The 2025 Hive Systems Password Table shows which type of passwords are easy or hard for hackers to crack. Hive Systems launched their first password table in 2020 by using data from howsecureismypassword.net, and then continued every year, using bcrypt with stronger settings with a hardware 12× RTX 5090. When you create a password, websites use a hash function to store it instead of as plain text, and a string of letters is formed called a hash. For example, when we hash the word ‘password’, it turns into e.g.: 5f4dcc3b5aa765d61d8327deb882cf99. But hashing is a one-way process, meaning you cannot unhash a password.

When a hacker steals a password, they get hash versions of it, but these versions can still be cracked by guessing every possible password that can be created through them, and this process is called dictionary attacks or brute force. Graphics cards (GPUs) can also be used to guess thousands of passwords through tools like Hashcat. GPUs can do millions to billions of calculations per second, and the more powerful GPUs are, the faster they crack passwords.

GPUs matter a lot when it comes to cracking passwords, and they can even bypass strong password protection like bcrypt, which is set to factor 10. They can break into an 8-character password in months, but if the budgets are typical, it can take hundreds of years. MD5 is the most common hash if we look at the previous data, but bcrypt has now taken the lead in how passwords are stored across major breaches. Even though NIST recommends PBKDF2 with SHA-256, many big services like MyFitnessPal, Dropbox, DataCamp, and Ethereum use bcrypt, which makes it hard for hackers to crack passwords. So for the setup for the password table for 2025 was bcrypt (work factor 10) for the hashing method and 12× RTX 5090 GPUs for hardware.