Let’s face it, a good password **never** needs to be longer than 20-40 characters.

As of 2023, even a 15-character password is beyond the brute-force abilities of the entire human race.

Here, we’ll start with the fundamentals of measuring password strength, and then demonstrate the range of hackable password lengths – from solo hackers to entire nations, all the way up to a galactic superpower.

## Caveats abound#

This discussion mainly applies to randomly generated passwords with a large character set^{1} since memorable
passwords are generally quite insecure. Predictable patterns are simply easy to guess.

For example, an English word in a password contributes ~16 bits of entropy (a measure of information or password strength), equivalent to 2-3 ASCII characters.

If your password looks anything like `PronounceCoauthor1984!`

, it’s about as secure as `k^D5]`

and can be broken
pretty quickly.^{2} And that’s a lot better than most passwords I see.

Indeed, in my experience, a frightening number of users’ passwords can be broken in seconds on a consumer-grade desktop. Such attacks typically start with massive lists of popular passwords from prior leaks and common words in many languages. Then, they add special characters, tweak capitalization, and make other modifications as needed.

## The concept of security level#

Cryptographic security is like building a lock that only the right key can open. The strength of the lock depends on how many different keys an attacker would have to try to break in.

Roughly speaking, if a cryptographic scheme has “128-bit security”, then an attacker would need to perform
\( 2^{128} > 3 \cdot 10^{38} \) operations to decrypt it. That’s **300 trillion trillion trillion**.

Many HTTPS connections provide precisely this level of security for the communication channel, even for some large U.S.
banking websites.^{3} The data sent over those connections can be very sensitive and those companies apparently believe
128 bits is sufficient to protect it.

There are 95 characters in the printable ASCII set, so any password over \( \log_{95}(2^{128}) = 128 / \log_2(95) < 20 \) characters is completely useless in this context. At that point, the cryptographic methods used to secure the data become the weakest link, and it is simply easier to break the encryption primitive than attack the password itself.

The most secure common encryption methods provide 256 bits of security, which is exponentially more secure.^{4} In other
words, breaking a 256-bit scheme is as challenging as breaking 300 trillion trillion trillion 128-bit ones.

## The limits of a typical online attack#

Now, lets look at the limits of what a practical attack could look like.

An online service should have rate limiting so you can’t try a hundred passwords all at once, but let’s say that the implementation is poor or there is an unknown exploit allowing you to check password validity as often as the network allows.

Assuming one guess per millisecond over an entire year, you can break ~35 bits of security. $$ \left(1 \text{ kHz}\right) \cdot \left(1 \text{ year}\right) \approx 2^{34.9} \approx 3.2 \cdot 10^{10} $$

That is less than the entropy of `keV#]i`

, a 6-character password.

However, the real concern is in an offline attack where someone has gained access to a database leak or exfiltrated data from the servers themselves. In those cases, you can easily test passwords with all the computational power you have on hand and never have to worry about network delays.

## The limits of practical offline attacks#

For simplicity and conservativeness, we’re going to assume that a key can be checked in a password hash or encryption scheme in a single floating point operation. This is pretty unrealistic, but perhaps the attacker has procured specialized ASICs specifically to attack you or a service that you use.

### A lone hacker#

As a baseline, you can get up to ~7 TFLOPS of FP32 performance per $100 through an Arc A750, RX 7900 XTX, or RTX 4060 Ti.

Let’s say a lone hacker has $10k to throw around and salvages the rest of their rigs for free from tech recycling or theft. They also siphon free electricity directly from the grid or an unsuspecting industrial company. In our idealized scenario, this yields a guess rate of 700 THz.

Over 1 year, they can break ~74 bits of security. $$ \left(700 \text{ THz}\right) \cdot \left(1 \text{ year}\right) \approx 2^{74.2} \approx 2.2 \cdot 10^{22} $$

For reference, that’s under the entropy of `iDif2$isXM&:`

, a 12-character password.

Realistically, common attacks just run through every credential in a leak and exploit the users with the weakest passwords. If a hacker is willing to spend a year cracking yours in particular, you are probably a high profile individual and have much bigger issues to worry about.

### A state actor#

Since 2018, multiple supercomputers and public distributed systems have achieved performance above 1 exaFLOPS (1 million TFLOPS). It is reasonable to suspect this is within the abilities of the major superpowers of the world, especially through botnets and classified supercomputers. In fact, the U.S. was planning such systems as far back as 2007-2008.

As of June 2023, the United States has at least 3.5 EFLOPS of (non-distributed) supercomputing power.^{5}

Over 1 year, this would break ~87 bits of security. $$ \left(3.5 \text{ EHz}\right) \cdot \left(1 \text{ year}\right) \approx 2^{86.5} \approx 1.1 \cdot 10^{26} $$

This could break `y1V"5)C{Kqam=`

, a 13-character password, but nothing more.

Huge distributed systems can be more powerful, but are unlikely to be controlled by a single entity. That said,
people have managed to run requests on AWS that would have ranked as one of the most powerful supercomputers in the
world.^{6}

### The global computing power#

It is difficult to estimate the total computing power of the human race, but it is likely below 10 zettaFLOPs (i.e., 1
thousand ExaFLOPS).^{7} For comparison, the hash rate of the entire Bitcoin network is currently ~500 EHz.

Over 1 year, this would break ~98 bits of security. $$ \left(10 \text{ ZHz}\right) \cdot \left(1 \text{ year}\right) \approx 2^{98.0} \approx 3.2 \cdot 10^{29} $$

This could almost break `+-5{;C:pPf?JcPy`

, a 15-character password with ~98.5 bits of entropy.^{8}

### The limits of physics#

There is a sci-fi concept called a Matrioshka brain, which is a massive structure that would consume the entire energy output of a star to power a supercomputer of unbelievable strength.

With the power output of our Sun, operating
at the theoretical limit of energy consumption and
the theoretical limit of thermodynamic efficiency, you can achieve
\({\approx}1.45 \cdot 10^{49}\) Hz of processing power.^{9} Scaling up to the luminosity of the entire Milky Way
galaxy yields \({\approx} 3 \cdot 10^{60}\) Hz of processing power.

Over 1 year, the Sun’s brain breaks ~188 bits of security, $$ \left(1.45 \cdot 10^{49} \text{ Hz}\right) \cdot \left(1 \text{ year}\right) \approx 2^{188.2} \approx 4.6 \cdot 10^{56} $$ and the Milky Way’s brain breaks ~226 bits of security. $$ \left(3 \cdot 10^{60} \text{ Hz}\right) \cdot \left(1 \text{ year}\right) \approx 2^{225.8} \approx 9.5 \cdot 10^{67} $$ Over the entire age of the universe, the Milky Way’s brain breaks ~260 bits of security. $$ \left(3 \cdot 10^{60} \text{ Hz}\right) \cdot \left(13.8 \text{ billion years}\right) \approx 2^{259.5} \approx 1.3 \cdot 10^{78} $$

Essentially,

- Annually, the sun can break
`[2\p2%i@KabWM4hr&*m|!aok%S.o`

, a 28-character password with ~184 bits of entropy. - Annually, the Milky Way can break
`KHH|j}<$>o8CnCg^Hc8s#I:',JzW3h^%d$`

, a 34-character password with ~223 bits of entropy. - Over the age of the universe, the Milky Way can break
`C]Y9.1V+dYrA2[3rl?ZF1K9n=re~hUAVh+BJk|P`

, a 39-character password with ~256 bits of entropy.

Notably, the final calculation that spans the age of our universe at the current luminosity of the entire galaxy barely exceeds 256 bits of security. Under these calculations, humanity will never break such a scheme by sheer brute force.

If someone tries to give you a password or API key longer than that, you can explain to them that it is absolutely unnecessary unless they’re trying to protect their secrets from an all-powerful God.

## See also and references#

- The various links strewn across the footnotes of this post.
- The extra details in “Table of Password Lengths for Various Character Sets and Entropies”.
- The general Wikipedia articles on password strength, security level, and key size.

I’ll be considering the character set to be the 95 printable ASCII characters, though many services place character restrictions which would decrease the number of possibilities accordingly. Recommendations using other character sets are shown in “Table of Password Lengths for Various Character Sets and Entropies” ↩︎

These words are from a small Diceware word list (7776 possibilities) provided by the EFF here. If you assume that most people select years from the last 5 decades and tend to only use the 12 main special characters

`!@#$%^&*-_.?`

, you find that this password has \(\log_2(7776^2 \cdot 50 \cdot 12) \approx 35\) bits of entropy. The capitalization here does not significantly increase the security of the password. ↩︎It’s important to note that while the security level might be 128 bits, the actual key lengths may be longer! RSA and ECC keys actually need to be 3072 bits and 256-383 bits long, respectively, to achieve this security level. For more information, see page 55 of NIST Special Publication 800-57 Part 1 Rev. 5. ↩︎

We may see this change in the next few years as NIST’s Post-Quantum Cryptography Standards are finalized. Notably, the quantum Grover’s algorithm

*halves*the security level of most symmetric-key algorithms. That said, 256-bit classical / 128-bit quantum security is still considered secure since that search space is considerably beyond current computational capabilities. ↩︎This is according to the statistics from the TOP500 list https://www.top500.org/statistics/list/. ↩︎

For example, an experiment in 2021 reached position 40 on the TOP500 list with “4,096 EC2 instances […] with a total of 172,692 cores”, achieving a performance of ~10 PFLOPS. ↩︎

It’s unclear how reputable this estimate is, but an AI Impacts wiki post claims a total of ~4 ZFLOPS as of Q1 2023. This is pretty consistent with my apparent 2019 estimate of ~1-2 ZHz in one of my favorite footnotes I’ve ever written (see page 13 of my undergraduate thesis). ↩︎

Remember that bits of security are an exponential measure. That last 0.5 bits of security increase the time required from ~1 year to ~1.5 years. ↩︎

This calculation is due to Arthur Isaac in Matrioshka Brains: Star-Powered Computers and closely matches that of the Computer performance by orders of magnitude Wikipedia article. ↩︎