The 2025 Hive Systems Password Table Shows Which Types of Passwords Are Easier to Crack

The 2025 Hive Systems Password Table shows which types of passwords are easy or hard for hackers to crack. Hive Systems launched its first password table in 2020 using data from howsecureismypassword.net and has continued every year since; the latest edition uses bcrypt with stronger settings and a hardware setup of 12× RTX 5090 GPUs. When you create a password, websites run it through a hash function and store the result, a fixed-length string of characters called a hash, instead of the plain text. For example, hashing the word ‘password’ with MD5 gives 5f4dcc3b5aa765d61d8327deb882cf99. Hashing is a one-way process, meaning you cannot unhash a password.

When a hacker steals passwords, they get the hashed versions, but these can still be cracked by hashing guess after guess and comparing each result with the stolen hash. Trying every possible password is called brute force, and trying a list of likely passwords is called a dictionary attack. Graphics cards (GPUs) can be used to guess thousands of passwords through tools like Hashcat. GPUs can do millions to billions of calculations per second, and the more powerful the GPUs are, the faster they crack passwords.

GPUs matter a lot when it comes to cracking passwords, and they can even defeat strong password protection like bcrypt set to work factor 10. They can break an 8-character password in months, but on a typical budget it can take hundreds of years. In previous data, MD5 was the most common hash, but bcrypt has now taken the lead in how passwords are stored across major breaches. Even though NIST recommends PBKDF2 with SHA-256, many big services like MyFitnessPal, Dropbox, DataCamp, and Ethereum use bcrypt, which makes it hard for hackers to crack passwords. So the setup for the 2025 password table was bcrypt (work factor 10) as the hashing method and 12× RTX 5090 GPUs as the hardware.

Bcrypt is a reliable password hashing method that can be made slower by increasing its work factor: the higher the number, the longer it takes to crack the password. Different tools and platforms use it with different settings: OpenBSD uses a work factor of 10, Laravel uses 12, and SuperTokens uses 11. The best work factor for bcrypt is around 10, which makes it harder for hackers to crack passwords. Bcrypt also uses salting, which means it adds random data to each password before hashing to prevent hackers from using precomputed lists.

If your password is weak, reused across multiple platforms, or a common word, it is an easy target for hackers, who use shortcuts like rainbow tables and dictionary attacks. AI-grade hardware makes cracking faster still, especially when passwords are reused or short.

In 2022, LastPass (a popular password manager) was hacked, and hackers used that breach to pull off a $150 million crypto heist in 2025, which means the passwords were cracked in only 2.5 years, which is alarming. LastPass was using PBKDF2 with SHA-256 to hash passwords, but its default setting was just 5,000 iterations, which is considered very low, and it started recommending 600,000 iterations after the breach.
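The gap between 5,000 and 600,000 iterations only closes if old records are re-hashed, so here is an added example (not code from Hive Systems or LastPass) of salted PBKDF2-SHA-256 storage that upgrades a low-iteration record at the next successful login. The record format `scheme$iterations$salt$digest` and all function names are assumptions made for illustration; PBKDF2 is used because it ships in Python's standard library.

```python
import base64
import hashlib
import hmac
import os

POLICY_ITERATIONS = 600_000  # figure the article says was recommended after the breach
LEGACY_ITERATIONS = 5_000    # old default the article calls very low


def hash_password(password: str, iterations: int = POLICY_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (assumed format)."""
    salt = os.urandom(16)  # fresh random salt per password defeats precomputed lists
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    fields = ["pbkdf2_sha256", str(iterations),
              base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def verify_password(password: str, record: str) -> tuple:
    """Return (matches, needs_rehash); needs_rehash flags records below policy."""
    try:
        scheme, iter_s, salt_b64, digest_b64 = record.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False, False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False, False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    return ok, ok and iterations < POLICY_ITERATIONS


def login(password: str, record: str) -> tuple:
    """Verify, then re-hash a weak record while the plaintext is briefly available."""
    ok, stale = verify_password(password, record)
    if ok and stale:
        record = hash_password(password)  # upgrade to the current policy
    return ok, record


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample password
    old = hash_password(sample, LEGACY_ITERATIONS)
    ok, new = login(sample, old)
    print(ok, old.split("$")[1], "->", new.split("$")[1])
```

Because the iteration count travels with each record, the policy constant can be raised later without invalidating existing logins.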

