Which password length can be considered "safe" these days?

edited January 8 in Off-topic

Considering someone isn't on a budget and can run 5000 cloud GPU instances for a month... what length would be "uncrackable"? How'd you actually calculate?

I'm talking about offline cracking only, standard hashing algo like SHA256.

Happy to hear your thought!

Hack The Box


  • Two native language words, one foreign language word, some numbers, and special chars in between each of the aforementioned character groups. 16 chars minimum in my opinion, but passwords and 2FA don't mean anything anymore considering that state actors can see anything they want with stuff like Blue Coat proxies.

    Sidechannel and MITM > cracking.

    Why pay for compute time in GCP or AWS when you can just utilize humans to pave your way to success :p

  • The complexity of the passwords and their unpredictability (e.g. lack of patterns) also affects how quickly they can be cracked using offline password cracking. If you assume lack of patterns and a set of characters used (upper/lower alphanumeric, numbers, special characters), it should be possible to estimate an average case scenario if you know the throughput one can achieve with 5000 GPU cloud instances.


  • 16 chars minimum in my opinion

    Which is the maximum of Android disc encryption pass length, one of the reasons I was asking.

    Sidechannel and MITM > cracking.

    Happy to read some elaboration of the matter, links, etc.

    if you know the throughput one can achieve with 5000 GPU cloud instances.

    Assume 20.000 GTX 1080s and an engineer capable of perfect parallelization, just like you did assuming the best case scenario. So we'd imagine these 20.000 GPUs are in one PC running hashcat, and we have the most secure, patternless password possible. Again, my question is about calculating / estimating.

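As an added worked example (not code from any poster in this thread), here is the arithmetic the question keeps asking for: the brute-force keyspace is charset_size ** length, and on average half of it has to be searched, so expected time = keyspace / 2 / cluster_throughput. The per-GPU SHA-256 rate and the 20,000-GPU cluster below are assumptions used purely as inputs; the script also works the problem backwards and reports the shortest length that keeps a one-month run under a chosen success probability. Note that the hash choice is just the throughput parameter: a slow KDF such as bcrypt or Argon2 lowers hashes_per_second by several orders of magnitude, which is why the same length is far safer behind one of those than behind raw SHA-256.

```python
import math

# Assumed raw SHA-256 rate for a single GTX 1080 in a hashcat-style
# attack (order of a few GH/s). This is an assumption, not a measurement.
ASSUMED_SHA256_RATE_PER_GPU = 2.9e9  # hashes per second

PRINTABLE_ASCII = 95                 # upper, lower, digits, 33 symbols
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords for a patternless password."""
    return charset_size ** length


def bits_of_entropy(charset_size: int, length: int) -> float:
    """Same keyspace expressed as bits: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def cluster_rate(gpu_count: int, per_gpu_rate: float) -> float:
    """Throughput of a perfectly parallelised cluster (the thread's best case)."""
    return gpu_count * per_gpu_rate


def expected_crack_seconds(charset_size: int, length: int,
                           hashes_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at full throughput."""
    return keyspace(charset_size, length) / 2 / hashes_per_second


def success_probability(charset_size: int, length: int,
                        hashes_per_second: float, budget_seconds: float) -> float:
    """Fraction of the keyspace an attacker can search within the time budget."""
    guesses = hashes_per_second * budget_seconds
    return min(1.0, guesses / keyspace(charset_size, length))


def min_length_for_budget(charset_size: int, hashes_per_second: float,
                          budget_seconds: float, max_probability: float = 0.5) -> int:
    """Smallest length whose keyspace keeps the attacker's success chance
    within the budget at or below max_probability."""
    length = 1
    while success_probability(charset_size, length, hashes_per_second,
                              budget_seconds) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    # Scenario from the thread (as assumptions): 20,000 GPUs, one month, SHA-256.
    rate = cluster_rate(20_000, ASSUMED_SHA256_RATE_PER_GPU)
    month = 30 * SECONDS_PER_DAY

    for length in (8, 10, 12, 16):
        years = expected_crack_seconds(PRINTABLE_ASCII, length, rate) / SECONDS_PER_YEAR
        print(f"{length:2d} chars, {bits_of_entropy(PRINTABLE_ASCII, length):5.1f} bits: "
              f"avg {years:.3g} years, p(success in 1 month) = "
              f"{success_probability(PRINTABLE_ASCII, length, rate, month):.3g}")

    # Inverse question: how long must a printable-ASCII password be so that a
    # one-month run has at most a 1-in-a-million chance of finding it?
    print("minimum length:",
          min_length_for_budget(PRINTABLE_ASCII, rate, month, max_probability=1e-6))
```

Run it as-is to see the table; change ASSUMED_SHA256_RATE_PER_GPU or the GPU count to model a different attacker, and replace the rate with a KDF benchmark figure to compare a properly hashed store against raw SHA-256.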
