Why websites have password length limits, if they’re hashed anyway?




5 Answers

Anonymous

Hashing the passwords protects users (somewhat) if the database storing the passwords is stolen/copied. Instead of being able to see a user’s actual password, they only see a hash with no way to turn that back into the original password. They can still try to guess what it is by putting their guesses through the same hash method and comparing the results with what they see in the database. How long it takes for this to work depends on where your password is on their list of things to guess.

If the hacker knows the website only allows a maximum of four numerical digits for the passwords, then they know there are only 10^(4) (10,000) possible combinations that any password can be. This means they only need a maximum of 10,000 guesses to crack your password.

But if you allow upper and lowercase letters as well without changing the length, that’s now 56 new characters plus the original 10, so now there are 66^(4) (18,974,736) possible combinations that the hacker potentially has to work through.

If you increase the maximum length of the passwords to, say, 20 characters and keep the digits-only constraint, there are now 10^(20) (100,000,000,000,000,000,000) possible combinations. And tossing the letters back in makes it 66^(20) (about 2.46 x 10^(36)). That’s not even including special characters, which most websites do allow.

So you can see that allowing longer passwords greatly increases the number of possible combinations that a hacker must try, which greatly reduces their chances of successfully guessing the password with random guesses.
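The keyspace arithmetic from this answer written out as a small calculator, added here as an example and not part of the original answer. The 66-character set is the answer's own figure; the 10^10 guesses-per-second hashing rate is an assumed, illustrative value, since the real rate depends entirely on which hash the site uses.

```python
import math

# Constructed, illustrative hashing rate for an attacker's rig (an assumption,
# not a figure from the answer); real rates depend entirely on the hash used.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters: charset_size ** length."""
    return charset_size ** length


def policy_keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Every candidate a policy admits, summed over all permitted lengths.
    The maximum length is what bounds this sum for the attacker."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: bits of a uniformly random password drawn from it."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: try every candidate at `rate` hashes per second."""
    return space / rate / SECONDS_PER_YEAR


def describe(label: str, charset_size: int, length: int) -> str:
    space = keyspace(charset_size, length)
    return (f"{label:<20} {space:.3e} candidates, "
            f"{entropy_bits(space):5.1f} bits, "
            f"{years_to_exhaust(space):.3e} years to exhaust")


if __name__ == "__main__":
    # The four policies the answer walks through (66 = its 10 digits + 56 letters).
    for label, cs, n in [("4 digits", 10, 4),
                         ("4 digits+letters", 66, 4),
                         ("20 digits", 10, 20),
                         ("20 digits+letters", 66, 20)]:
        print(describe(label, cs, n))
    # A cap of 12 characters over all lengths 1..12: the top length dominates,
    # so the maximum length is effectively the whole keyspace.
    capped = policy_keyspace(66, 1, 12)
    print(f"66 chars, 1..12 long: {capped} candidates, "
          f"top length alone is {keyspace(66, 12) / capped:.1%} of them")
```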
