The Scale of Modern Cracking Hardware

A consumer-grade GPU can test billions of password hashes per second against common algorithms. A dedicated cracking rig with multiple high-end GPUs can reach hundreds of billions of guesses per second. Cloud computing allows attackers to rent this capability cheaply and scale it on demand for valuable targets.

The Mathematics of Length

An 8-character password using 95 printable ASCII characters has 95^8 = 6.6 quadrillion combinations. At 100 billion guesses per second, that's exhausted in about 18 hours. A 12-character password has 540 quintillion combinations — 770 years at the same rate. A 16-character password is effectively uncrackable by brute force for centuries.

Why Online vs Offline Cracking Differs

Against live services, brute force is rate-limited by lockout policies and CAPTCHA. Attackers typically only attempt a few common passwords per account online. Offline cracking happens when an attacker steals a hashed password database — they can then crack at full GPU speed with no rate limiting. This is the scenario where length truly matters.

The Threshold for Real Security

For offline brute force against current hardware, 80+ bits of entropy is a practical minimum for sensitive accounts. For a password drawn uniformly at random from the full 95-character printable ASCII set, that corresponds to roughly 12-13 characters. For long-term security or very sensitive data, 100+ bits (16+ characters) provides a comfortable margin against foreseeable hardware improvements.
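As an added example (not part of the original article), the arithmetic from the length, online-vs-offline and threshold sections above, turned into a small calculator: keyspace, entropy in bits, the shortest length that reaches a target entropy, and worst-case exhaustion time at the page's 100 billion guesses/second offline rate versus an assumed lockout-limited online rate of 10 guesses/second.

```python
import math

PRINTABLE_ASCII = 95  # size of the printable ASCII alphabet used in the article


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a random password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:,.0f} years"


if __name__ == "__main__":
    OFFLINE = 1e11  # 100 billion guesses/second: the multi-GPU rig from the article
    ONLINE = 10.0   # assumed: a lockout- and CAPTCHA-limited login endpoint
    for length in (8, 12, 16):
        print(f"{length} chars: {entropy_bits(PRINTABLE_ASCII, length):.1f} bits, "
              f"offline {human_duration(seconds_to_exhaust(PRINTABLE_ASCII, length, OFFLINE))}, "
              f"online {human_duration(seconds_to_exhaust(PRINTABLE_ASCII, length, ONLINE))}")
    for bits in (80, 100):
        print(f"{bits} bits needs {min_length_for_bits(PRINTABLE_ASCII, bits)} random chars")
```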

Key Takeaway

The numbers make it clear: password length is your most powerful defense against brute force attacks. A randomly generated 16-character password will not be cracked by brute force in your lifetime with any foreseeable hardware.