How Long Does It Take to Crack a Weak Password on RDP?
If you search for "password cracking time," you will find tables like the well-known one from Hive Systems: an 8-character lowercase password takes about three weeks to crack with modern GPU hardware. An 8-character password with uppercase, numbers, and symbols takes centuries. Problem solved, right?
Not quite. Those tables describe offline hash cracking with dedicated GPU hardware. When attackers target your Windows Server over Remote Desktop, they are not cracking hashes at all. They are doing something completely different — and the real numbers might surprise you.
What is the honest answer?
If your password is truly random and unique, attackers will never crack it over RDP. Even a simple 8-character lowercase password has around 200 billion possible combinations. At typical RDP brute force rates — usually just a few to a few dozen attempts per second per source IP, because attackers deliberately slow down to avoid triggering lockouts — that would take well over a century.
If your password is in the top 1,000 most commonly leaked passwords, it will be tried in the first few seconds.
If your password has been leaked in any data breach, it is already compromised. It does not need to be cracked at all.
The gap between those three scenarios is where most businesses get compromised.
Why does the math change everything?
RDP brute force attacks are fundamentally different from offline cracking. When a hacker steals a password database, they can throw massive GPU power at it — billions of guesses per second. But over a network connection to your server, every single login attempt requires:
- A TCP handshake
- TLS negotiation
- Credential submission
- Server response
This takes real time. Attackers running modest rates of a few attempts per second per IP — which is what they usually do to evade lockouts — would need well over a hundred years to brute force a random 8-character password.
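The arithmetic behind those estimates, as an added example that is not part of the original article: a small Python calculator that compares an online RDP guessing rate with an offline GPU rate for the same keyspace, and also shows how quickly a top-N leaked-password list runs out. The rates (10 guesses per second online, 10^11 per second offline) are assumptions chosen for illustration, not measured figures.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes for the usual password classes
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable": 95,   # full printable ASCII including symbols
}

# Assumed guess rates (illustrative, not measured):
ONLINE_RDP_RATE = 10.0      # guesses/second per source IP, throttled to dodge lockouts
OFFLINE_GPU_RATE = 1e11     # guesses/second against a stolen hash on a GPU rig


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


def human_time(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare(charset: str, length: int) -> dict:
    """Online-vs-offline exhaustion time for a random password of this class."""
    space = keyspace(CHARSETS[charset], length)
    online = seconds_to_exhaust(space, ONLINE_RDP_RATE)
    offline = seconds_to_exhaust(space, OFFLINE_GPU_RATE)
    return {
        "keyspace": space,
        "online_years": online / SECONDS_PER_YEAR,
        "online": human_time(online),
        "offline": human_time(offline),
    }


def list_exhaust_seconds(list_size: int, rate: float = ONLINE_RDP_RATE) -> float:
    """Time to run a wordlist (top-N leaked passwords) against one account."""
    return seconds_to_exhaust(list_size, rate)


if __name__ == "__main__":
    for charset, length in [("lowercase", 8), ("printable", 8), ("printable", 15)]:
        r = compare(charset, length)
        print(f"{charset:>12} x{length}: online {r['online']:>14} | offline {r['offline']}")
    for n in (1_000, 1_000_000):
        print(f"top-{n:,} list at {ONLINE_RDP_RATE:g}/s: {human_time(list_exhaust_seconds(n))}")
```

Running it shows the point of the section: the same 26^8 keyspace that a GPU rig clears in a couple of seconds takes several hundred years at a throttled online rate, while a 1,000-entry list of leaked passwords is finished in under two minutes at that same online rate.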
So attackers do not try random combinations. They use much smarter techniques.
What do attackers actually do?
1. Credential stuffing
Attackers start with lists of passwords leaked from previous breaches. These lists are massive — HaveIBeenPwned's Pwned Passwords service tracks over a billion unique leaked passwords, with new dumps added regularly. The RockYou2024 leak made headlines for claiming nearly 10 billion entries, though Specops' own analysis found most of it was garbage — still, hundreds of millions of real, usable passwords remained after cleanup.
If your password has ever been used on any breached website, it is probably in one of these lists. And if it is in the list, attackers will try it first.
2. Password spraying
Rather than trying many passwords against one account (which triggers lockouts), attackers try one password against many accounts. They grab a list of common passwords — 123456, password, qwerty123, admin2025! — and try each one against every user on your server, then move to the next password.
This evades account lockout policies and still hits working credentials surprisingly often.
3. Dictionary attacks with mutations
Attackers take common words and apply predictable substitutions: password → P@ssw0rd! → Password2026!. Every "creative" substitution people think of has already been automated into cracking dictionaries.
The real top passwords on RDP
Specops Software analyzed millions of RDP attack attempts in 2025 and published the actual passwords attackers use against Remote Desktop. The top 10:
| Rank | Password |
|------|----------|
| 1 | 123456 |
| 2 | 1234 |
| 3 | Password1 |
| 4 | P@ssw0rd |
| 5 | password |
| 6 | Password123 |
| 7 | Welcome1 |
| 8 | 12345678 |
| 9 | Aa123456 |
| 10 | admin |
Look carefully at that list. P@ssw0rd, Password1, Password123, Welcome1 — these all pass standard complexity rules. They have uppercase letters, lowercase letters, numbers, and even symbols. Any corporate password policy checker would accept them. And they are in the top 10 passwords attackers try first against your RDP server.
This is the core of the problem: complexity rules do not stop attackers. They stop users from picking passwords that are easy to type, not passwords that are easy to guess.
Why "strong" passwords often fail
Here is the uncomfortable truth: most "strong" passwords are not strong.
Password123! passes every complexity rule a typical corporate policy enforces — uppercase, lowercase, number, symbol, 12 characters. It is also in every breach dump on the internet. An attacker's first few guesses include it.
Specops analyzed over a billion malware-stolen credentials in 2025 and found that 230 million breached passwords met standard complexity rules. Complexity is not the same thing as uniqueness. A password can be complex and terrible at the same time.
A separate Specops analysis of 10 million sampled breached passwords found that 98.5% were weak by modern standards — even many that pass complexity rules.
What actually makes a password uncrackable?
Three things matter, and complexity is not one of them:
1. Length. A 15-character random password has so many possible combinations that even offline cracking takes centuries. Length scales exponentially: each additional character multiplies the number of possible passwords by the size of the character set.
2. Uniqueness. A password you have never used anywhere else, that has never been in a breach, is invisible to credential stuffing. Check your passwords against HaveIBeenPwned — if it appears even once, it is compromised.
3. Not a dictionary word or pattern. correcthorsebatterystaple is 25 characters but it is a famous xkcd example — it is in every wordlist now. Summer2026! is complex but it is a pattern. Attackers have automated lists of every pattern humans think is clever.
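A policy check that applies these three tests, added here as an example (this is not code from the article, from Specops, or from BruteFence). It also covers the mutation point from section 3 above: before comparing against a wordlist it strips the trailing year-and-symbol suffix and undoes the usual letter substitutions, so P@ssw0rd and Password2026! both collapse to "password". The breach lookup mimics the k-anonymity scheme of the real Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the client), but the range store, the leaked-password counts and the wordlist here are constructed stand-ins, not real breach data.

```python
import hashlib
import re

# Constructed tiny wordlist; a real check uses full dictionaries and leaked-password corpora.
WORDLIST = {"password", "welcome", "admin", "summer", "qwerty", "letmein",
            "correcthorsebatterystaple"}

# Constructed "breach corpus" with made-up counts, standing in for Pwned Passwords.
LEAKED_COUNTS = {"123456": 50_000_000, "Password1": 2_500_000,
                 "P@ssw0rd": 1_200_000, "Password123!": 400_000,
                 "Welcome1": 300_000, "Aa123456": 90_000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Simulated k-anonymity range store: 5-char hash prefix -> {35-char suffix: count}
RANGE_STORE: dict = {}
for _pw, _count in LEAKED_COUNTS.items():
    _h = sha1_hex(_pw)
    RANGE_STORE.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> dict:
    """Local stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Only the prefix is sent in the real protocol; matching happens client-side."""
    return RANGE_STORE.get(prefix, {})


def breached_count(password: str) -> int:
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


# Common substitutions attackers already automate, mapped back to plain letters
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a mutated password to its base word for the dictionary test."""
    base = re.sub(r"[^A-Za-z]+$", "", password)   # drop trailing digits/symbols (Password2026!)
    return base.translate(LEET).lower()           # undo substitutions (P@ssw0rd -> password)


def assess(password: str, min_length: int = 15) -> list:
    """Return the list of reasons a password fails; an empty list means it passed."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    n = breached_count(password)
    if n:
        findings.append(f"seen {n:,} times in breach corpus")
    base = normalize(password)
    if base in WORDLIST:
        findings.append(f"reduces to dictionary word '{base}'")
    return findings


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2026!", "correcthorsebatterystaple",
                      "Tq7#vLp9!xWzr2KdQm4E"]:
        print(f"{candidate!r}: {assess(candidate) or 'OK'}")
```

Note that every one of the "complex" examples fails at least one test, and that the long random string passes all three, which is the outcome the three criteria above predict.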
But wait — there is a bigger problem
Even a perfect password has a weakness you cannot fix: infostealer malware.
Infostealers like Redline, Vidar, and LummaC2 run on compromised user machines and grab stored passwords from browsers, password managers, and memory. The Sophos 2025 Active Adversary Report found that compromised credentials were the top root cause of attacks for the second consecutive year — 41% of cases — and in 56% of Sophos IR and MDR cases, attackers simply logged in with valid credentials rather than breaking in.
If your strong, unique password is typed on a machine that has an infostealer, it is captured in plaintext and sold to other attackers. No amount of complexity helps.
This is why password policy alone cannot protect RDP. You need layered defenses.
The practical takeaway
Stop optimizing for complexity rules. Start optimizing for these:
- Minimum 15 characters, ideally longer.
- Unique to this account, not reused from anywhere else.
- Checked against breach databases before you set it (tools like Azure AD Password Protection do this automatically).
- Combined with multi-factor authentication so a leaked password alone is not enough.
- Protected by automated brute force detection that blocks attacking IPs before they exhaust credential lists. BruteFence watches for failed RDP logins and blocks source IPs in real time — it turns credential stuffing from "try millions of passwords" into "blocked after 5 attempts." The free BruteFence Checker shows you how many attempts your server has already seen.
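What per-IP brute force detection adds over a per-account lockout, shown as an added example that is not BruteFence's code or any product's logic. The input is a constructed, simplified rendering of Windows Security events (4625 = failed logon, 4624 = successful logon) with documentation IP addresses; the field names follow the real event schema but the line format is invented for this example. One source hammers a single account, a second sprays one guess across six accounts, and a third is a user who mistyped once.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: simplified 4625/4624 records, one per line
SAMPLE_EVENTS = """\
2025-03-02T10:00:01Z 4625 TargetUserName=administrator IpAddress=203.0.113.5
2025-03-02T10:00:02Z 4625 TargetUserName=administrator IpAddress=203.0.113.5
2025-03-02T10:00:04Z 4625 TargetUserName=administrator IpAddress=203.0.113.5
2025-03-02T10:00:05Z 4625 TargetUserName=administrator IpAddress=203.0.113.5
2025-03-02T10:00:07Z 4625 TargetUserName=administrator IpAddress=203.0.113.5
2025-03-02T10:00:08Z 4625 TargetUserName=administrator IpAddress=203.0.113.5
2025-03-02T10:01:00Z 4625 TargetUserName=alice IpAddress=198.51.100.9
2025-03-02T10:01:03Z 4625 TargetUserName=bob IpAddress=198.51.100.9
2025-03-02T10:01:06Z 4625 TargetUserName=carol IpAddress=198.51.100.9
2025-03-02T10:01:09Z 4625 TargetUserName=dave IpAddress=198.51.100.9
2025-03-02T10:01:12Z 4625 TargetUserName=erin IpAddress=198.51.100.9
2025-03-02T10:01:15Z 4625 TargetUserName=frank IpAddress=198.51.100.9
2025-03-02T10:05:00Z 4625 TargetUserName=alice IpAddress=192.0.2.20
2025-03-02T10:05:30Z 4624 TargetUserName=alice IpAddress=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse the simplified log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["event_id"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return events


def analyze_sources(events, window=timedelta(minutes=5), block_after=5, spray_accounts=5):
    """Per source IP: peak failed logons inside a sliding window, distinct accounts
    targeted, and a verdict. Blocking keys on the IP, so spreading guesses across
    accounts does not help the attacker."""
    failures = sorted((e for e in events if e["event_id"] == 4625), key=lambda e: e["ts"])
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    peak = defaultdict(int)          # ip -> highest in-window failure count seen
    accounts = defaultdict(set)      # ip -> accounts attempted
    for e in failures:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
        accounts[e["ip"]].add(e["user"])
    report = {}
    for ip in recent:
        if peak[ip] >= block_after:
            kind = "spray" if len(accounts[ip]) >= spray_accounts else "brute_force"
            verdict = f"block:{kind}"
        else:
            verdict = "ok"
        report[ip] = {"peak_failures": peak[ip], "accounts": len(accounts[ip]), "verdict": verdict}
    return report


def per_account_lockouts(events, threshold=5) -> set:
    """Accounts a classic per-account lockout policy would lock; note that the
    sprayed accounts never reach the threshold because each got one guess."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] == 4625:
            counts[e["user"]] += 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, info in analyze_sources(evs).items():
        print(ip, info)
    print("account lockouts:", per_account_lockouts(evs) or "none")
```

On this sample the lockout policy catches only the hammered administrator account, while the spraying source, which never gives any single account more than one failure, is still blocked because the per-IP count crosses the threshold. The mistyped login from 192.0.2.20 stays untouched.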
For the full story on how RDP brute force attacks work, see our guide on what an RDP brute force attack is. And if you want to understand why strong passwords alone are not enough, we covered that in why a strong password is not enough.
One last number
If you take only one thing from this article, take this:
A password from the top 1,000 most common list gets tried within seconds of an attack starting. A password from the top 1 million gets tried within hours. A truly random 15-character unique password gets tried never, because attackers give up long before they reach it.
The question is not how strong your password looks. The question is whether it is on any of the lists attackers already have.