasser can eavesdrop on your sensitive details.

Even better, you don’t have to break the bank when getting a paid password manager. First, these are extremely good value (remember, privacy is priceless!).

Second, almost all of them come with at least a 30-day money-back guarantee, meaning you can try them out and then decide if you want to buy them – all without risking a penny.

Here’s a table highlighting the key differences between the top password managers so you can zero in on the best one for your needs and budget.

Password Manager Starting Price Free plan Money back guarantee Key Features
NordPass $1.49/month – two-year plan Yes 30 days – Data breach scanner
– Email masking
– Family plans
1Password $2.99/month No No – Watchtower
– Travel Mode
– Privacy Virtual Cards
Dashlane $4.99/month Yes 30 days – Dark Web Insights
– Phishing Protection
– Passwordless Logins

The Future Of Authentication

Considering the menace of passwords, there is a global drive toward a passwordless future. With this objective in mind, the FIDO Alliance built passkey technology, which works on public key cryptography.

Whenever you create a new account on a website, two new keys are built: a public key and a private one.

The public key is stored on the website’s server, while the private key is stored in your authenticator, which is usually built into your device. This can be biometrics such as Touch ID or Face ID or an authenticator app such as Authy or Microsoft Authenticator.

Biometric authentication

Now, every time you log in, you don’t have to enter your credentials; the authenticator will communicate with the server and match the two keys. As a result, you only have to enter your biometric (or other authentication method you’ve set) to log into your account.

There are several reasons why this method is more secure than using passwords.

For starters, none of your private data is stored on the server. This means that even if the server is breached, hackers cannot access your passkeys.

However, in a classical username–password format, the data is stored on the server, which makes it more vulnerable to malicious third parties.

Paaskeys are phishing-proof. Under a classic phishing attack, hackers lure you to visit legitimate-looking websites and prompt you to enter your credentials. Once you do, your passwords are breached.

However, with passkeys, there are no passwords to enter. The server has to connect with the authenticator to log in. Since the website is fake, the server will not be able to make a legitimate connection.

Passkeys cannot be stolen. For example, if you use your Face ID to log into your bank account, hackers cannot steal those credentials, making it much safer than using passwords.

Key Takeaways

While passwords help protect your online accounts – and are by all accounts necessary – they are also vulnerable to breaches and leaks. Weak passwords containing only numbers or lowercase letters can be breached in seconds.

Rising security and password breaches have made it all the more important to set a strong password, preferably with 12 characters and a good mix of numbers, lowercase and uppercase characters, and symbols.

However, it’s difficult to create and remember such random passwords for all your online accounts. This is why we recommend using a dedicated password manager, which not only generates strong random passwords but also stores them for you.

They also check the strength of your passwords and alert you if any of your passwords or personal information gets leaked.

NordPass is one such password manager that offers both a full-fledged paid plan and a limited yet useful free plan if you want to get a thorough feel for the tool before committing.

We recommend the well-priced paid plan because, for just $1.49 per month, you get access to advanced features such as a data breach scanner and email masking. Moreover, there’s also a generous 30-day money-back guarantee with all its paid plans.


How strong is a 12-character password?

Can you tell how long an attacker would need to crack a 12-character password?

How long does it take a hacker to crack an 8-character password?

How strong is a 13-character password?

The Tech Report - Editorial ProcessOur Editorial Process

The Tech Report editorial policy is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. We maintain rigorous journalistic standards, and every article is 100% written by real authors.

Krishi Chowdhary Journalist

Krishi Chowdhary Journalist

Krishi is an eager Tech Journalist and content writer for both B2B and B2C, with a focus on making the process of purchasing software easier for businesses and enhancing their online presence and SEO.

Krishi has a special skill set in writing about technology news, creating educational content on customer relationship management (CRM) software, and recommending project management tools that can help small businesses increase their revenue.

Alongside his writing and blogging work, Krishi's other hobbies include studying the financial markets and cricket.