Serious Discussion Do longer passwords protect you from compromise? [New research by Specops]


Thread author
Staff Member
Jan 8, 2011
New research from Specops Software has found that even passwords 15 characters long make it into the top ten of the most common password lengths to be compromised (placing eighth). The most compromised length was eight characters, accounting for 212.5 million out of four billion in the company's Breached Password Protection Database.
Specops calculates that cracking an eight-character password, even one that contains numbers and both upper- and lower-case characters, can take a mere five minutes. On the other hand, a 15-character password can take up to 37 million years to crack.

However, the report warns that this "shouldn't give organizations a false sense of security, as this is only part of the password security battle." For instance, it won't matter if the credentials are stolen via phishing attacks.
Story via Bad news - turns out even long passwords can be cracked easily

We wanted to know the most common length of a compromised password, and how many longer passwords were being breached. To find out, the Specops research team analyzed the lengths of over 800 million compromised passwords (a subset of our larger Breached Password Protection list of over 4 billion unique compromised passwords). For the purpose of this research, we considered a password over 12 characters to be long.

Compromised password lengths: The results

In descending order, these are the eight most common lengths for compromised passwords. As expected, 8 characters (212.5 million total compromised passwords were 8 characters exactly) is at the top – likely because it is the default password length in Active Directory. You can also see that as character length increases, the total amount of compromised passwords decreases. However, this doesn’t mean we’re talking small numbers.

  1. 8
  2. 10
  3. 9
  4. 11
  5. 12
  6. 13
  7. 14
  8. 15
The below table shows how many compromised passwords we found above five given lengths. If we’re counting 12 and over as a ‘longer password’ then 121.5 million compromised passwords were found to be long. As you can see, the number of compromised passwords does decrease as character length increases, but there are still 31.1 million compromised passwords over 16 characters in length.

This shows that having longer passwords doesn’t protect you from attacks. Even if the total numbers are smaller compared to 8-character passwords, these numbers still represent tens of millions of opportunities for attackers to breach organizations using longer passwords.

Blog: [New research] Do longer passwords protect you from compromise?

ForgottenSeer 103564

There are brute force attacks, social engineering, malware ("Key Logging/Screen Scrapers") and, as stated, phishing. Grabbing the hash for cracking tools, etc. Using a GPU, as already stated, or even a botnet can certainly speed up the process. There are plenty of free tools available for cracking passwords. One's best bet is to make them substantially harder to crack by using enough symbols and different characters. Using reliable password managers helps with creating and storing them, and if applicable, always use two-factor authentication as it will be a serious pain in the arse for any hacker.


Level 82
Top Poster
Mar 29, 2018
This guy's done the math and keeps it simple!
Here are the test results for one of my passwords:
Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario:
(Assuming one thousand guesses per second)
2.94 hundred trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
2.94 million trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
2.94 thousand trillion centuries
And this is using only two of four categories: upper case, lower case, numbers and symbols!

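An added example, not part of any post in this thread: it reproduces the exhaustive-search estimate for the three guess rates quoted in the post above and pairs it with a breached-list lookup, because a password that already sits on a compromised list is not protected by its search-space size. The function names, the constructed sample list, the printable-ASCII alphabet and the 12-character threshold (taken from the research's definition of "long") are assumptions.

```python
import hashlib
import string

# Guess rates (per second) from the three scenarios quoted in the post above.
SCENARIOS = {"online": 10**3, "offline_fast": 10**11, "cracking_array": 10**14}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
MIN_LENGTH = 12  # assumption: the research counts 12 and over as "long"

def _digest(password):
    # Hash used only as a lookup key for the sample list below.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample standing in for a breached-password database.
BREACHED = {_digest(p) for p in ("password", "Qwerty123456789", "Summer2023Summer!")}

def alphabet_size(password):
    """Sum the sizes of the printable-ASCII classes the password draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    return sum(len(c) for c in classes if any(ch in c for ch in password))

def search_space(password):
    """Number of strings of length 1..len(password) over the detected alphabet."""
    a = alphabet_size(password)
    return sum(a**n for n in range(1, len(password) + 1))

def centuries_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY

def assess(password):
    """Length-based estimate plus the breached-list check that overrides it."""
    breached = _digest(password) in BREACHED
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "centuries": {name: centuries_to_exhaust(password, rate)
                      for name, rate in SCENARIOS.items()},
        "breached": breached,
        # A listed password is tried from the list, not by exhaustive search,
        # so the estimate above says nothing about it.
        "acceptable": len(password) >= MIN_LENGTH and not breached,
    }

if __name__ == "__main__":
    for pw in ("Qwerty123456789", "vZ4kPq9TnW2xLm7"):  # constructed samples
        result = assess(pw)
        print(pw, result["breached"], result["acceptable"],
              f"{result['centuries']['offline_fast']:.3g} centuries offline")
```

Both sample passwords are 15 characters from the same three character classes and get the same search-time estimate; only the list lookup tells them apart.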

Level 10
Jun 6, 2017
If a database is hacked and the passwords are stored in plain text then it doesn't matter how long or complex the passwords are.

I think this is why the research shows so many long passwords being compromised. Unless some of the passwords are based on dictionary words (making them very simple to break) or are re-used passwords that were already on dark-web lists?

However, if a database is hacked and the passwords are strongly encrypted, then longer and complex passwords will almost certainly remain safe. Realistically, it is only short and simple passwords (or those based on dictionary words) that would be vulnerable to cracking.


Level 23
Content Creator
Jan 29, 2017
Don't get too comfortable. This data is based on today's computational power, which is growing exponentially. Within 5 years, 16-character passwords will drop in seconds.
