How Do Hackers Guess Passwords?

Short answer: Hackers do not guess one password at a time. They use automated tools that test millions of combinations per second, starting with the most statistically likely passwords. If your password is a common word, a name, or follows a predictable pattern, it falls in the first few seconds of an attack.

Most people picture password hacking as someone sitting at a keyboard trying different combinations. The reality is completely different. Modern password cracking is automated, systematic, and follows a specific order designed to find the most common passwords first.

Understanding that order is the key to understanding why some passwords fail instantly while others hold up for years.

Want to see where your password falls in this process? Test it now. Nothing is stored or sent.

The Attack Sequence: How It Actually Works

Password cracking tools like Hashcat and John the Ripper do not guess randomly. They follow a sequence, moving from the fastest and most likely methods to the slowest. Here is the typical order:

Phase 1: Known Passwords (instant)

The tool loads a list of passwords that have already been leaked in previous data breaches. These lists contain billions of real passwords that real people actually used. If your password is on the list, it is matched instantly.

This is not theoretical. The Have I Been Pwned database alone contains over 12 billion breached password entries. When we tested 100 popular pet names against this database, we found 57 million matches across 1,200 variations. The word shadow alone appeared over 2 million times. charlie appeared 1.9 million times.

Phase 2: Dictionary + Rules (seconds to minutes)

If the exact password is not in the breach list, the tool applies transformation rules to every word in its dictionary. These rules mimic the exact "tricks" people use to make passwords feel unique:

  • Append 123 → bella123
  • Append 1 → charlie1 (appeared 1.1 million times in breach data)
  • Capitalize first letter → Shadow
  • Append current year → luna2026
  • Append ! → pepper!
  • Replace letters with numbers → b3lla
  • Reverse the word → xam (from max)

A standard rule set like Hashcat's "best64" applies 64 of these transformations to every single word in the dictionary. A dictionary with 10 million words becomes 640 million guesses. At modern cracking speeds, this takes seconds.

Phase 3: Hybrid Attack (minutes to hours)

The tool now combines dictionary words with brute force. It takes each word and appends or prepends every possible short character combination:

  • bella + every 1 to 4 character suffix
  • Every 1 to 3 character prefix + luna
  • Two dictionary words joined together

This catches passwords like bella9472 or 2xlunar that are not in the dictionary but still use a common word as the foundation. The search space is much larger than phase 2, so this takes minutes to hours depending on the word list size.

Phase 4: Full Brute Force (hours to never)

Only after the faster methods fail does the tool resort to trying every possible character combination from scratch. This is the method most people imagine when they think of "hacking."

For short passwords (6 characters or fewer), full brute force is fast. For passwords longer than 12 characters with mixed character types, it can take years or longer. This is where long, unpredictable passwords survive. They force the attacker into the slowest, most expensive phase.

What Falls at Each Phase

Here is how common password types map to the attack sequence:

Password              Falls at   Time to crack       Why
--------------------  ---------  ------------------  ----------------------------------------------
shadow                Phase 1    Instant             Appears 2M+ times in breach data
charlie1              Phase 1    Instant             Appears 1.1M times in breach data
Bella123              Phase 2    Under 1 second      Dictionary word + most common rule
Luna2026              Phase 2    Under 1 second      Dictionary word + year append rule
Max!                  Phase 2    Under 1 second      Dictionary word + symbol append rule
bella7291             Phase 3    Minutes             Dictionary word + random 4 digit suffix
Xr7!pQ2m              Phase 4    Hours to days       Random but only 8 characters
Bella$kettle!rain42   Phase 4    Millions of years   19 chars, unrelated words, mid-placed symbols

The pattern is clear: anything based on a common word with a predictable modification falls in the first two phases. The only passwords that survive are those that force the attacker into brute force on a long, complex string.
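To make the phase mapping concrete, here is an added example (not code from the original page, and not Hashcat's or John the Ripper's own logic) that classifies a candidate password by the first phase of the sequence above that would recover it. The breach list and dictionary are tiny constructed stand-ins, and the rule inversion covers only the Phase 2 rules listed above.

```python
import re

# Constructed stand-ins: real attacks load billions of leaked passwords and
# multi-million-word dictionaries; these few entries are just for illustration.
BREACHED = {"shadow", "charlie1", "bella", "password", "123456"}
DICTIONARY = {"shadow", "charlie", "bella", "luna", "max", "pepper"}
YEARS = {str(y) for y in range(1980, 2031)}
UNLEET = str.maketrans("4301$5", "aeolss")  # undo "replace letters with numbers"

def _phase2_stems(pw):
    """Invert the Phase 2 rules from the article (case change, digit/symbol/year
    append, leet substitution, reversal) and return every possible base word."""
    low = pw.lower()
    stems = {low, low.translate(UNLEET), low[::-1]}
    m = re.fullmatch(r"([a-z0-9$]+?)(\d{1,3}|[!@#$%^&*]+|\d{4})", low)
    # A 4-digit suffix only counts as a rule when it is a year; a random
    # 4-digit suffix belongs to the hybrid phase.
    if m and (len(m.group(2)) != 4 or m.group(2) in YEARS):
        stems.add(m.group(1))
        stems.add(m.group(1).translate(UNLEET))
    return stems

def crack_phase(pw):
    """Return the phase (1-4) at which the attack sequence would recover pw."""
    if pw in BREACHED:                        # Phase 1: exact hit in leaked passwords
        return 1
    if _phase2_stems(pw) & DICTIONARY:        # Phase 2: dictionary word + one rule
        return 2
    low = pw.lower()
    for word in DICTIONARY:                   # Phase 3: word + short arbitrary affix
        extra = len(low) - len(word)
        if low.startswith(word) and 1 <= extra <= 4:
            return 3
        if low.endswith(word) and 1 <= extra <= 3:
            return 3
    return 4                                  # Phase 4: full brute force only

def crack_table(passwords):
    """Map each password to its phase, like the table above."""
    return {pw: crack_phase(pw) for pw in passwords}
```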

Where does your password fall? Test it now and see which phase would catch it.

Credential Stuffing: The Other Kind of "Guessing"

There is a second way attackers "guess" passwords that does not involve cracking at all. After a major data breach, attackers obtain millions of real email and password pairs. They then try those exact combinations on other websites: your bank, your email provider, your social media accounts.

This is called credential stuffing, and it works because people reuse passwords. If you used Bella123 on a shopping site that got breached, and you also used Bella123 on your email, the attacker does not need to crack anything. They already have the key.

The Verizon Data Breach Investigations Report (DBIR) has consistently found that stolen and reused credentials are involved in a large percentage of breaches. This is why using a unique password for every important account matters as much as making each password strong.
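As an added example (not from the original page), here is detection logic a defender can run over authentication logs to tell credential stuffing apart from password guessing against a single account: stuffing shows as one source touching many distinct accounts with a try or two each, because the attacker has one leaked pair per account. The log lines and IP addresses are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real traffic); RFC 5737 documentation IPs.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2026-01-10T09:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2026-01-10T09:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2026-01-10T09:00:03Z ip=203.0.113.5 user=dave@example.com result=OK
2026-01-10T09:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2026-01-10T09:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2026-01-10T09:01:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2026-01-10T09:01:12Z ip=198.51.100.7 user=alice@example.com result=FAIL
2026-01-10T09:01:15Z ip=198.51.100.7 user=alice@example.com result=FAIL
2026-01-10T09:01:18Z ip=198.51.100.7 user=alice@example.com result=OK
2026-01-10T09:02:00Z ip=192.0.2.9 user=gina@example.com result=OK
"""

LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def analyze(log_text, min_users=5, max_per_user=2):
    """Classify each source IP. min_users and max_per_user are assumed thresholds:
    stuffing = many distinct accounts, few tries each; guessing = one account, many tries."""
    attempts = defaultdict(lambda: defaultdict(list))  # ip -> user -> [results]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            attempts[m["ip"]][m["user"]].append(m["result"])
    findings = {}
    for ip, users in attempts.items():
        tries = sum(len(r) for r in users.values())
        fails = sum(r.count("FAIL") for r in users.values())
        per_user = tries / len(users)
        if len(users) >= min_users and per_user <= max_per_user and fails >= min_users - 1:
            kind = "credential_stuffing"
        elif len(users) == 1 and fails >= 3:
            kind = "password_guessing"
        else:
            kind = "benign"
        # Accounts that logged in successfully during an attack burst are the
        # likely takeovers and should be reviewed (forced reset, session revoke).
        hits = sorted(u for u, r in users.items() if "OK" in r) if kind != "benign" else []
        findings[ip] = {"kind": kind, "accounts": len(users), "failures": fails,
                        "takeover_candidates": hits}
    return findings
```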

Why Pet Names Fall First

Pet names sit at the intersection of every vulnerability in the attack sequence. They are short, common, frequently shared on social media, and people apply the same predictable modifications to them.

When we ran our pet name breach study, the numbers made this concrete. Across 100 popular pet names tested in 12 common variations, the breakdown was:

Variation                           Breach appearances   What it tells us
----------------------------------  -------------------  ----------------------------------------------------
Name alone (lowercase)                      26,977,248   Most people do not modify their pet name at all
Name + 1                                    13,521,059   Adding "1" is the most common modification by far
Name + 123                                   8,431,928   Second most common, tested instantly by attack tools
Name + year (all years combined)                92,756   Far less common than people assume

Every single one of these variations falls in Phase 1 or Phase 2 of the attack sequence described above. None of them survive to the hybrid or brute force stages.

For a detailed look at which specific pet names are most at risk, see our analysis of common pet name passwords.

What Survives an Attack

A password survives when it forces the attacker past the fast phases and into full brute force on a large search space. That requires three things:

Length above 14 characters. Every additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length. A 14-character password has roughly 10 billion times more combinations than a 7-character password using the same character set.

No dictionary words used alone. Any recognizable word, name, or phrase gets caught in Phase 1 or 2. Using multiple unrelated words together (a passphrase) works because the combination is not in any dictionary, even if the individual words are.

Unpredictable structure. Symbols and numbers placed in the middle of a password are far harder to crack than those appended at the end, because standard attack rules test end-of-word modifications first. Bella$kettle!rain42 is structurally different from Bella123! even though both contain a name, numbers, and symbols.

For the full set of principles behind building strong passwords, see our guide on what makes a password strong.

Test Your Password

Run your password through the Pet Name Password Checker to see how strong it really is. It checks strength, pattern predictability, and whether your password has appeared in known breaches. Everything runs locally in your browser. Nothing is stored or transmitted.