
What Is a Brute‑Force Attack and How to Protect Your Passwords in 2026

When people imagine “hackers cracking passwords”, they usually picture a brute‑force attack: a program trying billions of combinations per second until it finds the right one. This image is not far from reality — but the details matter.

In this guide we explain, in clear language, how brute‑force attacks work in 2026, what makes a password vulnerable, and what you can do to make brute‑forcing your passwords essentially impossible.

🔍 What is a brute‑force attack?

A brute‑force attack is a method where an attacker tries every possible combination of characters until they find the one that matches your password. It is the purest form of “guess until you win”.

In practice, attackers rarely rely on pure brute force; they combine it with smarter strategies (wordlists, common patterns, mangling rules) that try the likely candidates first. Those shortcuts only shrink the search. The size of the full space still sets the upper bound on the attacker's work, which is why it defines the security of a truly random password.

🌐 Online vs offline brute‑force attacks

There are two very different scenarios:

  • Online brute‑force: guessing the password directly against a website's login form. Rate limiting, IP blocking and account lockouts keep this to a handful of guesses per account, so it only works against very weak or very common passwords. Note that a per‑account lockout does not stop an attacker who tries a few popular passwords against many accounts instead (password spraying).
  • Offline brute‑force: attacking a stolen database of password hashes on the attacker's own hardware. There are no rate limits here; the only brake is the cost of the hash function itself, and for fast hashes that means billions of guesses per second.

Modern password cracking benchmarks and “time to crack” tables refer almost exclusively to the offline scenario.

📊 The math behind crack times

The total number of possible passwords is:

N = S^L

where S is the size of the character set (26 for lowercase letters only, 10 for digits only, 95 for all printable ASCII) and L is the length.

The time to exhaust that space is about N / R, where R is the number of guesses per second the attacker can make. On average the right password turns up after trying half the space, so the expected crack time is N / (2R); either way the conclusion below is the same.

In 2026, a single consumer‑grade GPU can reach 10⁹–10¹¹ guesses per second against fast hashes such as MD5 or SHA‑1, and a cracking rig stacks several GPUs. Against a properly configured slow hash (see the defences below) the same hardware manages orders of magnitude fewer. That is why short passwords stored with a fast hash die instantly.

Takeaway: each extra character multiplies the search space by S. Going from 8 to 16 characters doesn't "double" security: for the full 95‑character alphabet it multiplies the work by 95⁸ (roughly 6.6 × 10¹⁵). At 10¹¹ guesses per second an 8‑character password falls in under a day, while the 16‑character one would take on the order of 10¹³ years.
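The formula above is easy to get a feel for by running it. The following script is an added example for this guide, not code from GenerarPassword: it computes N = S^L, the same value in bits, and N / R for the online scenario, the offline fast‑hash scenario and a slow‑hash scenario from the two sections above. The 10¹¹ rate is the top of the range quoted here for a fast hash on one GPU; the 10 guesses/s online figure and the 10⁴ guesses/s slow‑KDF figure are illustrative assumptions, not measurements of any real service or cracking rig.

```python
import math

# Alphabet sizes S used in the article's formula N = S^L.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}

# Guess rates R in guesses per second. The GPU figure is the top of the
# article's 10^9-10^11 range for a fast hash such as MD5 or SHA-1; the online
# and slow-KDF figures are illustrative assumptions for this example, not
# measurements of any real service or cracking rig.
RATES = {
    "online login form, rate-limited (assumed 10/s)": 10,
    "offline, fast hash on one consumer GPU (10^11/s)": 10**11,
    "offline, slow KDF such as bcrypt/Argon2 (assumed 10^4/s)": 10**4,
}

YEAR = 365.25 * 24 * 3600


def keyspace(S: int, L: int) -> int:
    """N = S^L: the number of candidate passwords of length L over an alphabet of size S."""
    return S ** L


def entropy_bits(S: int, L: int) -> float:
    """The same search space expressed in bits: log2(N) = L * log2(S)."""
    return L * math.log2(S)


def seconds_to_exhaust(S: int, L: int, R: float) -> float:
    """Worst-case time N / R to try every candidate at R guesses per second.
    A random password is found, on average, after half of that."""
    return keyspace(S, L) / R


def length_multiplier(S: int, L_from: int, L_to: int) -> int:
    """How many times larger the search space gets when a password grows from
    L_from to L_to characters: S^(L_to - L_from), not the ratio L_to / L_from."""
    return S ** (L_to - L_from)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, 3 significant figures."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(lengths=(8, 12, 16, 20)) -> list[tuple[str, int, str, str]]:
    """(charset, length, rate label, worst-case time) for every combination."""
    rows = []
    for cname, S in CHARSETS.items():
        for L in lengths:
            for rname, R in RATES.items():
                rows.append((cname, L, rname, human(seconds_to_exhaust(S, L, R))))
    return rows


if __name__ == "__main__":
    print(f"8 -> 16 printable-ASCII characters multiplies the search space "
          f"by 95^8 = {length_multiplier(95, 8, 16):,}")
    for cname, L, rname, t in crack_table():
        print(f"{cname:<24} L={L:<3} {rname:<58} {t}")
```

Two things stand out in the output: the 8‑character printable‑ASCII row drops from around 18 hours at 10¹¹ guesses/s to over two hundred thousand years at the assumed slow‑KDF rate, which is the whole argument for slow password hashing, and the 16‑character rows are out of reach at every rate, which is the argument for length.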

🛡️ Defences: how to make brute‑force unfeasible

You cannot stop attackers from trying, but you can make the math incompatible with reality:

  • Use long passwords: for important accounts, aim for 16–20+ characters. Length is the dominant factor, since every extra character multiplies the search space by S.
  • Use all character types: uppercase, lowercase, digits and symbols increase S, but a few extra characters do more than a larger alphabet (26²⁰ is far larger than 95⁸), so never trade length for complexity.
  • Avoid dictionary words, keyboard walks and predictable patterns: these are what wordlist and rule‑based attacks try first, and they never need to cover the full space. A randomly generated password or passphrase sidesteps them.
  • Prefer services that use slow, salted password hashing (bcrypt, Argon2, or PBKDF2 with a high iteration count) instead of fast hashes like MD5 or SHA‑1: each guess then costs the attacker as much work as a legitimate login, which cuts R by orders of magnitude.
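What "strong password hashing" means in code, as an added example written for this guide rather than anything from GenerarPassword: the weak scheme (unsalted MD5, one cheap operation per guess) next to a salted, iterated PBKDF2‑HMAC‑SHA256 scheme using only the Python standard library. The iteration count and salt size are parameters chosen for this example (600,000 iterations follows the current OWASP recommendation); the record format `pbkdf2_sha256$iterations$salt$digest` is likewise this example's own convention. bcrypt and Argon2 would be equally good choices but need third‑party packages.

```python
import hashlib
import hmac
import os

# Work-factor parameters chosen for this example (not values the article gives).
# 600,000 PBKDF2-HMAC-SHA256 iterations follows the current OWASP recommendation;
# the salt is 16 random bytes generated per stored password.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_hash(password: str) -> str:
    """The weak scheme: unsalted MD5. One cheap operation per guess, and every
    user with the same password gets the same digest, so one crack reveals all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The stronger scheme: a fresh random salt and a slow, iterated KDF.
    Returns a self-describing record so the work factor can be raised later:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (example format)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and parameters and compare in
    constant time, so response timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def attacker_rate(record: str, fast_hash_rate: float) -> float:
    """Upper bound on offline guesses per second against a PBKDF2 record for an
    attacker who can compute `fast_hash_rate` single hashes per second: each
    guess now costs `iterations` HMAC computations instead of one cheap hash
    (the real rate is lower still, since HMAC-SHA256 is slower than MD5)."""
    iterations = int(record.split("$")[1])
    return fast_hash_rate / iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("MD5, two users, same password:", fast_hash(pw) == fast_hash(pw))
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("PBKDF2, two users, same password, same record:", rec_a == rec_b)
    print("verify correct:", verify_password(pw, rec_a))
    print("verify wrong:  ", verify_password(pw.title(), rec_a))
    print(f"GPU doing 1e11 MD5/s manages at most {attacker_rate(rec_a, 1e11):,.0f} "
          f"PBKDF2 guesses/s against this record")
```

The per‑user salt is what stops an attacker from hashing each guess once and comparing it against the whole stolen table, and the iteration count is what moves R from the 10¹¹ fast‑hash figure above down to the low hundreds of thousands per GPU. Raising the iteration count later only requires rehashing at the user's next successful login, which is why the record carries its own parameters.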

⚡ See how length changes crack time

Our guides on strong passwords and crack‑time tables show how simply adding characters turns brute‑force from a real threat into a theoretical one.


🎯 Practical recommendations for 2026

  • Use at least 16 characters for email, banking, cloud storage and your password manager.
  • Never reuse passwords — combine length with uniqueness.
  • Enable Two‑Factor Authentication so that even a cracked password is not enough.
  • Regularly check if your credentials appear in breaches using email leak checkers.

About GenerarPassword

We translate cryptography and password‑cracking research into simple rules you can apply right now: longer, unique, randomly generated passwords stored in secure managers and protected by 2FA.