2026-01-10
Why 12 Characters is the New Security Minimum in 2026
The Rise of GPU Clusters
In the early 2000s, cracking an 8-character password might have taken years on a standard CPU. Today, a modern consumer GPU (like an NVIDIA RTX 5090) can calculate billions of hashes per second. Attackers don't just use one; they chain dozens together.
Offline vs. Online Attacks
It's important to understand the difference:
- Online Attack: The attacker tries to guess your password on the login page (e.g., Gmail). This is slow because Gmail will block them after 3-5 failed attempts.
- Offline Attack: If a database is leaked (like LinkedIn or Adobe), hackers download the file containing "hashes" (one-way fingerprints of the passwords). They can then run cracking software on their own supercomputers 24/7 without anyone stopping them. This is where length matters.
The Numbers (Time to Crack)
- 8 Characters: Instantly to 2 hours.
- 10 Characters: 1 - 4 weeks.
- 12 Characters: 50 - 200 years.
Future Proofing (Moore's Law)
Warning: Computers get roughly 2x faster every 18 months. A password that takes 10 years to crack today might take only 1 year in the near future.
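The arithmetic behind "The Numbers" and the Moore's Law warning, as an added example (not code from the original post). It models exhaustive search of a randomly chosen password; the 95-character alphabet, the 1e11 hashes/s rate and all function names are assumptions, so the printed figures are illustrative rather than a reproduction of the table above.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def static_years(length, rate, alphabet=95):
    """Worst-case years to try every password of `length` random characters
    drawn from `alphabet` symbols, at a constant `rate` in hashes per second."""
    return alphabet ** length / rate / SECONDS_PER_YEAR

def years_with_doubling(years_today, doubling=1.5):
    """Years the same search takes if the attacker starts now and keeps
    upgrading, with speed doubling every `doubling` years.
    Work done by time t is r0*d/ln2 * (2**(t/d) - 1); set equal to r0*years_today."""
    return doubling * math.log2(1 + years_today * math.log(2) / doubling)

def years_until(years_today, target_years, doubling=1.5):
    """How long until hardware is fast enough that a search costing
    `years_today` now costs only `target_years` at a constant rate."""
    return doubling * math.log2(years_today / target_years)

def min_length(target_years, rate, alphabet=95, doubling=1.5):
    """Shortest random password that survives `target_years` of search
    by an attacker whose speed keeps doubling."""
    length = 1
    while years_with_doubling(static_years(length, rate, alphabet), doubling) < target_years:
        length += 1
    return length

if __name__ == "__main__":
    RATE = 1e11  # assumed cluster speed (hashes/s) against a fast hash
    for n in (8, 10, 12, 16):
        today = static_years(n, RATE)
        print(f"{n:2d} chars: {today:.3g} years at today's rate, "
              f"{years_with_doubling(today):.3g} years with doubling")
    print(f"10-year job becomes a 1-year job in {years_until(10, 1):.1f} years")
    print("length needed to hold for 10 years:", min_length(10, RATE))
```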
The Verdict
Stop using 8-character passwords. It's like locking your house with a zip-tie. 12 characters is the new floor. For critical accounts (Banking, Email), aim for 16+ characters.