Chart indicating how strong various passwords are.
@lankohr Thanks for sharing. 😃
@lankohr @kibcol1049 I'd be curious to see the effect of using dictionary-based priors on the time scale. Seems like starting with most likely words and working outward might make this sort of thing easier to crack than it seems based on char count alone.
@hosford42 @lankohr @kibcol1049 Given the numbers given, it is assumed that the words are not human-chosen, but drawn uniformly among the 2000 most common words. 44 bits of entropy are not based on the number of characters.
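A small calculator for the entropy arithmetic in the post above, added here as an example and not part of the thread: it shows why four words drawn uniformly from a 2000-word list sit at about 44 bits no matter how many characters they contain, while a chart that counts characters and classes would credit the same string with far more. The guess rate is an assumed placeholder, not a figure from the chart or from Hive Systems.

```python
import math

# Added example, not from the thread. Computes the entropy figures the posts
# argue about: a chart rates a password by character count and character
# classes, while a passphrase drawn from a fixed word list has entropy fixed
# by the list size and word count, whatever its character length.

def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Bits of entropy for `words` words chosen uniformly from a `dictionary_size` list."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the secret offline: half the keyspace at the given rate."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit, to one decimal."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    RATE = 1e10  # ASSUMED guess rate (guesses/s) for an offline hash attack; a placeholder, not Hive's figure
    # Four words from the 2000 most common words, as in the post: about 44 bits.
    phrase_bits = passphrase_entropy_bits(4, 2000)
    # Such a passphrase is roughly 24 lowercase letters; a chart that only counts
    # characters and classes would credit it as if all 24 were uniformly random.
    chart_bits = charset_entropy_bits(24, 26)
    for label, bits in (("4 x 2000-word passphrase", phrase_bits), ("24 random lowercase", chart_bits)):
        print(f"{label}: {bits:.1f} bits, ~{format_duration(expected_crack_seconds(bits, RATE))} at {RATE:.0e} guesses/s")
```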
@kibcol1049 What interval between entering successive passwords is assumed in this analysis? Does it account for the lockout for a certain amount of time which is often experienced after successive incorrect passwords are entered?

@dissident @kibcol1049 https://www.hivesystems.com/blog/are-your-passwords-in-the-green

"The implied attack assumes that MFA is not used or has been bypassed. If you can get access to download the encrypted database, like what happens with most password databases that are stolen, you don’t need to deal with MFA (or those pesky password lockouts) when making attempts thereafter."

The 2025 Hive Systems Password Table Is Here - Passwords Are Easier to Crack Than Ever

Passwords that felt secure a year ago might not hold up in 2025. Hive Systems’ updated Password Table reveals just how much faster hackers can break into accounts today. See the latest cracking times and find out if your passwords are still safe while downloading your copy.

Hive Systems
@placebo @kibcol1049 So this only refers to accessing data that's been encrypted with a password, not to accessing say an online account?
@dissident @placebo @kibcol1049 No, it refers to being able to get your hands on a one-way encrypted database with passwords and then figuring out what the password for a certain user account, in order to use that password on either the same or another site.
@ahltorp @dissident @placebo @kibcol1049
I like this one, which is more generic...
@davep @ahltorp @dissident @placebo @kibcol1049 I like yours because n months seems a moderate (yellowish) concern. OP’s color choices seem to be fussing similarly over tens-of-thousands of years.
@InkomTech @davep @ahltorp @dissident @placebo @kibcol1049 Yeah, I really don't understand why 28k years is any more of a concern than 280k years. The only way that makes sense to me is if you're concerned about the possibility of someone using hardware 5,000 times this powerful, at which point one is reduced to a bit of a marathon while the other remains wildly impractical.
@ahltorp @dissident @placebo @kibcol1049
It would be nice if the Hive graphic showed what the number of guesses per second was for each year too. That would make the one I use even more useful.
The usual assumption is that the attacker somehow has the hash and is trying to find a password that matches the hash. That said, trying to decrypt an encoded document would be roughly similar. In contrast, guessing across a network would be very much slower (and easier to detect). @placebo @kibcol1049 @dissident
@dissident @kibcol1049 I recommend reading their explanation on their website.
It's quite interesting, imho.

@kibcol1049

I remember seeing a post on Twitter before it went to hell where a father was talking about his daughter signing up for a Disney site and when it asked for a password and it said minimum four characters. Her password was MickeyMinnieDonaldGoofy (or something like that).

That's an amazing password. It is nearly impossible to brute force, but it is really easy to remember. There are some brute force crackers that use dictionaries, so I add miscapitalization and symbols.

@csstrowbridge @kibcol1049 For passphrase brute forcing it's not at all random, so is pretty risky.

@kibcol1049

Memorable phrases are a lot easier to remember than a random string of characters, and you can also use capitalisation, numbers and other characters within them.

@riggbeck @kibcol1049 yeah but if you just use a password manager even that doesn't matter
@rardk64 @riggbeck @kibcol1049 and then you find apps and sites in 2025 limiting the number of characters to 8. Like in the times a 5MB hard disk cost $40,000 and was brought by a truck
@ar1 @rardk64 @riggbeck @kibcol1049 Or worse, limited to 4 integers, like most ATM cards.
@rardk64 @riggbeck @kibcol1049 except when you either lose the access to ALL your passwords when you lose the master password, or it corrupts or crashes, or the company that supports it stops doing so, or decides to bloat with AI, or sell your details on, or gets hacked. Password managers are a good idea, it's just the implementation.

@rardk64 @kibcol1049

I would never trust proprietary software to generate passwords. They're personal and creative, keyed to my unique memory.

@riggbeck I want my apg (drumroll)
@riggbeck @kibcol1049 you don't have to, just store them there. But also use an open source password manager
Millions stolen from LastPass users in massive attack — what you need to know

Stolen data from previous hack was used to syphon off $5.4 million from LastPass users

Tom's Guide
@jhavok @riggbeck @kibcol1049 yeah LastPass should've been abandoned like 4 years ago
@kibcol1049 This chart mistakenly sorts passwords by number of characters, not rememberability or even ease of entering. Limiting length based on the number of characters is completely irrelevant unless the system has a very small character limit, which it should never have.

@ahltorp @kibcol1049 depends how often you have to type them. My frequent ones are shortish and easy to type, the higher security ones are idiosyncratic phrases.

But the vast majority are 20 random characters via a password manager. Some exclude symbols because the target website is badly written (the best have different password code on the set and request pages)

@moz @kibcol1049 The number of characters does not directly determine how easy it is to type them. On a traditional keyboard, special characters might need two-three keypresses per character, and on a smartphone, four is not uncommon, and even numbers are normally two.
@ahltorp @moz @kibcol1049
I use a strong lower case passphrase for my password manager, and copy paste randomly generated passwords from there for login to all sites. I haven't seen any stupid ones that disable pasting for the password for a while now.

@kibcol1049

pwgen -syn 53 1|xclip -selection clipboard

@kibcol1049 Not sure why 5 billion years is still only "yellow" security
@kibcol1049 I appreciate the attempt to describe this image, thanks for that. What would help even more would be to impart some of the info in the image so that those who can't see it can learn something from it too. The chart may well be very complex, so even sharing info about the extremes of the spectrum in terms of the password's complexity and time to hack it, would add so much.
@JustinMac84
I think it would have helped if the link that is shown in the graphic would have been written within the toot.

It leads to an exhaustive explanation about how they developed the table.

hivesystems.com/password

@kibcol1049
@fasnix @kibcol1049 Yeah that would have been cool.

@kibcol1049 nope nope nope nope nope :)
This chart is highly irrelevant for end-users and very deceptive if you don’t take it into the context of the full article it illustrates.

I crack 40+ character long passwords on a regular basis.

Don’t share this chart.

ping @tychotithonus ;)

#password #passwordcracking

@patpro Agreed. It doesn’t matter how you capitalize “Password123”, it’s never going to take anyone with any experience the 14 million years claimed in the “11chars”, “upper case lower case and numbers” cell.

@kibcol1049 @tychotithonus

@kibcol1049 Assuming that the letters aren't hacker dictionary words and the numbers aren't a sequence. So not Password123
@kibcol1049 what about ca. 50 letters?
@anselmschueler @kibcol1049 Depends how random they are.
@davep @anselmschueler @kibcol1049 Surely, any brute force crack would involve incrementing through each combination of characters in order - so just pick the last one they try - probably źźźźźźźźźźźźźźźźźźźźź or something?

@stephenhomewood @anselmschueler @kibcol1049

Sshhh! You've ruined it now. The bad guys will parallelise the attacks from both ends having read this. Thanks a bunch, I'm off to change all my passwords to "mnmnmnmnmnmnmnmn".