top of page

Cyber Bites

Time to Crack MD5 Hashed Passwords

How long does it take a well-equipped criminal to crack your password? If it’s 8 characters or shorter it ranges from instantly to 3 hours. If you only use numbers or only lowercase characters, it’s instant. If you used upper and lower case letters, numbers and symbols, it takes 3 hours.

The table below, from SpecOpSoft, gives the breakdown of how length and complexity drive up the time to crack.

SpecOpSoft makes an interesting point about the time it takes if you use a password that’s previously been compromised.


  1. Stay away from short, simple passwords.

  2. Don’t use common passwords which appear on lists of known, compromised passwords, no matter how long or complicated they are.

  3. Enable Multifactor Authentication so you do not depend solely on passwords for security.

Shopping list for building your own password-cracking rig:

  • Computer which can host, power, and cool four add-in video cards.

  • Four Nvidia RTX 4090 ”Gaming” Graphics Cards ($1,600 each)

  • Hashcat Software

One RTX 4090 GPU can “guess” 164 BILLION passwords a second. Graphics cards are used for password cracking because they have a large number of processing cores that can perform calculations in parallel. This makes them ideal for running complex mathematical algorithms. This is also why they are used extensively in training AI models.

Source: SpecOpSoft

Would you like a free, no-obligation Cybersecurity Benchmarking of your organization showing where you stand vs. industry-accepted practices? Click here to schedule a time with one of our associates.


bottom of page