In the world of cybersecurity, speed and precision are everything. At Raxis, we recently upgraded our in-house password cracking machine that our team uses on most internal network penetration tests, and the results are astonishing. This new system can power through over 600 billion password guesses per second, allowing us to test password resilience faster and more effectively than ever before.

Even with this tremendous capability, our machine still falls short of the sheer computational muscle wielded by nation-state actors. But what it can do offers a sobering look at how fragile many passwords truly are.

Cracking Every 8-Character Password—In Just Three Hours

Using the Raxis password cracker, we can attempt every possible combination of an eight-character password, including all 95 printable characters: uppercase and lowercase letters, numbers, and symbols. In total, that’s roughly 6.6 quadrillion combinations. With our upgraded hardware chewing through possibilities at 600 billion guesses per second, that entire space can be exhausted in just about three hours.

A password format once considered strong (and still accepted by some compliance rules) can now be brute-forced in the time it takes to watch a movie or two.

NIST Recommendations: Still Relevant, But Evolving

According to NIST (National Institute of Standards and Technology) guidelines, users should use passwords that are at least eight characters long and unique for every system. While unique passwords prevent a breach in one system from cascading to others, as computing power continues to grow, even NIST’s baseline is increasingly vulnerable to brute-force attacks.

While an eight-character password may have once been reasonable, our current data shows that it’s no longer a sufficient barrier. Attackers equipped with modern hardware or cloud-based cracking tools can breach short passwords with alarming speed.

Why Multi-Factor Authentication Is Essential

The solution isn’t just longer passwords but also smarter authentication. Multi-Factor Authentication (MFA) adds an additional layer of defense beyond the password itself. Even if a password is cracked or stolen, MFA can stop attacks by requiring a second form of verification, such as a biometric scan, security token, or one-time passcode.

For organizations handling sensitive data, MFA is no longer optional; it’s a necessity. Pairing strong password policies with MFA dramatically reduces the risk of compromise and keeps unauthorized users out, even if one credential is exposed.

MFA is not a silver bullet either. During Raxis assessments we are sometimes able to circumvent MFA controls as part of the assessment. None the less, MFA is a best practice and we highly recommend organizations utilize it in combination with strong passwords.

Moving Forward: Passphrases and Passkeys

Here’s the takeaway: eight-character passwords are simply outdated. Wherever possible, use passphrases of at least three words, which are longer combinations of random or memorable words, or adopt passkeys, which remove the guesswork entirely. The longer the password or phrase, the more exponentially difficult it becomes to brute-force.

We welcome you to try out our password cracking capabilities on a Raxis penetration test to help your organization strengthen your defenses and stay one step ahead of attackers.