How long would it take to guess your password?

Posted on January 26, 2017


We’re constantly reminded today of the need to make our passwords as difficult to guess as possible, but why is this so important, and how much difference does it make if you choose a password that’s a little bit more imaginative than, well, ‘password’?

If your password is one of the 50 most popular of 2016, it would probably not take very long at all to guess it because these are among the first that will be tried by a hacker, or any kind of script built for the purpose of unlocking passwords. Surprisingly, ‘password’ is now as low as eighth, perhaps because it’s becoming increasingly uncommon for account hosts to allow such simplistic passwords. Naïve internet users continue to go for the very obvious and unimaginative though, and we saw last summer that even digital experts like Facebook CEO Mark Zuckerberg aren’t averse to choosing some foolishly basic passwords.

You leave yourself far less open to malicious intent if you make your passwords alphanumeric, and a little more random than simply ‘123qwe’. If you struggle to come up with anything yourself, you could use a tool like’s Password Generator, which will come up with some randomly generated passwords with a bit more obscurity to them. You can choose passwords of any length from 6 to 24 characters, and ask it for as many as 100 passwords in one go.

I decided to ask it for a password of 8 characters (this is often the minimum allowed) and it came back with:

w6VPdUKc

The tool uses upper and lower case letters and numbers to come up with the passwords, which gives it a total of 62 possible characters with which to compose them. However, it points out that “easily mistaken” characters are not used, and hence the digit zero (0), the upper and lower case letters O and I, and the lower case L all don’t make the cut. This knocks the number of available characters down to 56.

So, what’s the chance of someone correctly guessing ‘w6VPdUKc’ if they know you’ve used to conjure your password up? Well, each character has a one in 56 chance of being correctly guessed, so even the chances of correctly guessing the lower case ‘w’ at the start are just one in 56 – less likely than correctly guessing a card taken at random from a shuffled pack.

To work out the odds of getting the whole password right, you have to think back to maths lessons in school and remember ‘powers of’. If each of the 8 characters has a one in 56 chance of being correctly guessed, your sum is 56 to the power of 8, or eight 56s multiplied together. This gives you an enormous figure in excess of 96 trillion.

If we’re being ridiculous and we pretend that a person is physically sitting there and typing one password after another in, then even if they entered them at a rate of one per second, it would take them over three million years to exhaust all the possibilities.

Of course, a bot designed for hacking would be able to do it a lot more quickly. In fact, a tool on the website of software company BetterBuys reckons our randomly generated password could be cracked in a little over seven months.
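As an added example (not part of the original article, and not the code of the generator it describes), the Python below rebuilds the 56-character alphabet described above, draws a password from it, and reproduces the keyspace and one-guess-per-second figures. The function names and the use of the `secrets` module are assumptions; the article does not say how the tool picks its characters.

```python
import math
import secrets
import string

# The 62 letters and digits minus the six "easily mistaken" characters
# the article lists: 0, O, o, I, i and l.
AMBIGUOUS = set("0OoIil")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in AMBIGUOUS)


def generate(length: int) -> str:
    """Draw each character uniformly using the OS CSPRNG (assumed method)."""
    if not 6 <= length <= 24:  # the length range the article's tool offers
        raise ValueError("length must be between 6 and 24")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of equally likely passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the average is half this."""
    seconds = keyspace(length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(generate(8), f"({entropy_bits(8):.1f} bits)")
    print(f"{keyspace(8):,} possible 8-character passwords")
    print(f"{years_to_exhaust(8, 1):,.0f} years at one guess per second")
    print(f"{len(str(keyspace(24)))} digits in the 24-character keyspace")
```

The figures only hold when every character is chosen uniformly at random; a password a person picks from the same alphabet has far fewer realistic candidates.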

A longer password, of course, increases your protection. If we increase the length to the maximum of 24 characters, gives us the following string:

nT3eZtaSwVJ9BePZevgyp4jX

There are 56 to the power of 24 different password possibilities now, which comes to a 42-digit number. To help you get your head around that, the estimated number of atoms on earth is 51 digits long. Of course, if you use other characters, like the pound sign or question mark, you’re making your password even more solid, but the BetterBuys tool thinks this password is infinitely uncrackable as it is.

This may seem like boring number crunching to many, but I find big numbers and probability fascinating. It reminds me of the likes of the infinite monkey theorem, which states that if you put enough monkeys in front of enough typewriters and gave them enough time, you would eventually get them to reproduce the entire works of William Shakespeare. Using this simulator, however, you can see that even one five-letter word of your choice is only likely to turn up once in around 12 million characters, so the odds of producing even a full line of Shakespearean text are unimaginably small.

Of course, the problem with obscure passwords is that they’re not as easy to remember as obvious ones, but consider coming up with some kind of mnemonic to help you memorise them. For example, ‘w6VPdUKc’ could be something nonsensical like “when six Vietnamese penguins dodged UK customs”. Alternatively, you could take a phrase more familiar to you and turn it into an alphanumeric string.

However, please don’t now use ‘w6VPdUKc’ or ‘nT3eZtaSwVJ9BePZevgyp4jX’, as the fact that we’ve just written a password-related article about them makes them a lot more guessable. At the time of writing, neither of those passwords brings up any results in a Google search, but once this has been published, they should both bring up at least one.

Don’t worry though – if you’re going for 24-character passwords, the good news is that there are still 904,716,785,818,481,122,446,300,007,835,278,136,836,095 to choose from!

John Murray

Content Team Leader at Engage Web
John works for Engage Web as a Content Team Leader and regularly contributes to the website and programmes of his beloved Chester F.C.
