Hash Rate Crack Time Calculator

About the Hash Rate Crack Time Calculator

The hash algorithm used to store a password is the single biggest factor in how quickly an attacker can crack it offline. Fast algorithms like MD5 allow modern GPUs to compute over 100 billion hashes per second, while memory-hard algorithms like Argon2 reduce throughput to mere thousands. This calculator lets you select a hash algorithm, specify a keyspace, and see how long cracking takes at the algorithm's real-world hash rate.

This comparison is essential for security architects choosing password storage algorithms and for penetration testers estimating crack feasibility. By seeing the concrete time difference between MD5 and bcrypt for the same password, the case for proper password hashing becomes crystal clear.

When This Page Helps

Many legacy systems still use fast hashes like MD5 or SHA-1 for password storage. This calculator demonstrates, in concrete time estimates, the enormous difference proper hashing algorithms make. It helps justify migration efforts and algorithm selection decisions to both technical teams and management.

How to Use the Inputs

1. Select the hash algorithm from the dropdown.
2. Enter the password charset size and length to compute keyspace, or enter keyspace directly.
3. Review the hash rate for the selected algorithm (per single GPU).
4. Specify how many GPUs are used in the attack.
5. See the estimated average and maximum crack times.
6. Compare multiple algorithms to understand the security difference.

Example Calculation

Tips & Best Practices

• Always use bcrypt, scrypt, or Argon2id for password storage — never MD5 or SHA.
• Increase bcrypt cost factor by 1 each time hardware doubles in speed (roughly every 2 years).
• Argon2id is the modern gold standard, offering resistance to both GPU and ASIC attacks.
• Multiple GPUs scale linearly — 8 GPUs crack 8× faster.
• Hash rate varies significantly by GPU model; RTX 4090 is ~2× faster than RTX 3090.
• Consider pepper (server-side secret) in addition to salt for defense in depth.

Hash Algorithm Speed Comparison

The speed difference between hash algorithms spans many orders of magnitude. A single RTX 4090 GPU can compute ~150 billion MD5 hashes per second but only ~50,000 bcrypt hashes at cost 12. This 3-million-fold difference is why algorithm selection is the most impactful password security decision.

Why Memory-Hard Algorithms Win

bcrypt slows down computation but can still be parallelized on GPUs with limited memory per core. Argon2 and scrypt require significant memory (64MB+ per hash), which severely limits GPU parallelism because GPU cores share limited VRAM. This makes Argon2 the best choice for new implementations.

Migration Strategy

If your system currently uses MD5 or SHA for passwords, plan a migration. A common approach is to wrap existing hashes: bcrypt(MD5(password)). On the next login, rehash directly with bcrypt. This provides immediate protection without requiring all users to change passwords.

Hardware Trends

GPU hash rates roughly double every 2–3 years. Plan for this by choosing algorithms and parameters that provide at least 10 years of security margin.

Frequently Asked Questions

• What is a hash rate?

  Hash rate is the number of hash computations a device can perform per second. It depends on the hash algorithm's computational complexity and the hardware's processing power. Fast algorithms have high hash rates (bad for passwords), while slow algorithms have low hash rates (good for passwords).

• Why is MD5 so fast?

  MD5 was designed as a general-purpose hash for data integrity, not password security. It uses simple mathematical operations that GPUs can parallelize extremely efficiently. It was never intended to slow down attackers, which is why it's unsuitable for password storage.

• What bcrypt cost factor should I use?

  Use the highest cost factor that keeps login latency acceptable (typically under 250ms). In 2026, a cost factor of 12–14 is common. Test on your production hardware and increase the factor periodically as hardware improves.

• How does Argon2 differ from bcrypt?

  Argon2 is memory-hard, meaning it requires significant RAM per computation. This makes it resistant to GPU and ASIC attacks because these devices have limited memory per processing core. bcrypt is only CPU-intensive, so GPUs can still achieve moderate parallelism.

• Do salts affect hash rate?

  Salts prevent precomputation attacks (rainbow tables) but do not reduce per-hash computation speed. A salt forces the attacker to compute each hash uniquely for each user, but the per-attempt speed remains the same.

• Can I use this for non-password hashing?

  Yes. The keyspace and hash rate concepts apply to any brute-force scenario: cracking encryption keys, nonces, tokens, or any secret with a finite search space. Just adjust the keyspace and hash rate accordingly.